
Not able to see client certificate in capture

Hi All,

I have captured the logs, and when I open them I am not able to see the client certificate in info, but when I sent them to another peer they are able to see it. We are both using the same Wireshark version.

Can you please suggest how we can enable that info?

Sachin Nema
asked 2021-06-24 13:53:04 +0000

Comments

Difficult to say without access to the capture file, can you share it?
The difference may be down to profiles in use on each instance, are both Wireshark instances using the same profile?

grahamb (2021-06-24 14:01:52 +0000)

Can you please share the details of where I can send the logs? Are you using Teams/Skype?

Sachin Nema (2021-06-24 14:14:56 +0000)

Copy the capture to a public share, e.g. Google Drive, DropBox etc. and post a link to it back here.

grahamb (2021-06-24 14:21:03 +0000)

As @grahamb stated, it's difficult to say without more information, but if I were to guess, I'd say it's likely that there are one or more differences in the applied preferences and if I were a betting man, I'd place my bet on TCP reassembly. Try comparing preferences and even performing a diff of the preferences files in use between the two systems.

cmaynard (2021-06-24 14:28:57 +0000)

https://drive.google.com/file/d/1yn_d...

I have uploaded the capture file there

Sachin Nema (2021-06-24 14:30:12 +0000)

1 Answer

The ClientCertificate is spread over frames 10, 11 and 12. In order for Wireshark to display the certificate, it needs to reassemble those frames and then it will show the Certificate in frame 12. If you use the default Wireshark profile, this should work. If you use a custom profile, please make sure that:

  • Checksum checking is disabled in the IP and TCP protocol preferences
  • Reassembly is enabled in the TCP and the TLS protocol preferences

Tshark should give the following output for your current profile if all is set correctly:

$ tshark  -G currentprefs | egrep '^#?(ip|tcp|tls)\..*(checksum|desegment).*'
#ip.check_checksum: FALSE
#tcp.check_checksum: FALSE
#tcp.desegment_tcp_streams: TRUE
#tls.desegment_ssl_records: TRUE
#tls.desegment_ssl_application_data: TRUE
$
SYN-bit
answered 2021-06-25 12:28:32 +0000
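
The check described in the answer above, as an added example that is not part of the original post: a small script that reads a `tshark -G currentprefs` dump and reports which of the five listed preferences differ from the values the answer expects. The helper names `check_prefs` and `sample_custom_profile` are hypothetical, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example (not from the original answer): check a `tshark -G currentprefs`
# dump against the settings the answer lists. A leading '#' marks a preference
# that is still at its default; it is stripped before comparing.

# Preference names and values taken from the answer's expected output.
REQUIRED='ip.check_checksum FALSE
tcp.check_checksum FALSE
tcp.desegment_tcp_streams TRUE
tls.desegment_ssl_records TRUE
tls.desegment_ssl_application_data TRUE'

# check_prefs (hypothetical helper): reads a dump on stdin, prints one line per
# preference that is missing or wrong, returns 0 only when all five match.
check_prefs() {
    dump=$(cat)
    bad=0
    while read -r name want; do
        got=$(printf '%s\n' "$dump" | awk -v n="$name" '
            { line = $0; sub(/^#/, "", line) }
            index(line, n ":") == 1 {
                val = substr(line, length(n) + 2)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
            }
            END { print toupper(val) }')
        if [ -z "$got" ]; then
            echo "$name: not found, want $want"; bad=1
        elif [ "$got" != "$want" ]; then
            echo "$name: is $got, want $want"; bad=1
        fi
    done <<EOF
$REQUIRED
EOF
    return "$bad"
}

# Constructed sample: a custom profile with TCP checksum validation turned on
# and TCP stream reassembly turned off (changed values lose the leading '#').
sample_custom_profile() {
    cat <<'EOF'
#ip.check_checksum: FALSE
tcp.check_checksum: TRUE
tcp.desegment_tcp_streams: FALSE
#tls.desegment_ssl_records: TRUE
#tls.desegment_ssl_application_data: TRUE
EOF
}

sample_custom_profile | check_prefs || true
# Real use: tshark -G currentprefs | check_prefs
```

Running the same check on both machines shows which profile setting differs; tshark's `-C <profile>` option selects a profile other than the default.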