
Tshark select end certificate only

Hey all,

I'm doing some research on certificate validity and therefore I'd like to export the notBefore and notAfter (x509af.utcTime) and some other data using tshark. Unfortunately this value exists multiple times in the certificate packet (end-entity certificate -> intermediate certificate -> root certificate (chain of trust)).

I'm desperately looking for a filter variable with which I can output this single certificate, without the intermediate and root ones.

Thanks in advance!

wessel145
asked 2018-10-10 10:52:28 +0000


1 Answer


If you're using tshark's -T fields along with -e x509af.utcTime, then you may be able to achieve what you want by making use of the -E occurrence=f option, which will only give you the first occurrence of the field and not all occurrences. Here I'm assuming the first occurrence is the one you're after. Example:

tshark -r file.pcap -Y x509af.utcTime -T fields -e frame.number -e x509af.utcTime -E occurrence=f

From the tshark man page:

occurrence=f|l|a Select which occurrence to use for fields that have multiple occurrences. If f the first occurrence will be used, if l the last occurrence will be used and if a all occurrences will be used (this is the default).

Alternatively, you can specify the occurrence of individual fields by using the gui.column.format option. For example:

Windows:

tshark -r file.pcap -Y x509af.utcTime -o "gui.column.format:\"No.\",\"%m\",\"x509af.utcTime\",\"%Cus:x509af.utcTime:1\""

*nix:

tshark -r file.pcap -Y x509af.utcTime -o 'gui.column.format:"No.","%m","x509af.utcTime","%Cus:x509af.utcTime:1"'

Run tshark -G column-formats for help with built-in column formats, such as %m.

cmaynard
answered 2018-10-12 16:48:06 +0000, updated 2018-10-15 13:54:55 +0000

Comments

Thanks for your extended reply! This already helped me a lot. Unfortunately the occurrence option returns the first occurrence in every frame; for instance, in my sample pcap this is the output:

12      18-08-18 00:00:00 (UTC)
90      18-09-25 07:43:00 (UTC)
168     18-07-30 00:00:00 (UTC)
203     18-08-14 00:00:00 (UTC)
248     18-09-25 07:43:00 (UTC)
256     18-09-25 07:43:00 (UTC)
268     18-09-25 07:43:00 (UTC)
399     18-09-26 14:39:15 (UTC)
491     18-09-26 14:39:15 (UTC)

With some custom scripting I could get the first value out of this array, but preferably I would like to have a command that does this instantly (so output = 18-08-18 00:00:00 (UTC)).

wessel145 (2018-10-15 10:05:36 +0000)

I can't think of a way to accomplish that without piping the output to something else, with the simplest solution probably being to pipe it to head -n 1.

cmaynard (2018-10-15 13:56:07 +0000)
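Carrying the answer and the follow-up comments one step further, here is an added example (not code from this thread or from the Wireshark project). Two points the thread leaves implicit: -E occurrence=f yields only the first x509af.utcTime value per frame, which is the end-entity certificate's notBefore, so its notAfter is lost; and the reason the first value belongs to the end-entity certificate at all is that TLS requires the sender's own certificate to come first in the Certificate message (RFC 5246 section 7.4.2). The script below therefore asks tshark for all occurrences, comma-aggregated per frame (-E occurrence=a -E aggregator=, are standard tshark options), and takes the first pair. It also applies the RFC 5280 two-digit-year pivot (YY >= 50 is 19YY) when parsing tshark's UTCTime rendering, which differs from Python's strptime pivot. The sample output, file name and function names are constructed for the example. Note that this only works where the Certificate message is visible to the dissector, i.e. TLS 1.2 and earlier, or TLS 1.3 with decryption secrets loaded.

```python
"""Extract the end-entity certificate's notBefore/notAfter from tshark output.

Added example for this thread (not code from the original posts or from
the Wireshark project). It assumes tshark is run with the flags in
TSHARK_ARGS, so that every x509af.utcTime value in a frame is printed in
wire order, and relies on the TLS rule that the sender's own certificate
is the first one in the Certificate message (RFC 5246 s7.4.2).
"""
import re
import shutil
import subprocess
import sys
from datetime import datetime, timezone

# tshark options this parser expects (all are real tshark options).
# A tab separates the two -e fields; commas separate repeated utcTime values.
TSHARK_ARGS = [
    "-Y", "x509af.utcTime",
    "-T", "fields",
    "-e", "frame.number",
    "-e", "x509af.utcTime",
    "-E", "separator=/t",
    "-E", "occurrence=a",
    "-E", "aggregator=,",
]

# Constructed sample of that command's output: frame 12 carries a
# three-certificate chain, frame 90 a two-certificate chain, and frame 168
# an odd number of values (one date was GeneralizedTime, not UTCTime).
SAMPLE_OUTPUT = (
    "12\t18-08-18 00:00:00 (UTC),20-11-16 12:00:00 (UTC),"
    "13-10-22 12:00:00 (UTC),28-10-22 12:00:00 (UTC),"
    "98-09-01 12:00:00 (UTC),49-12-31 23:59:59 (UTC)\n"
    "90\t18-09-25 07:43:00 (UTC),18-12-24 07:43:00 (UTC),"
    "16-03-17 16:40:46 (UTC),21-03-17 16:40:46 (UTC)\n"
    "168\t18-07-30 00:00:00 (UTC),19-07-30 00:00:00 (UTC),"
    "17-01-01 00:00:00 (UTC)\n"
)

_UTC_RE = re.compile(r"^(\d{2})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2}) \(UTC\)$")


def parse_utc_time(text):
    """Parse tshark's UTCTime rendering 'YY-MM-DD HH:MM:SS (UTC)'.

    RFC 5280 s4.1.2.5.1 fixes the century: YY >= 50 is 19YY, otherwise
    20YY. strptime's %y pivots at 69 instead, so it is not used here.
    """
    m = _UTC_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unexpected utcTime format: {text!r}")
    yy, month, day, hour, minute, second = (int(g) for g in m.groups())
    year = (1900 if yy >= 50 else 2000) + yy
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def end_entity_validity(tshark_output):
    """Return one dict per frame with the first certificate's validity.

    notBefore and notAfter are printed for every certificate in wire
    order, so values[0] and values[1] belong to the end-entity cert.
    An odd count means some date was encoded as GeneralizedTime (which
    lands in x509af.generalizedTime, not here); that frame is skipped
    rather than risk pairing the wrong dates.
    """
    rows = []
    for line in tshark_output.splitlines():
        if not line.strip():
            continue
        frame, _, times = line.partition("\t")
        values = [v for v in times.split(",") if v]
        if len(values) < 2 or len(values) % 2:
            continue
        rows.append({
            "frame": int(frame),
            "not_before": parse_utc_time(values[0]),
            "not_after": parse_utc_time(values[1]),
            "chain_length": len(values) // 2,
        })
    return rows


def lifetime_days(row):
    """Validity period of the end-entity certificate in days."""
    return (row["not_after"] - row["not_before"]).total_seconds() / 86400


def run_tshark(pcap_path):
    """Run tshark with TSHARK_ARGS on a capture and return its stdout."""
    exe = shutil.which("tshark")
    if exe is None:
        raise RuntimeError("tshark not found on PATH")
    return subprocess.run([exe, "-r", pcap_path, *TSHARK_ARGS],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Usage: python3 ee_validity.py file.pcap   (no argument: parse the sample)
    output = run_tshark(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for row in end_entity_validity(output):
        print(f"{row['frame']:>6}  {row['not_before']:%Y-%m-%d}  "
              f"{row['not_after']:%Y-%m-%d}  {lifetime_days(row):7.1f} days  "
              f"chain={row['chain_length']}")
```

The skip on an odd value count is deliberate: a certificate whose notAfter lies in 2050 or later must use GeneralizedTime, so it contributes only one value to x509af.utcTime and would shift every later pair by one. Requesting -e x509af.generalizedTime as well recovers those dates, but since tshark aggregates each field separately the two lists cannot be re-interleaved into wire order, so a frame like that is better handled from the certificate bytes (tls.handshake.certificate) than from the time fields alone.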
