Wireshark-users: Re: [Wireshark-users] tshark reassembled TLSv1 record: Can it display certificat
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 18 Dec 2009 15:40:29 -0800
On Dec 18, 2009, at 3:00 PM, Magnuson, Steve wrote:

> Is there a way to tell tshark to display, for example, x509sat.printableString and x509af.utcTime attributes for each certificate in a certificate chain?

Not with "-T fields" and "-e".  See below.

> This command will only show the attributes for the first certificate in a certificate chain in a reassembled TLSv1 record:
> 
> tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e x509sat.printableString -e x509af.utcTime
> 
> In Wireshark, it shows the reassembled certificate chain and you can look at attributes for each certificate, but tshark only shows the attributes for the first certificate - unless I'm missing something.

"-T text" (or no "-T" flag, as "text" is the default) plus "-V" will show all the certificates, just as Wireshark will (not surprising, as they're showing the same thing - the packet details).

"-T fields" + "-e {field}" only shows the first instance of {field} that it finds.  Note that if it were to be changed to print more instances, the resulting output would have to be parseable regardless of how many instances of {field} are in a packet, even if different packets in the capture have different numbers of instances of the field.  (I.e., printing all instances, with tabs or other separators between them, is not the answer; that could be made to work if only one of the fields being displayed has multiple instances, as that could be made the last field in the line, but won't work if more than one of the fields could have multiple instances.  It might require some tag+value format, so that each field value in the output for a packet is tagged with the field name.)