Getting Certs Out of Wireshark

Packet capture tools are oscilloscopes to network programmers, I couldn't get anything done without near continual use of tcpdump and wireshark. In a pinch tcpdump can be used instead of writing server code.

Wireshark has support for a load of protocols and can really help with debugging. Recently I added dtls support to NEAT. DTLS is a protocol enhancement to TLS to support datagram traffic, when it is working all of the traffic is basically random noise.

Wireshark Cert Extraction

I had trouble gettting server certs to work correctly with DTLS, thankfully Wireshark can reassemble the datagrams into a coherent certificate and export the data out to a file. I can use this to manually check the cert is being sent correctly.

The process is something like this:

1. Import pcap
2. Find the full reassembled server hello
3. Expand the DTLS body
4. Expand the DTLS Record, Certificate (Reassembled)
5. Right click on 'Handshake Protocol: Certificate(Reassembled)' 
6. Select Export Packet Bytes

After than I had a TLS Cert in DER format, DER is just he raw cert bytes. With this I could then verify using openssl that the cert chain was valid.

Reading: Abaddon's Gate

blog morning

Posted on