A simple tshark EAP certificate extractor

extract_EAP.sh

#!/bin/sh
# Simple tshark WiFi EAP certificate extractor
# By [email protected]
# Updated by :
# Michael Kruger (cablethief)
# Guillem Lefait
# All rights reserved 2018

if [ ! -x $(which tshark) ]; then
  echo "tshark not installed"
  exit 0
fi

if [ "$#" -ne 2 ]; then
  echo "Usage: $0 [-r file.cap | -i interface]"
  echo "Extracted certificates will be written to <file|int>.cert.rand.der"
  exit 0
fi

tmpbase=$(basename  $2)
tshark -r "$tmpbase" -Y "ssl.handshake.certificate or tls.handshake.certificate" \
	-T fields -e frame.number -e "ssl.handshake.certificate" -e "ns_cert_exts.CertType" \
	-E occurrence=a \
	| while read frame_number certificates cert_types;
do
	pos=1
	paste <(echo $certificates | sed 's#,#\n#g') <(echo $cert_types | sed 's#,#\n#g') \
		| while read certificate cert_type; 
	do
	
		file_output="${tmpbase}.${frame_number}.${pos}.${cert_type}.der"
		pos=$((pos+1))
		echo $certificate | sed "s/://g" | \
			xxd -ps -r | \
			tee $file_output | \
			openssl x509 -inform der -text;
	done;
done;

Updated to add the certificate type in the filename. It helps to distinguish between CA and SSL.
For example, with the following output :

recon-19.cap.1094.1.40.der
recon-19.cap.1094.2.07.der

we see that two certificates are present in the 1094th frame.

The first has type 40 and is the SSL certificate:

0... .... = ssl-client: False
.1.. .... = ssl-server: True
..0. .... = smime: False
...0 .... = object-signing: False
.... 0... = reserved-for-future-use: False
.... .0.. = ssl-ca: False
.... ..0. = smime-ca: False
.... ...0 = object-signing-ca: False

The second, with type 07 is the CA certificate:

0... .... = ssl-client: False
.0.. .... = ssl-server: False
..0. .... = smime: False
...0 .... = object-signing: False
.... 0... = reserved-for-future-use: False
.... .1.. = ssl-ca: True
.... ..1. = smime-ca: True
.... ...1 = object-signing-ca: True