 | 1 | initial version |
Works fine with me, using tshark 3.0.2
Are you using the same settings? Tshark will use your default profile if you don't add -C <profilename>, so if for instance your default profile does not have TCP reassembly enabled (but the profile you use with Wireshark does), you might not get the results you want.
You can either create a profile with all the right settings and use that with tshark, or you can specify the important preference settings in your command line with -o options:
tshark -F pcap -r <file> -w <new> \
-Y not (tls.record.content_type == 23 or tls.record.opaque_type ==23)" \
-o tcp.check_checksum:FALSE \
-o tcp.desegment_tcp_streams:TRUE \
-o tcp.reassemble_out_of_order:TRUE \
-o tcp.no_subdissector_on_error:TRUE \
-o tls.desegment_ssl_records:TRUE \
-o tls.desegment_ssl_application_data:TRUE