In a bash-like shell you can do:
tshark -r <file> -w <new-file> -Y "tcp.stream in { $(tshark -r <file> -Y 'tls.handshake.extensions_server_name == "outlook.office365.com"' -T fields -e tcp.stream | sort | uniq | xargs) }"
Where tshark -r <file> -Y 'tls.handshake.extensions_server_name == "outlook.office365.com"' -T fields -e tcp.stream
lists all the tcp.stream numbers of the client hellos that contain the requested SNI.
Then ... | sort | uniq | xargs
creates a list of unique tcp.stream numbers
Then "tcp.stream in { $(<command>) }"
creates a display filter based on the output of the previous command.
And of course tshark -r <file> -w <new-file> -Y <filter>
saves a new pcap file with the filtered data.
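The same procedure wrapped in a reusable POSIX shell script, as an added example that is not part of the original answer. It assumes tshark is on PATH; the function names (build_stream_filter, sni_stream_filter, extract_sni_streams) are made up for illustration. It also handles the case the one-liner does not: when no Client Hello matches, `tcp.stream in { }` with an empty set is a display-filter syntax error, so the script stops before running tshark with a broken filter instead of producing a misleading error or an empty capture.

```shell
#!/bin/sh
# Save every TCP stream whose TLS Client Hello carries a given SNI into a new pcap.
# Added example, not from the original post. Assumes tshark is installed.
# Usage: extract_sni_streams.sh <in.pcap> <out.pcap> <sni>

# Turn a newline-separated list of tcp.stream numbers (the output of
# `tshark -T fields -e tcp.stream`) into a display filter such as
# "tcp.stream in { 3 7 12 }". Blank lines, non-numeric junk and duplicate
# stream numbers are dropped. Prints nothing and returns 1 when the list
# is empty, because "tcp.stream in { }" is not a valid display filter.
build_stream_filter() {
    streams=$(printf '%s\n' "$1" | grep -E '^[0-9]+$' | sort -nu | tr '\n' ' ')
    [ -n "$streams" ] || return 1
    printf 'tcp.stream in { %s}' "$streams"
}

# Ask tshark for the stream numbers of all Client Hellos (handshake type 1)
# whose server_name extension equals the requested SNI, then build the filter.
# The inner filter is single-quoted so the shell leaves the double quotes
# around the SNI for tshark to parse.
sni_stream_filter() {
    in="$1"; sni="$2"
    ids=$(tshark -r "$in" \
        -Y "tls.handshake.type == 1 && tls.handshake.extensions_server_name == \"$sni\"" \
        -T fields -e tcp.stream)
    build_stream_filter "$ids"
}

# Write the selected streams (both directions, every packet of each stream)
# to a new capture file. Fails loudly if nothing matched.
extract_sni_streams() {
    in="$1"; out="$2"; sni="$3"
    filter=$(sni_stream_filter "$in" "$sni") || {
        echo "no TLS Client Hello with SNI '$sni' found in $in" >&2
        return 1
    }
    echo "display filter: $filter" >&2
    tshark -r "$in" -w "$out" -Y "$filter"
}

# Only run when called with the three positional arguments.
if [ $# -eq 3 ]; then
    extract_sni_streams "$1" "$2" "$3"
fi
```

`sort -nu` is used instead of `sort | uniq` so the stream numbers come out in numeric order, which makes the printed filter easier to read; the filter semantics are the same. The Client Hello check (`tls.handshake.type == 1`) is not in the original one-liner but makes the intent explicit, since only the Client Hello carries a server_name value.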