
Revision history

initial version

In a bash-like shell you can do:

tshark -r <file> -w <new-file> -Y "tcp.stream in { $(tshark -r <file> -Y 'tls.handshake.extensions_server_name == "outlook.office365.com"' -T fields -e tcp.stream | sort | uniq | xargs) }"

Where tshark -r <file> -Y 'tls.handshake.extensions_server_name == "outlook.office365.com"' -T fields -e tcp.stream lists all the tcp.stream numbers of the Client Hellos that contain the requested SNI.

Then ... | sort | uniq | xargs creates a list of unique tcp.stream numbers

Then "tcp.stream in { $(<command>) }" creates a display filter based on the output of the previous command.

And of course tshark -r <file> -w <new-file> -Y <filter> saves a new pcap file with the filtered data.
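The same two-pass approach wrapped in a small script, as an added example that is not part of the answer above. It assumes tshark is on the PATH; the function names, the argument order (input capture, output capture, SNI) and the sample stream numbers used in the comments are mine, not the answer's. The one behaviour it adds is a guard for the case the one-liner does not handle: when no Client Hello matches, the inner command prints nothing and the outer filter would become `tcp.stream in {  }`, which tshark rejects as a syntax error, so the script stops instead.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes tshark is installed.
set -eu

# Read newline-separated tcp.stream numbers on stdin, deduplicate them and
# emit a display filter of the form "tcp.stream in { 1 3 12 }".
# Returns 1 (and prints nothing) when stdin is empty, so the caller never
# hands tshark an empty set.
build_stream_filter() {
    ids=$(sort -n | uniq | xargs)      # numeric sort, dedup, join with spaces
    [ -n "$ids" ] || return 1
    printf 'tcp.stream in { %s }\n' "$ids"
}

# Print the tcp.stream number of every Client Hello whose SNI equals $2.
# The SNI is placed inside the display filter's own double quotes; the
# single quotes keep the shell from re-parsing it.
streams_for_sni() {
    pcap=$1; sni=$2
    tshark -r "$pcap" -Y "tls.handshake.extensions_server_name == \"$sni\"" \
           -T fields -e tcp.stream
}

# Write every packet of every stream that carried the given SNI to $2.
# Usage: extract_sni_streams capture.pcapng outlook.pcapng outlook.office365.com
extract_sni_streams() {
    pcap=$1; out=$2; sni=$3
    if ! filter=$(streams_for_sni "$pcap" "$sni" | build_stream_filter); then
        echo "no Client Hello with SNI $sni found in $pcap" >&2
        return 1
    fi
    echo "applying filter: $filter" >&2
    tshark -r "$pcap" -w "$out" -Y "$filter"
}
```

Two practical notes: the set syntax `tcp.stream in { 1 3 12 }` takes space-separated members, which is why `xargs` (rather than a comma join) is enough; and the `tls.` field prefix applies to Wireshark 3.0 and later, while older releases exposed the same field as `ssl.handshake.extensions_server_name`.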