Revision history [back]

-e is not a filter, that's an output field selector. To filter (using display filter syntax use -Y, e.g.

tshark -r capture.pcapng -Y "tls.record.content_type && tls.record.opaque_type" -T fields -e "tls.record.content_type -e tls.record.opaque_type" -E separator="|"

Note that this display filter will only select records that have both fields present.