 | 1 | initial version |
As @grahamb mentioned, Wireshark does not have a filter that is session aware for TLS. But luckily Wireshark does have a Lua scripting engine on board. I wrote a Lua script that will work as you described. Use the filter TLSextend.state==1 to see all packets from the TCP streams that contain a ClientHello, but not a ServerHello.
See: https://github.com/syn-bit/TLSextend
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
