 | 1 | initial version |
What you filter on is the TLS ContentType (of the first record), which according to IANA, is 22 for 'handshake'. The fact that you filter on the port reserved for HTTPS (443) does give you a reasonable expectation of the start of a HTTPS transfer.
