Filter out tls 1.2/1.3 app_data using tshark
Hello,
I use Wireshark 3.1.0 and tshark 3.0.3 in my daily work and often have to analyse pcaps with huge amounts of encrypted TLS application data which I do not need.
I usually simply filter out those packets with the filter "not tls.app_data" in the Wireshark GUI, which works fine, but I would like to directly remove those packets from the source pcaps via an automated script using tshark.
I have tried:
tshark -F pcap -r source.pcap -w filtered.pcap -Y "not tls.app_data"
tshark -F pcap -r source.pcap -w filtered.pcap -Y "not (tls.record.content_type == 23 or tls.record.opaque_type ==23)"
In both commands only TLS 1 seems to be filtered out, and the TLS 1.2 and TLS 1.3 packets are still there.
tshark seems not to understand that TLS 1.2 and TLS 1.3 are to be considered TLS packets.
I would like to remove only the application data; I still need to keep the other types of TLS record.
Any help is welcome.
EDIT: Extra info, my tshark is using: libpcap version 1.7.4, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with zlib 1.2.8.
I'm starting to suspect that those lib versions don't support TLS 1.2 or 1.3.
Not sure if it's relevant, but Wireshark always performs 2-pass analysis of the capture, whereas tshark will default to a single pass unless the -2 parameter is supplied. As you're reading and writing, you may also need to use a -R read filter to accomplish your task. I'm not sure if the library versions have anything to do with the issue as it's down to the libwireshark dissection engine, but you could check the versions of those libraries used by Wireshark in the Help -> About Wireshark dialog to see if there are any differences.