Filter out tls 1.2/1.3 app_data using tshark

Hello,

I use Wireshark 3.1.0 and tshark 3.0.3 in my daily work and often have to analyse pcaps with a huge amount of encrypted TLS application data which I do not need.

I usually simply filter out those packets with the filter "not tls.app_data" in the Wireshark GUI, which works fine, but I would like to directly remove those packets from the source pcaps via an automated script using tshark.

I have tried:

tshark -F pcap -r source.pcap -w filtered.pcap -Y "not tls.app_data"

tshark -F pcap -r source.pcap -w filtered.pcap -Y "not (tls.record.content_type == 23 or tls.record.opaque_type ==23)"

In both commands only TLS 1 seems to be filtered out and the TLS 1.2 and TLS 1.3 packets are still there.

tshark seems to not understand that TLS 1.2 and TLS 1.3 are to be considered as TLS packets.

I would like to remove only the application data; I still need to keep the other types of TLS record.

Any help is welcome.

EDIT: Extra info, my tshark is using: libpcap version 1.7.4, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with zlib 1.2.8.

I'm starting to suspect that those lib versions don't support TLS 1.2 or 1.3.
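As an added example (not from the question and not Wireshark's or tshark's code), the record-level check behind the "not tls.app_data" filter, run in Python over a constructed capture: a TLS record header is content type (1 byte), version (2 bytes), length (2 bytes); application data is type 23 for TLS 1.0 through 1.2, and TLS 1.3 keeps the same outer byte (what tshark exposes as tls.record.opaque_type) with the legacy version 0x0303, so one header test covers all three. It assumes Ethernet/IPv4/TCP frames in a little-endian pcap and does no TCP reassembly, so a record continued from an earlier segment is not matched.

```python
import struct
APP_DATA = 23  # TLS ContentType application_data; TLS 1.3's outer "opaque_type" byte has the same value
def has_tls_app_data(payload):
    """True if any TLS record that starts inside this TCP payload is application_data."""
    off = 0
    while off + 5 <= len(payload):
        ctype, version, length = struct.unpack("!BHH", payload[off:off + 5])
        if (version >> 8) != 3:   # record versions are 0x03xx (TLS 1.3 still writes 0x0303); anything
            return False          # else is plaintext or the tail of a record split across segments
        if ctype == APP_DATA:
            return True
        off += 5 + length
    return False

def tcp_payload(frame):
    """TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:] if len(frame) >= tcp + 20 else None

def filter_pcap(data):
    """Copy a little-endian pcap, dropping packets that carry TLS application_data; returns (bytes, kept, dropped)."""
    out, kept, dropped, off = bytearray(data[:24]), 0, 0, 24
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]        # incl_len of this pcap record
        record, off = data[off:off + 16 + incl], off + 16 + incl   # 16-byte record header + frame
        payload = tcp_payload(record[16:])
        if payload and has_tls_app_data(payload):
            dropped += 1
        else:
            out += record
            kept += 1
    return bytes(out), kept, dropped

def build_frame(tcp_data):  # constructed minimal Ethernet/IPv4/TCP frame, not taken from a real capture
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(tcp_data), 0, 0, 64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 443, 50000, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + tcp_data
def build_pcap(frames):  # pcap 2.4 file with little-endian magic, one record per frame
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + records
SAMPLE_FRAMES = [                                           # constructed sample traffic
    build_frame(b"\x16\x03\x03\x00\x04\x01\x00\x00\x00"),    # TLS 1.2 handshake record: keep
    build_frame(b"\x17\x03\x03\x00\x03abc"),                # TLS 1.2 / TLS 1.3 application_data: drop
    build_frame(b"\x17\x03\x01\x00\x03abc"),                # TLS 1.0 application_data: drop
    build_frame(b"\x15\x03\x03\x00\x02\x02\x28"),            # TLS alert record: keep
    build_frame(b"GET / HTTP/1.1\r\n"),                      # plaintext, not TLS: keep
]
```

Calling filter_pcap(build_pcap(SAMPLE_FRAMES)) keeps the handshake, alert and plaintext frames and drops both application_data frames regardless of the record version byte.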