Schiltech's profile - activity

2021-10-26 15:24:43 +0000 received badge  Famous Question (source)
2020-07-24 09:57:20 +0000 received badge  Notable Question (source)
2020-07-24 09:57:20 +0000 received badge  Popular Question (source)
2019-09-09 08:13:58 +0000 commented answer Filter out tls 1.2/1.3 app_data using tshark

Thanks. It seems to partially solve the problem. Now I have some sites in tls 1.2 and tls 1.3 filtered out too. It appe

2019-09-09 08:07:00 +0000 marked best answer Filter out tls 1.2/1.3 app_data using tshark

Hello,

I use Wireshark 3.1.0 and tshark 3.0.3 in my daily work and often have to analyse pcaps with a huge amount of encrypted TLS application data which I do not need.

I usually simply filter out those packets with the filter "not tls.app_data" in the Wireshark GUI, which works fine, but I would like to directly remove those packets from the source pcaps via an automated script using tshark.

I have tried:

tshark -F pcap -r source.pcap -w filtered.pcap -Y "not tls.app_data"

tshark -F pcap -r source.pcap -w filtered.pcap -Y "not (tls.record.content_type == 23 or tls.record.opaque_type ==23)"

In both commands only TLS 1 seems to be filtered out and the TLS 1.2 and TLS 1.3 packets are still there.

tshark seems to not understand that TLS 1.2 and TLS 1.3 are to be considered as TLS packets.

I would like to remove only the application data; I still need to keep the other types of TLS records.

Any help is welcome.

EDIT: Extra info, my tshark is using: libpcap version 1.7.4, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with zlib 1.2.8.

I'm starting to suspect that those lib versions don't support TLS 1.2 or 1.3.

2019-09-09 08:07:00 +0000 received badge  Scholar (source)
2019-09-05 14:14:17 +0000 received badge  Editor (source)
2019-09-05 14:14:17 +0000 edited question Filter out tls 1.2/1.3 app_data using tshark


2019-09-02 08:08:53 +0000 asked a question Filter out tls 1.2/1.3 app_data using tshark
