I just figured out the ssl.handshake error - thanks for confirming. I'll take another run at it.
Kurt

On Mon, Mar 13, 2023 at 3:48 PM Jaap Keuter <jaap.keu...@xs4all.nl> wrote:
> Hi,
>
> You would have to double quote the capture filter expression to be passed into tshark in the first place.
> Furthermore “ssll.handshake” isn’t in the capture filter syntax, these are display filter expressions which cannot be passed in the capture engine.
>
>
> On 13 Mar 2023, at 22:34, Kurt Buff <kurt.b...@gmail.com> wrote:
>
> I'm trying to capture just the TLS negotiations to/from a web page, using tshark, and have stared at the BPF filter page here (https://biot.com/capstats/bpf.html) and several other pages, and can't make it work.
>
> This site has 4 different host A records fronting it in a CDN.
>
> This is what my filter looks like, but tshark doesn't like it:
> "C:\program files\wireshark\tshark.exe" -i 4 -w c:\tshark-capture\tlscap.pcapng ( host 151.101.1.55 || host 151.101.65.55 || host 151.101.129.55 || host 151.101.193.55 ) && ( ssl.handshake.type==1 || ssl.handshake.type==2 )
>
> It emits the following
> Capturing on 'Ethernet'
> tshark: Invalid capture filter "( host 151.101.1.55" for interface 'Ethernet'.
>
> That string isn't a valid capture filter (can't parse filter expression: syntax error).
> See the User's Guide for a description of the capture filter syntax.
> tshark:
> 'host' is not recognized as an internal or external command,
> operable program or batch file.
> 'host' is not recognized as an internal or external command,
> operable program or batch file.
> 'host' is not recognized as an internal or external command,
> operable program or batch file.
>
> If I drop the parens around the hosts, it captures, but doesn't limit the capture to the SSL handshake, which is annoying.
>
> Can anyone tell me what I'm missing and/or done incorrectly?
>
> Thanks,
> Kurt
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
> Archives: https://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-requ...@wireshark.org?subject=unsubscribe
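An added example, not part of the original thread: since the capture engine only accepts BPF, the handshake test has to be written as byte comparisons on the TCP payload instead of ssl.handshake.type. The sketch below builds such a filter for the four hosts from the question and applies the same byte tests to constructed segments. Function names, port 443, IPv4-only traffic, and a TLS record that starts at the first payload byte are assumptions.

```python
import struct

# Start of the TCP payload: high nibble of byte 12 is the header length in 32-bit words.
PAYLOAD = "((tcp[12:1] & 0xf0) >> 2)"

def hello_capture_filter(hosts, port=443):
    """BPF capture filter for TLS ClientHello/ServerHello to or from the IPv4 hosts."""
    host_part = " or ".join(f"host {h}" for h in hosts)
    return (f"({host_part}) and tcp port {port}"
            f" and tcp[{PAYLOAD}:1] = 0x16"        # record type 22 = handshake
            f" and (tcp[{PAYLOAD}+5:1] = 0x01"     # handshake type 1 = ClientHello
            f" or tcp[{PAYLOAD}+5:1] = 0x02)")     # handshake type 2 = ServerHello

def matches_hello(segment: bytes) -> bool:
    """Apply the same byte tests as the filter to one raw TCP segment."""
    if len(segment) < 20:
        return False
    off = (segment[12] & 0xF0) >> 2
    if len(segment) < off + 6:       # too short for the loads: no match, as in BPF
        return False
    return segment[off] == 0x16 and segment[off + 5] in (0x01, 0x02)

def make_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment; ports, seq and ack are made-up sample values."""
    words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 50000, 443, 1, 1, words << 4, 0x18, 65535, 0, 0)
    return header + options + payload

def tls_record(content_type: int, body: bytes) -> bytes:
    """Constructed TLS record: type, version 0x0303, length, body."""
    return bytes([content_type, 0x03, 0x03]) + struct.pack("!H", len(body)) + body

# Host addresses taken from the question above.
HOSTS = ["151.101.1.55", "151.101.65.55", "151.101.129.55", "151.101.193.55"]

if __name__ == "__main__":
    print(hello_capture_filter(HOSTS))
    client_hello = tls_record(0x16, b"\x01\x00\x00\x04" + bytes(4))
    app_data = tls_record(0x17, bytes(16))
    print(matches_hello(make_segment(client_hello)))   # handshake, type 1
    print(matches_hello(make_segment(app_data)))       # application data
```

On Windows, pass the printed string to tshark as one double-quoted argument after -f so that cmd.exe does not interpret the operators. A display filter such as tls.handshake.type == 1 belongs with -Y when reading the capture file back.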