This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture filter with SSL hex output from tshark

0

I'm using the answer from this question to get hex data from SSL traffic. How do I add a capture filter along with this so that I get a hex dump of only that host's application data? I tried using 'host gateway.push.apple.com' but it said that it's a capture filter. I basically need to filter for this host and get a decrypted hex dump of the application data alone. Can tshark do that?

asked 23 Jan '15, 13:34

arungeorg81

converted 23 Jan '15, 14:03

grahamb ♦
One Answer:

0

Assuming you're using a command line similar to that of the answer to which you attached your question, i.e.

tshark -Vnxr pcap -R (filter) > textfile

Then the -R (filter) part of the answer is for a display filter. For a capture filter use -f (filter), as explained in the tshark help file or the output of tshark -h:

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  ...

answered 23 Jan '15, 14:07

grahamb ♦