Revision history  [back]

This kind of thing generally needs multiple passes over the capture using tshark. First run a pass with a display filter to limit the output to the desired TLS traffic and add a T Fields -e tcp.stream argument to get a list of all tcp streams. Then use this list of streams to filter the original capture a single stream at a time and write the stream to a new file.