Wireshark-users: Re: [Wireshark-users] I can't figure this capture filter out

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Mon, 13 Mar 2023 22:47:54 +0100
Hi,

You would have to double quote the capture filter expression to be passed into tshark in the first place.
Furthermore “ssl.handshake” isn’t in the capture filter syntax; these are display filter expressions which cannot be passed to the capture engine.


On 13 Mar 2023, at 22:34, Kurt Buff <kurt.buff@xxxxxxxxx> wrote:

I'm trying to capture just the TLS negotiations to/from a web page, using tshark, and have stared at the BPF filter page here (https://biot.com/capstats/bpf.html) and several other pages, and can't make it work.

This site has 4 different host A records fronting it in a CDN.

This is what my filter looks like, but tshark doesn't like it:
"C:\program files\wireshark\tshark.exe" -i 4 -w c:\tshark-capture\tlscap.pcapng ( host 151.101.1.55 || host 151.101.65.55 || host 151.101.129.55 || host 151.101.193.55 ) && ( ssl.handshake.type==1 || ssl.handshake.type==2 )

It emits the following:
Capturing on 'Ethernet'
tshark: Invalid capture filter "( host 151.101.1.55" for interface 'Ethernet'.

That string isn't a valid capture filter (can't parse filter expression: syntax error).
See the User's Guide for a description of the capture filter syntax.
tshark:
'host' is not recognized as an internal or external command,
operable program or batch file.
'host' is not recognized as an internal or external command,
operable program or batch file.
'host' is not recognized as an internal or external command,
operable program or batch file.

If I drop the parens around the hosts, it captures, but doesn't limit the capture to the SSL handshake, which is annoying.

Can anyone tell me what I'm missing and/or done incorrectly?

Thanks,
Kurt
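The corrected invocation and the capture-filter idiom behind it, as an added example that is not part of the thread: the byte-offset expression for the TLS record type and handshake type is an assumption of this example (it is not something the reply states), and the Python function evaluates that expression on constructed TCP segments the way libpcap indexes them, so you can see why it works where a display filter cannot.

```python
import struct
from typing import List, Optional

# Addresses from the question. BPF idiom (assumption of this example): tcp[12] >> 4 is the
# TCP data offset in 32-bit words, so tcp[(tcp[12:1] & 0xf0) >> 2] is the first payload
# byte (TLS record type, 0x16 = handshake) and five bytes later sits the handshake message
# type (1 = ClientHello, 2 = ServerHello). IPv4 only; the hello must start the segment.
HOSTS = ["151.101.1.55", "151.101.65.55", "151.101.129.55", "151.101.193.55"]
TLS_HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 1, 2


def capture_filter() -> str:
    """pcap-filter (BPF) expression that tshark's capture engine accepts."""
    hosts = " or ".join(f"host {h}" for h in HOSTS)
    off = "((tcp[12:1] & 0xf0) >> 2)"
    hello = f"tcp[{off} + 5:1] = {CLIENT_HELLO} or tcp[{off} + 5:1] = {SERVER_HELLO}"
    return f"({hosts}) and tcp[{off}:1] = {TLS_HANDSHAKE:#x} and ({hello})"


def tshark_argv(interface: str, outfile: str) -> List[str]:
    """The whole filter must reach tshark as ONE argument; on cmd.exe that is what the
    double quotes do (unquoted, cmd treats ( ) && || as its own command operators)."""
    return ["tshark", "-i", interface, "-w", outfile, "-f", capture_filter()]


def bpf_handshake_type(tcp_segment: bytes) -> Optional[int]:
    """Evaluate the tcp[...] part of capture_filter() on a raw TCP segment (header+payload)."""
    if len(tcp_segment) < 20:
        return None
    data_off = (tcp_segment[12] & 0xF0) >> 2          # TCP header length in bytes
    if len(tcp_segment) < data_off + 6:               # no record header + handshake type byte
        return None
    if tcp_segment[data_off] != TLS_HANDSHAKE:
        return None
    hs_type = tcp_segment[data_off + 5]
    return hs_type if hs_type in (CLIENT_HELLO, SERVER_HELLO) else None


def make_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment: 20-byte base header, optional TCP options, then payload."""
    assert len(options) % 4 == 0
    words = 5 + len(options) // 4
    hdr = struct.pack("!HHIIBBHHH", 54321, 443, 0, 0, words << 4, 0x18, 65535, 0, 0)
    return hdr + options + payload


def tls_record(content_type: int, body: bytes) -> bytes:
    """Constructed TLS record: type, legacy version 0x0303, length, body."""
    return struct.pack("!BHH", content_type, 0x0303, len(body)) + body


if __name__ == "__main__":
    print(" ".join(tshark_argv("4", r"c:\tshark-capture\tlscap.pcapng")))
    print(bpf_handshake_type(make_segment(tls_record(0x16, b"\x01\x00\x00\x02\x03\x03"))))
```

The same filter works as tshark's trailing positional argument; to narrow further by handshake fields after capture, read the file back with a display filter (-r file -Y "ssl.handshake.type == 1").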