I am interested in running Packetbeat with the -I option to parse TLS metadata stored in a file.
I am only interested in Client Hello, Server Hello TLS messages.
I would like to know whether the capture file should have only the TLS packets which start with 16 03 03, or whether it needs to have complete TCP/IP packets.
The reason is I do not want to create and process big files.
Please let me know if there is any other way to put only the complete TLS packet and then run Packetbeat like packetbeat.exe -e -c conf.yml -t -I .\a.log --d "publish"
or if there is any other option.