How can you identify TLS handshake messages in a capture?


Multiple Choice

How can you identify TLS handshake messages in a capture?

Explanation:

To identify TLS handshake messages, look at the TLS protocol layer in your capture. The handshake is the sequence that sets up a secure session, so filtering for TLS (or SSL on older captures) focuses your view on the relevant traffic. Once you filter for TLS and expand the TLS protocol in a packet, you’ll see the handshake message types: ClientHello, ServerHello, Certificate, ServerKeyExchange, and Finished. These messages trace the negotiation of cryptographic parameters and the establishment of the secure channel, with the Finished message indicating the handshake has completed and normal encrypted data can follow.

Other filters don’t fit this task because they target different protocols or layers: an HTTP filter would show web responses, not the handshake; a DNS filter would show name lookups; and ARP is a link-layer protocol unrelated to TLS. The TLS approach directly highlights the handshake steps, usually occurring after the TCP connection is established (often on port 443), and it’s the clearest way to identify the TLS handshake in a capture.
