When focusing on TLS handshake messages in Wireshark, which filter would you apply?

Multiple Choice

When focusing on TLS handshake messages in Wireshark, which filter would you apply?

Explanation:
Focusing on the TLS protocol isolates the traffic that contains the handshake messages used to establish a secure session. The TLS filter lets Wireshark decode and display all TLS records, including the handshake messages like ClientHello, ServerHello, Certificate, and others that occur at the start of a TLS connection. This makes it straightforward to study how the secure session is negotiated, independent of the underlying application data.

Other protocols don’t apply here. Filtering for HTTP would show HTTP data, which may follow the TLS handshake (and, if HTTPS is used, is encrypted), so it wouldn’t reliably reveal the handshake sequence. DNS and ICMP are unrelated to the TLS handshake and won’t show TLS negotiation messages at all. If you want to narrow further to just handshake messages within TLS, you could use a more specific filter like tls.handshake, but the general TLS filter is the correct starting point.
