Comment by xinxolHH for TLS negotiates the TLS version during the handshake. The client reports its minimum version through the tls.record.version field and the server agrees to it in the Server Hello. If you would like to understand what versions are in use, it suffices to extract TLS Server Hello handshake messages using the filter:tls.handshake.type==2 Then inspect the Server Hello version field:tls.handshake.version or for TLS 1.3:tls.handshake.extensions.supported_version For example, to extract both version fields for Server Hello messages, it will show something like 0x00000303 (for TLS 1.2) or 0x00000304 0x00000303 (for TLS 1.3):tshark -r your.pcapng -T fields -Y tls.handshake.type==2 -e tls.handshake.extensions.supported_version -e tls.handshake.version Alternatively you can dump the Protocol column like this, it will show something like TLSv1.2 or TLSv1.3:tshark -r your.pcapng -T fields -Y tls.handshake.type==2 -e _ws.col.Protocol For more details on the version negotiation, including TLS 1.3 considerations, see this answer.

Thanks!, this is closer to what I was looking for, I have added the ip.src on the fields so I can get the "dump" with each line with the correspoding ip address on the screen in a text file. I am bit surprise that it is not possible to have a written pcapng file with only those handshake packets. Thanks & Best Regards.