Quick Start Guide

Wireshark Quickstart Guide
Appendix 2: Filters in Wireshark
Wireshark can filter results so that you only see certain packets. An example of a filter condition would be to keep only packets sent to/from a specific IP address.

Wireshark uses two types of filters, capture filters and display filters. Capture filters decide which packets are kept at capture time: only packets that meet the filter criteria are stored. Display filters work after the capture is completed; they restrict which packets are shown, but they don’t actually discard any information. Capture filters are more useful on very busy networks, when you need to limit the amount of data your machine has to process. Display filters, on the other hand, don’t save any memory, but they let you temporarily focus an analysis without losing any underlying information.
Capture filters can be set in two different places. Go to the Capture menu, select “Options”, and you will find a field for capture filters. Alternatively, go to the Capture menu and select “Capture Filters”. From the “Capture Filters” dialog box you will see a help menu that explains how the function works.
Display filters can be entered at the top of the display screen. Figure 11 below shows a display filter entered into the display filter box at the top of the screen.
Figure 11: Using Display Filters
The display filter shown in the image above will only display packets if they are from/to IP address 64.236.16.52. This specific filter limited packets to those involved with CNN.com. If you also captured traffic to USAToday.com, you would not be able to see it until you clicked on “Clear” to the right of the filter area. A more specific filter to restrict the display of packets to a single session would be “(ip.addr eq 64.236.16.52 and ip.addr eq 192.168.1.69) and (tcp.port eq 80 and tcp.port eq 1102)”. In this case both endpoints are explicitly selected (both the IP addresses and the ports used in the session).
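To make the capture-filter versus display-filter distinction and the session filter above concrete, here is an added Python example (not part of the guide) that evaluates the guide's two display filters over a small, constructed packet list. It models Wireshark's `ip.addr eq X` semantics, where the condition is true if either endpoint is X, which is why the session filter needs both `ip.addr` terms and both `tcp.port` terms to pin down one conversation. The second CNN.com session's client port (1103), the USAToday.com address (203.0.113.10) and the packet records themselves are assumptions for illustration; only 64.236.16.52, 192.168.1.69, 80 and 1102 come from the guide. It also shows a well-known pitfall the guide does not mention: `ip.addr != X` does not exclude a host, because it is true whenever at least one endpoint differs; the correct exclusion is `!(ip.addr eq X)`.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal stand-in for a captured TCP/IP packet (constructed sample data)."""
    src: str
    dst: str
    sport: int
    dport: int


# Constructed sample capture: two CNN.com sessions plus one USAToday.com session.
# 64.236.16.52, 192.168.1.69, port 80 and port 1102 come from the guide; the
# second session's client port (1103) and the USAToday.com address are assumed.
SAMPLE_CAPTURE = [
    Packet("192.168.1.69", "64.236.16.52", 1102, 80),   # CNN session A, request
    Packet("64.236.16.52", "192.168.1.69", 80, 1102),   # CNN session A, reply
    Packet("192.168.1.69", "64.236.16.52", 1103, 80),   # CNN session B, request
    Packet("64.236.16.52", "192.168.1.69", 80, 1103),   # CNN session B, reply
    Packet("192.168.1.69", "203.0.113.10", 1104, 80),   # USAToday.com, request
    Packet("203.0.113.10", "192.168.1.69", 80, 1104),   # USAToday.com, reply
]

# Equivalent capture filter (BPF syntax) for the session filter below. Unlike a
# display filter, packets failing this are never stored in the first place.
SESSION_CAPTURE_FILTER = (
    "host 64.236.16.52 and host 192.168.1.69 and tcp port 80 and tcp port 1102"
)


def ip_addr_eq(pkt, addr):
    """Wireshark's `ip.addr eq X` is true if EITHER endpoint is X."""
    return pkt.src == addr or pkt.dst == addr


def tcp_port_eq(pkt, port):
    """Wireshark's `tcp.port eq N` is true if EITHER port is N."""
    return pkt.sport == port or pkt.dport == port


def host_filter(pkt):
    """Figure 11's filter, `ip.addr eq 64.236.16.52`: everything to/from CNN.com."""
    return ip_addr_eq(pkt, "64.236.16.52")


def session_filter(pkt):
    """The guide's single-session filter:
    (ip.addr eq 64.236.16.52 and ip.addr eq 192.168.1.69)
        and (tcp.port eq 80 and tcp.port eq 1102)
    """
    return (ip_addr_eq(pkt, "64.236.16.52") and ip_addr_eq(pkt, "192.168.1.69")) and (
        tcp_port_eq(pkt, 80) and tcp_port_eq(pkt, 1102)
    )


def naive_not_cnn(pkt):
    """`ip.addr != 64.236.16.52` (pitfall): true whenever at least one endpoint
    differs, so it still matches every CNN packet via the 192.168.1.69 side."""
    return pkt.src != "64.236.16.52" or pkt.dst != "64.236.16.52"


def not_cnn(pkt):
    """`!(ip.addr eq 64.236.16.52)`: the correct way to exclude a host."""
    return not ip_addr_eq(pkt, "64.236.16.52")


def apply_capture_filter(packets, predicate):
    """Capture filter: non-matching packets are dropped and cannot be recovered."""
    return [p for p in packets if predicate(p)]


def apply_display_filter(packets, predicate):
    """Display filter: returns (shown, hidden); nothing is discarded."""
    shown = [p for p in packets if predicate(p)]
    hidden = [p for p in packets if not predicate(p)]
    return shown, hidden


if __name__ == "__main__":
    print("host filter keeps", len(apply_capture_filter(SAMPLE_CAPTURE, host_filter)))
    shown, hidden = apply_display_filter(SAMPLE_CAPTURE, session_filter)
    print("session filter shows", len(shown), "and hides", len(hidden))
    print("naive != matches", sum(naive_not_cnn(p) for p in SAMPLE_CAPTURE))
    print("correct exclusion matches", sum(not_cnn(p) for p in SAMPLE_CAPTURE))
```

Running it shows the host filter matching four packets, the session filter narrowing that to the two packets of one TCP conversation, and the display filter accounting for all six packets (shown plus hidden) while the capture filter simply returns fewer. The naive `!=` predicate matches all six packets, the correct negation only the two USAToday.com packets.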
Even if you have never entered a filter, some commands automatically enter filters for you – for example the “Follow TCP Stream” command. If you find data is missing, make sure that there is not a display filter entered at the top of the screen. You can click on the word “Clear” to the right of the filter text box.