User Guide

Capturing Live Network Data
ether|ip broadcast|multicast
    This primitive allows you to filter on either Ethernet or IP broadcasts or multicasts.

<expr> relop <expr>
    This primitive allows you to create complex filter expressions that select bytes or ranges of bytes in packets. Please see the tcpdump man page at http://www.tcpdump.org/tcpdump_man.html for more details.

4.12.1. Automatic Remote Traffic Filtering
If Wireshark is running remotely (e.g. over SSH, an exported X11 window, or a terminal server), the
remote session's content has to be transported over the network, adding many (usually unimportant)
packets to the traffic you are actually interested in.
To avoid this, Wireshark tries to figure out if it's remotely connected (by looking at some specific
environment variables) and automatically creates a capture filter that matches aspects of the connection.
The following environment variables are analyzed:
SSH_CONNECTION (ssh)              <remote IP> <remote port> <local IP> <local port>
SSH_CLIENT (ssh)                  <remote IP> <remote port> <local port>
REMOTEHOST (tcsh, others?)        <remote name>
DISPLAY (x11)                     [remote name]:<display num>
SESSIONNAME (terminal server)     <remote name>
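
The following added example (not Wireshark's own code) shows how a capture filter excluding the remote session can be derived from the variables listed above. The function names and the exact filter shape are assumptions made for illustration, SESSIONNAME is not handled, and the sample addresses are constructed.

```python
import ipaddress
import os


def host_clause(addr):
    """BPF host clause; picks ip/ip6 for literals, plain 'host' for names."""
    try:
        version = ipaddress.ip_address(addr).version
    except ValueError:
        return f"host {addr}"  # a host name; libpcap resolves it when compiling
    return f"{'ip6' if version == 6 else 'ip'} host {addr}"


def remote_session_filter(env=None):
    """Return a capture filter excluding the remote session, or "" if none found."""
    env = os.environ if env is None else env

    # SSH_CONNECTION: <remote IP> <remote port> <local IP> <local port>
    conn = env.get("SSH_CONNECTION", "").split()
    if len(conn) == 4 and conn[1].isdigit() and conn[3].isdigit():
        rip, rport, lip, lport = conn
        return (f"not (tcp port {rport} and {host_clause(rip)} "
                f"and tcp port {lport} and {host_clause(lip)})")

    # SSH_CLIENT: <remote IP> <remote port> <local port>
    client = env.get("SSH_CLIENT", "").split()
    if len(client) == 3 and client[1].isdigit() and client[2].isdigit():
        rip, rport, lport = client
        return f"not (tcp port {rport} and {host_clause(rip)} and tcp port {lport})"

    # REMOTEHOST: <remote name>; a value with whitespace is ignored as malformed
    remote = env.get("REMOTEHOST", "")
    if remote and not any(c.isspace() for c in remote):
        return f"not {host_clause(remote)}"

    # DISPLAY: [remote name]:<display num>; an empty name means a local display
    display = env.get("DISPLAY", "")
    name = display.rsplit(":", 1)[0] if ":" in display else ""
    if name and name not in ("unix", "localhost"):
        return f"not {host_clause(name)}"
    return ""


if __name__ == "__main__":
    # Constructed sample value (documentation address ranges), not a real session
    sample = {"SSH_CONNECTION": "198.51.100.7 50514 192.0.2.10 22"}
    print(remote_session_filter(sample))
```

The returned string can be used as a capture filter, for example with the `-f` option of tshark.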
4.13. While a Capture is running ...
While a capture is running, the following dialog box is shown:
Figure 4.12. The "Capture Info" dialog box
This dialog box will inform you about the number of captured packets and the time since the capture was
started. The selection of which protocols are counted cannot be changed.