Invest in yourself, Learn Today and Lead Tomorrow! Special Learner Discount - Get 20% OFF Use Coupon: LEARN20 Now!
+011 4734 4723info@vskills.in

Capture Filters

Capture filters are a powerful feature in Wireshark that allow you to specify exactly which network traffic should be captured and stored. Unlike display filters, which are applied to data after it has been captured, capture filters operate at the level of the packet capture engine, preventing unwanted traffic from even being recorded. Using effective capture filters is crucial for optimizing performance, conserving disk space, and focusing your analysis on the relevant data.

Syntax and Structure

Capture filters are based on a Berkeley Packet Filter (BPF) syntax. While the full BPF syntax can be quite complex, Wireshark provides a user-friendly way to create common filters using keywords and operators. Here are some fundamental concepts:

  • Primitives: These are basic expressions that specify a particular attribute of a packet. Common primitives include:
    • host <hostname> or <ip>: Matches traffic to or from the specified host.
    • net <network> or <ip>/<mask>: Matches traffic within the specified network.
    • port <port>: Matches traffic using the specified TCP or UDP port.
    • src <hostname> or <ip>: Matches traffic originating from the specified host.
    • dst <hostname> or <ip>: Matches traffic destined for the specified host.
    • src port <port>: Matches traffic originating from the specified port.
    • dst port <port>: Matches traffic destined for the specified port.
    • proto <protocol>: Matches traffic of the specified protocol (e.g., tcp, udp, icmp, arp).
    • ether src <mac>: Matches traffic originating from the specified MAC address.
    • ether dst <mac>: Matches traffic destined for the specified MAC address.
    • vlan <vlan_id>: Matches traffic belonging to the specified VLAN.
  • Operators: These combine primitives to create more complex filters:
    • and or &&: Both conditions must be true.
    • or or ||: At least one of the conditions must be true.
    • not or !: Negates the following condition.
  • Parentheses: Used to group expressions and control the order of evaluation.

Common Capture Filter Examples

  • Capture traffic to or from a specific IP address: host 192.168.1.100
  • Capture traffic within a specific network range: net 192.168.1.0/24
  • Capture traffic on a specific TCP port (e.g., HTTP on port 80): tcp port 80
  • Capture traffic on a specific UDP port (e.g., DNS on port 53): udp port 53
  • Capture ICMP traffic (used by ping): icmp
  • Capture traffic between two specific hosts: host 192.168.1.10 and host 10.0.0.5
  • Capture HTTP or HTTPS traffic: tcp port 80 or tcp port 443
  • Capture all traffic except to a specific host: not host 192.168.1.1
  • Capture traffic from a specific MAC address: ether src 00:11:22:
Pulkit Dheer
Capture Options
Display Filters

Get industry recognized certification – Contact us

keyboard_arrow_up
Open chat
Need help?
Powered by Joinchat
Hello 👋
Can we help you?