Wireshark: Display filter vs Capture filter
In a perfect world, there would be no need to monitor network traffic looking for interlopers. Since we don’t live in a perfect world, I wanted to demonstrate a little piece of the freely downloadable network packet sniffer called Wireshark. When running a full-bore packet capture session, you may find that data are accumulating quite rapidly and likely you are obtaining much more than you want to look at. In cases like this, filtering is a must. Today I will discuss two ways to filter in Wireshark: display filter and capture filter.
Don’t get me wrong – Wireshark is well documented. I just want to show the difference in a more visual way, ‘cause some people learn better that way! For my screenshots, I will be using what is (at the time of this writing) the latest version, which is 1.12.3. Let us begin.
The first type of filter we will discuss is the capture filter. This type of filter controls what traffic is captured in the first place, and disregards all non-matching traffic. It is easily accessed by clicking the icon at the top left of the main window, shown in figure 1:
Once you click that, you will see (with some of the window omitted) what is shown in figure 2:
If you already know your filter expression, you can just type it in the area noted by the red box. Or you can select the Capture Filter button and choose from the precompiled list. You can also edit the existing Capture Filter choices when clicking that button. The selection and editing dialogs are shown in figure 3:
As an example, I have created a filter called My machine. It watches for traffic containing the IP address of the machine on which I created this blog, which is 10.1.10.129. Let's see what happens when I apply this filter and then ping 18.104.22.168:
As you can see, my capture ONLY includes traffic from or to the specified IP address. Then I don’t have to look at all the other traffic happening on the machine I am using to run Wireshark. Depending on the network, this could be a substantial amount of traffic!
The other type of filter I will discuss is the display filter. This controls what is seen from an EXISTING packet capture, but does not influence WHAT traffic is actually captured. It is accessed as shown in figure 5:
In the filter box, you can just type what you want to filter, or, if you don’t know it by heart, click the Expression button and select from the existing list of available filters. Figure 6 shows, for example, some of the IPv4 display filters:
Let’s choose a source address of my host machine again. I already have a capture running. Let’s see what it looks like before applying the filter:
Notice I have traffic from all sorts of source IP addresses. Now to apply the filter:
This is a very cool way to reduce the amount of information that must be perused for a network administrator to narrow down the cause of an issue or the location of an intruder. Let the machine filter what you don’t want and closely examine the rest. As I mentioned previously, Wireshark is well-documented. I hope that visual screenshots have assisted the visual learners out there!
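To make the difference between the two filter types concrete without a GUI, here is a small added example (my own code, not part of the original post or of Wireshark). It simulates a capture session over a handful of constructed packets: a capture filter in BPF syntax (`host 10.1.10.129`, the post's "My machine" filter) decides what gets stored at all, while a display filter in Wireshark's field syntax (`ip.addr == 10.1.10.129`, `ip.src == ...`) only decides what is shown from a trace that already exists. The two filter parsers support just a few keywords each and are assumptions for this demo; the equivalent tshark flags `-f` (capture filter) and `-Y` (display filter) are real, and `eth0`/`trace.pcap` are placeholders.

```python
"""Added example: capture filter (BPF, applied while capturing) versus
display filter (Wireshark field syntax, applied to an existing trace).

Equivalent command-line forms (real tshark flags, placeholder names):
    tshark -i eth0 -f "host 10.1.10.129"             # capture filter, BPF syntax
    tshark -r trace.pcap -Y "ip.src == 10.1.10.129"  # display filter, Wireshark syntax
The two syntaxes are not interchangeable: "ip.src == x" is not valid BPF and
"src host x" is not a valid display filter.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "icmp", "tcp" or "udp"


# Constructed sample traffic: the post's host 10.1.10.129 pinging 18.104.22.168,
# plus unrelated traffic between other hosts on the same segment.
SAMPLE_TRAFFIC = [
    Packet("10.1.10.129", "18.104.22.168", "icmp"),
    Packet("18.104.22.168", "10.1.10.129", "icmp"),
    Packet("10.1.10.50", "10.1.10.1", "udp"),
    Packet("10.1.10.77", "10.1.10.129", "tcp"),
    Packet("10.1.10.50", "10.1.10.77", "tcp"),
]


def bpf_match(expr, pkt):
    """Toy BPF-style capture filter: terms joined by ' and '.
    Supported terms: 'host A', 'src host A', 'dst host A', 'icmp'/'tcp'/'udp'."""
    for term in expr.split(" and "):
        words = term.split()
        if len(words) == 2 and words[0] == "host":
            ok = words[1] in (pkt.src, pkt.dst)
        elif len(words) == 3 and words[1] == "host" and words[0] in ("src", "dst"):
            ok = getattr(pkt, words[0]) == words[2]
        elif len(words) == 1 and words[0] in ("icmp", "tcp", "udp"):
            ok = pkt.proto == words[0]
        else:
            raise ValueError(f"unsupported capture-filter term: {term!r}")
        if not ok:
            return False
    return True


def display_match(expr, pkt):
    """Toy Wireshark-style display filter: clauses joined by '&&'.
    Supported: 'ip.src == A', 'ip.dst == A' (also '!='), 'ip.addr == A'
    (either side), and a bare protocol name such as 'icmp'."""
    for clause in expr.split("&&"):
        parts = clause.split()
        if len(parts) == 1 and parts[0] in ("icmp", "tcp", "udp"):
            ok = pkt.proto == parts[0]
        elif len(parts) == 3 and parts[1] in ("==", "!="):
            field, op, value = parts
            if field == "ip.addr" and op == "==":
                ok = value in (pkt.src, pkt.dst)
            elif field in ("ip.src", "ip.dst"):
                hit = getattr(pkt, field[3:]) == value
                ok = hit if op == "==" else not hit
            else:
                # 'ip.addr != A' is deliberately unsupported: in real Wireshark it
                # means "src != A or dst != A" and matches almost every packet;
                # use '!(ip.addr == A)' instead.
                raise ValueError(f"unsupported display-filter clause: {clause!r}")
        else:
            raise ValueError(f"unsupported display-filter clause: {clause!r}")
        if not ok:
            return False
    return True


def capture(traffic, capture_filter=None):
    """Simulated capture session: packets failing the capture filter are
    dropped as they arrive and never reach the saved trace."""
    return [p for p in traffic if capture_filter is None or bpf_match(capture_filter, p)]


def display(trace, display_filter=None):
    """Apply a display filter to an existing trace; the trace itself is unchanged."""
    return [p for p in trace if display_filter is None or display_match(display_filter, p)]


def compare_filters():
    """Counts that show the practical difference between the two filter types."""
    narrow_trace = capture(SAMPLE_TRAFFIC, "host 10.1.10.129")      # capture filter
    full_trace = capture(SAMPLE_TRAFFIC)                             # no capture filter
    same_view = display(full_trace, "ip.addr == 10.1.10.129")        # display filter
    return {
        "stored_with_capture_filter": len(narrow_trace),
        "stored_without_capture_filter": len(full_trace),
        "displayed_with_host_filter": len(same_view),
        # A new question asked later: the full trace can answer it, the narrowed one cannot.
        "other_host_from_full_trace": len(display(full_trace, "ip.src == 10.1.10.50")),
        "other_host_from_narrow_trace": len(display(narrow_trace, "ip.src == 10.1.10.50")),
    }


if __name__ == "__main__":
    for name, count in compare_filters().items():
        print(f"{name}: {count}")
```

Both approaches show the same three packets for the host of interest, but only the unfiltered capture can still answer a question you did not think to ask at capture time; that is the trade-off between saving disk and CPU with a capture filter and keeping the evidence a display filter can later sift through.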
If you have any comments or questions, please feel free to post them….
Until next time.