Wireshark: Display filter vs Capture filter

By Mark Jacob, June 30, 2015

In a perfect world, there would be no need to monitor network traffic looking for interlopers. Since we don’t live in a perfect world, I wanted to demonstrate a little piece of the freely downloadable network packet sniffer called Wireshark. When running a full-bore packet capture session, you may find that data are accumulating quite rapidly and likely you are obtaining much more than you want to look at. In cases like this, filtering is a must. Today I will discuss two ways to filter in Wireshark: display filter and capture filter.

Don’t get me wrong – Wireshark is well documented. I just want to show the difference in a more visual way, ‘cause some people learn better that way! For my screenshots, I will be using what is (at the time of this writing) the latest version, which is 1.12.3. Let us begin.

The first type of filter we will discuss is the capture filter. This type of filter controls what traffic is captured and disregards all non-matching traffic. It is easily accessed by clicking the icon at the top left of the main window, shown in figure 1:

Figure 1 (screenshot)

Once you click that, you will see (with some of the window omitted) what is shown in figure 2:

Figure 2 (screenshot)

If you already know your filter, you can just type it in the area marked by the red box. Or you can click the Capture Filter button and choose from the precompiled list. You can also edit the existing capture filter choices after clicking that button. The selection and editing dialog is shown in figure 3:

Figure 3 (screenshot: default profile)

As an example, I have created a filter called My machine. It watches for traffic containing the IP address of the machine on which I created this blog, which is 10.1.10.129. Let's see what happens when I apply this filter and then ping 8.8.8.8:

Figure 4 (screenshot: filter by machine)

As you can see, my capture ONLY includes traffic from or to the specified IP address. Then I don’t have to look at all the other traffic happening on the machine I am using to run Wireshark. Depending on the network, this could be a substantial amount of traffic!

The other type of filter I will discuss is the display filter. This controls what is seen from an EXISTING packet capture, but does not influence WHAT traffic is actually captured. It is accessed as shown in figure 5:

Figure 5 (screenshot)

In the filter box, you can just type what you want to filter, or, if you don’t know it by heart, click the Expression button and select from the existing list of available filters. Figure 6 shows, for example, some of the IPv4 display filters:

Figure 6 (screenshot: IPv4 display filters)

Let's choose the source address of my host machine again. I already have a capture running; let's see what it looks like before applying the filter:

Figure 7 (screenshot: before filter)

Notice I have traffic from all sorts of source IP addresses. Now to apply the filter:

Figure 8 (screenshot: filter applied)
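To make the difference concrete, here is an added example (my own Python, not code from the post or from Wireshark) that simulates both stages on constructed frames: a capture filter applied while the pcap is being written, so non-matching frames are never stored, and a display filter applied while reading a full capture back, so nothing is lost and the view can be changed at will. The addresses 10.1.10.129 and 8.8.8.8 are the post's own; 10.1.10.50 and 10.1.10.1 are made up. Keep in mind that in Wireshark itself the two filter types use different syntaxes: capture filters take the BPF/libpcap form (host 10.1.10.129), display filters take Wireshark's field form (ip.src == 10.1.10.129).

```python
import ipaddress
import struct

MY_HOST = "10.1.10.129"   # the post's own machine; 10.1.10.50 / 10.1.10.1 are made up

def frame(src: str, dst: str) -> bytes:
    """Constructed Ethernet + IPv4 + ICMP echo frame (checksums left 0, demo only)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + b"\x08" + b"\x00" * 7                # ICMP type 8 (echo request)

def addrs(f: bytes) -> tuple:
    """Source and destination IPv4 of a frame (14-byte Ethernet header, 20-byte IP header)."""
    return str(ipaddress.IPv4Address(f[26:30])), str(ipaddress.IPv4Address(f[30:34]))

def write_pcap(frames, capture_filter=None) -> bytes:
    """Write pcap bytes. With a capture filter, non-matching frames are dropped before
    they are stored, which is what Wireshark's capture filter does: they are gone."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, Ethernet
    for i, f in enumerate(frames):
        if capture_filter is None or capture_filter(*addrs(f)):
            out += struct.pack("<IIII", i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, caplen, len
    return out

def read_pcap(data: bytes):
    """Yield the stored frames back out of pcap bytes."""
    pos = 24
    while pos < len(data):
        caplen = struct.unpack("<I", data[pos + 8:pos + 12])[0]
        yield data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen

def display(data: bytes, display_filter) -> list:
    """Apply a display filter to an EXISTING capture; the file itself is untouched."""
    return [addrs(f) for f in read_pcap(data) if display_filter(*addrs(f))]

# Constructed traffic: my ping to 8.8.8.8 and its reply, plus chatter between other hosts.
TRAFFIC = [frame(MY_HOST, "8.8.8.8"), frame("8.8.8.8", MY_HOST),
           frame("10.1.10.50", "10.1.10.1"), frame("10.1.10.1", "10.1.10.50")]
host_filter = lambda s, d: MY_HOST in (s, d)   # capture filter: host 10.1.10.129
src_filter = lambda s, d: s == MY_HOST          # display filter: ip.src == 10.1.10.129

def demo() -> tuple:
    """(frames stored under the capture filter, rows shown by ip.src, rows shown by host)."""
    filtered = write_pcap(TRAFFIC, host_filter)   # the other two frames were never recorded
    full = write_pcap(TRAFFIC)                    # everything recorded, filter in the view
    return (len(list(read_pcap(filtered))), len(display(full, src_filter)),
            len(display(full, host_filter)))     # -> (2, 1, 2)
```

The bytes from write_pcap are a valid pcap file that Wireshark will open. The same split exists on the command line: tshark -f 'host 10.1.10.129' sets a capture filter, while tshark -r file.pcap -Y 'ip.src == 10.1.10.129' applies a display filter to an existing file.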

This is a very cool way to reduce the amount of information a network administrator must peruse to narrow down the cause of an issue or the location of an intruder. Let the machine filter out what you don't want and closely examine the rest. As I mentioned previously, Wireshark is well documented. I hope these screenshots have assisted the visual learners out there!

If you have any comments or questions, please feel free to post them.

Until next time.

Mark Jacob
Cisco and CompTIA Network + Instructor – Interface Technical Training
Phoenix, AZ
