Wireshark: Display filter vs Capture filter
In a perfect world, there would be no need to monitor network traffic looking for interlopers. Since we don’t live in a perfect world, I wanted to demonstrate a little piece of the freely downloadable network packet sniffer called Wireshark. When running a full-bore packet capture session, you may find that data are accumulating quite rapidly and likely you are obtaining much more than you want to look at. In cases like this, filtering is a must. Today I will discuss two ways to filter in Wireshark: display filter and capture filter.
Don’t get me wrong – Wireshark is well documented. I just want to show the difference in a more visual way, ‘cause some people learn better that way! For my screenshots, I will be using what is (at the time of this writing) the latest version, which is 1.12.3. Let us begin.
The first type of filter we will discuss is the capture filter. This type of filter controls which traffic is captured at all, and disregards all non-matching traffic. It is easily accessed by clicking the icon at the top left of the main window, as shown in figure 1:
Once you click that, you will see (with some of the window omitted) what is shown in figure 2:
If you already know your filter expression, you can just type it in the area marked by the red box. Or you can click the Capture Filter button and choose from the predefined list. You can also edit the existing Capture Filter entries after clicking that button. The selection and editing dialog is shown in figure 3:
As an example, I have created a filter called "My machine". It watches for traffic containing the IP address of the machine on which I created this blog, which is 10.1.10.129. Let's see what happens when I apply this filter and then ping 184.108.40.206:
As you can see, my capture ONLY includes traffic from or to the specified IP address. Then I don’t have to look at all the other traffic happening on the machine I am using to run Wireshark. Depending on the network, this could be a substantial amount of traffic!
The other type of filter I will discuss is the display filter. This controls what is shown from an EXISTING packet capture, but does not influence WHAT traffic is actually captured. It is accessed as shown in figure 5:
In the filter box, you can just type what you want to filter, or, if you don’t know it by heart, click the Expression button and select from the existing list of available filters. Figure 6 shows, for example, some of the IPv4 display filters:
Let's choose a source address of my host machine again. I already have a capture running. Let's see what it looks like before applying the filter:
Notice I have traffic from all sorts of source IP addresses. Now to apply the filter:
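To make the difference between the two stages concrete, here is an added example (not from the original post, and not Wireshark's own code) that models the two filter stages on a handful of constructed packets. The capture filter is applied while packets arrive and decides what gets stored, using the pcap syntax Wireshark's capture filters use (`host 10.1.10.129`); the display filter is applied afterwards to whatever was stored, using Wireshark's display-filter syntax (`ip.src == 10.1.10.129`). Both evaluators only implement the small subset of each syntax that the post uses; the packet list and its addresses are constructed for the example, reusing the post's 10.1.10.129 and 184.108.40.206.

```python
"""Added example: capture filter (pre-storage) vs display filter (post-storage).

Only a tiny subset of each filter language is implemented, enough to show
the ordering: a capture filter decides what is written to the capture, a
display filter decides what is shown from the capture that already exists.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    proto: str  # protocol label, for readability only


# Constructed sample traffic: the blog host 10.1.10.129 pinging 184.108.40.206,
# a DNS lookup, an inbound TCP packet, and unrelated LAN background traffic.
SAMPLE_TRAFFIC: List[Packet] = [
    Packet("10.1.10.129", "184.108.40.206", "icmp"),
    Packet("184.108.40.206", "10.1.10.129", "icmp"),
    Packet("10.1.10.129", "10.1.10.1", "dns"),
    Packet("10.1.10.77", "10.1.10.129", "tcp"),
    Packet("10.1.10.5", "10.1.10.255", "udp"),
    Packet("10.1.10.44", "10.1.10.1", "dns"),
]

Predicate = Callable[[Packet], bool]


def compile_capture_filter(expr: str) -> Predicate:
    """Compile a pcap-style capture filter: 'host A', 'src host A' or 'dst host A'."""
    tokens = expr.split()
    if len(tokens) == 2 and tokens[0] == "host":
        addr = tokens[1]
        return lambda p: addr in (p.src, p.dst)
    if len(tokens) == 3 and tokens[0] in ("src", "dst") and tokens[1] == "host":
        direction, addr = tokens[0], tokens[2]
        return lambda p: getattr(p, direction) == addr
    raise ValueError(f"unsupported capture filter: {expr!r}")


def compile_display_filter(expr: str) -> Predicate:
    """Compile a Wireshark-style display filter: 'ip.addr == A', 'ip.src == A' or 'ip.dst == A'."""
    tokens = expr.split()
    if len(tokens) != 3 or tokens[1] != "==":
        raise ValueError(f"unsupported display filter: {expr!r}")
    field, addr = tokens[0], tokens[2]
    if field == "ip.addr":
        return lambda p: addr in (p.src, p.dst)
    if field == "ip.src":
        return lambda p: p.src == addr
    if field == "ip.dst":
        return lambda p: p.dst == addr
    raise ValueError(f"unsupported display filter field: {field!r}")


def capture(traffic: List[Packet], capture_filter: Optional[str] = None) -> List[Packet]:
    """Stage 1: packets failing the capture filter are dropped before they are stored."""
    keep = compile_capture_filter(capture_filter) if capture_filter else (lambda p: True)
    return [p for p in traffic if keep(p)]


def display(stored: List[Packet], display_filter: Optional[str] = None) -> List[Packet]:
    """Stage 2: a display filter narrows the view of a stored capture; it never changes the capture."""
    show = compile_display_filter(display_filter) if display_filter else (lambda p: True)
    return [p for p in stored if show(p)]


if __name__ == "__main__":
    full = capture(SAMPLE_TRAFFIC)                         # no capture filter
    mine = capture(SAMPLE_TRAFFIC, "host 10.1.10.129")     # the post's "My machine" filter
    print(f"full capture: {len(full)} packets, filtered capture: {len(mine)} packets")
    print("from my host:", display(full, "ip.src == 10.1.10.129"))
    # The display filter cannot bring back what the capture filter dropped:
    print("10.1.10.5 in filtered capture:", display(mine, "ip.addr == 10.1.10.5"))
```

The last line is the practical caveat: a capture filter discards packets permanently, so a display filter applied later to that capture can never show them. Using tshark, the same two stages are `tshark -i <interface> -f "host 10.1.10.129"` (capture filter, `-f`) and `tshark -r <file.pcap> -Y "ip.src == 10.1.10.129"` (display filter, `-Y`). When hunting an intruder whose address you do not yet know, a broad capture with a narrow display filter is the safer choice; a capture filter is better once you know exactly which hosts matter and need to keep the capture size down.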
This is a very cool way to reduce the amount of information a network administrator must sift through to narrow down the cause of an issue or the location of an intruder. Let the machine filter out what you don't want and closely examine the rest. As I mentioned previously, Wireshark is well-documented. I hope these screenshots have assisted the visual learners out there!
If you have any comments or questions, please feel free to post them….
Until next time.