Wireshark capture filter

Wireshark has two kinds of filter: a capture filter and a display filter. The capture filter is applied while packets are being captured: packets that do not match the filter expression are discarded, and only matching packets are kept. The display filter is applied to packets that have already been captured and shows only those that match the expression.

Because a display filter only hides packets, the complete capture is still available for later traffic analysis. A capture filter permanently drops the packets it rejects, so later analysis is limited to what was kept.

1. The capture filter

Wireshark captures packets through the libpcap library (WinPcap on Windows), and capture filters use that library's filter syntax.

After opening the program, enter the filter expression directly in the capture filter field. The following uses Wireshark 2.6 as an example.


Capture --> Options

[Image: Wireshark_capture_filter_example_0.png]

[Image: Wireshark_capture_filter_example_1.png]

Capture filters use the BPF syntax (Berkeley Packet Filter), which has four elements:

  • Type
    • host, net, port
  • Direction (dir)
    • src, dst
  • Protocol (proto)
    • ether, ip, tcp, udp, http, ftp (note that libpcap has no http or ftp keyword; in a capture filter these are written as port 80 and port 21)
  • Logical operators
    • && (and)
    • || (or)
    • ! (not)

Example:

The source address is 192.168.1.1 and the destination port is 80.


src host 192.168.1.1 && dst port 80

Capture traffic from 192.168.1.1 and 192.168.1.2:


host 192.168.1.1 || host 192.168.1.2

Do not capture broadcast packets:


! broadcast

Filter mac address:


ether host 00:88:ca:86:f8:0d
ether src host 00:88:ca:86:f8:0d
ether dst host 00:88:ca:86:f8:0d

Filter IP address:


host 192.168.1.1
src host 192.168.1.1
dst host 192.168.1.1

Filter port:


port 80
!port 80
dst port 80
src port 80

Filter protocol:


arp
icmp

Combining conditions with logical operators:


host 192.168.1.1 && port 8080

2. The display filter

To use a display filter, first capture packets with Wireshark, then enter the filter expression in the display filter bar:

[Image: Wireshark_capture_filter_example_2.png]

Comparison operators:

  • == equal to
  • != not equal to
  • > greater than
  • < less than
  • >= greater than or equal to
  • <= less than or equal to

Logical operators:

  • and: both conditions are met
  • or: at least one of the conditions is met
  • xor: exactly one of the conditions is met
  • not: the condition is not met

IP address:

  • ip.addr: source or destination IP address
  • ip.src: source IP address
  • ip.dst: destination IP address

Port filtering:

  • tcp.port: source or destination TCP port
  • tcp.srcport: source TCP port
  • tcp.dstport: destination TCP port
  • tcp.flags.syn: matches TCP segments with the SYN flag set (connection requests)
  • tcp.flags.ack: matches TCP segments with the ACK flag set (acknowledgements)

Protocol filtering:

arp, ip, icmp, udp, tcp, bootp, dns, etc.

Example:

Filter IP address:


ip.addr == 192.168.1.1   packets with this IP as source or destination
ip.src == 172.16.1.1     packets with this source IP

Filter port:


tcp.port == 80 
tcp.flags.syn == 1 

Combining conditions with logical operators:


ip.src == 192.168.1.1 and ip.dst == 172.16.1.1
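The following Python program is an added example, not code from the page or from Wireshark; it models both filter types over a constructed five-packet capture so that the capture filters from section 1 and the display filters from section 2 can be tried side by side without a network interface. The packet dicts, the field names (chosen to mirror Wireshark's display-filter field names) and the small subset of syntax it accepts (host/port/broadcast/protocol primitives with && || ! for capture filters; field comparisons with and/or/xor/not for display filters) are all assumptions of the example. It also carries the two checks a practitioner wants here: capture_then_display shows that a packet dropped by a capture filter can never be recovered by a display filter, and display_filter implements the "all not equal" reading of != on combined fields such as ip.addr.

```python
import operator
import re

# Constructed sample capture (not real traffic); "proto" is the top protocol layer of each packet.
PACKETS = [
    {"no": 1, "proto": "arp", "eth.src": "00:88:ca:86:f8:0d", "eth.dst": "ff:ff:ff:ff:ff:ff"},
    {"no": 2, "proto": "tcp", "eth.src": "00:88:ca:86:f8:0d", "ip.src": "192.168.1.1",
     "ip.dst": "172.16.1.1", "tcp.srcport": 51000, "tcp.dstport": 80, "tcp.flags.syn": 1, "tcp.flags.ack": 0},
    {"no": 3, "proto": "tcp", "eth.src": "00:11:22:33:44:55", "ip.src": "172.16.1.1",
     "ip.dst": "192.168.1.1", "tcp.srcport": 80, "tcp.dstport": 51000, "tcp.flags.syn": 1, "tcp.flags.ack": 1},
    {"no": 4, "proto": "udp", "eth.src": "00:aa:bb:cc:dd:ee", "ip.src": "192.168.1.2",
     "ip.dst": "172.16.1.1", "udp.srcport": 40000, "udp.dstport": 53},
    {"no": 5, "proto": "icmp", "eth.src": "00:88:ca:86:f8:0d", "ip.src": "192.168.1.1", "ip.dst": "172.16.1.2"},
]

TOKEN = re.compile(r"&&|\|\||==|!=|>=|<=|[<>!()]|[^\s()!<>=]+")
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
       ">=": operator.ge, "<=": operator.le}
# Wireshark's combined fields stand for several real fields at once.
COMBINED = {"ip.addr": ("ip.src", "ip.dst"), "eth.addr": ("eth.src", "eth.dst"),
            "tcp.port": ("tcp.srcport", "tcp.dstport"), "udp.port": ("udp.srcport", "udp.dstport")}
PROTOS = {"ip", "arp", "icmp", "tcp", "udp"}

def has_proto(pkt, name):
    return "ip.src" in pkt if name == "ip" else pkt["proto"] == name

def capture_atom(toks, i):
    """BPF primitives: [ether] [src|dst] host X, [src|dst] port N, broadcast, protocol names."""
    link = toks[i] == "ether"
    i += 1 if link else 0
    direction = toks[i] if toks[i] in ("src", "dst") else None
    i += 1 if direction else 0
    kw, i = toks[i], i + 1
    if kw == "broadcast":
        return (lambda p: p.get("eth.dst") == "ff:ff:ff:ff:ff:ff"), i
    if kw in PROTOS:
        return (lambda p: has_proto(p, kw)), i
    if kw == "host":
        value, fields = toks[i], (("eth.src", "eth.dst") if link else ("ip.src", "ip.dst"))
    elif kw == "port":  # "%s" is replaced by the packet's transport protocol (tcp/udp)
        value, fields = int(toks[i]), ("%s.srcport", "%s.dstport")
    else:
        raise ValueError("unsupported capture primitive: " + kw)
    wanted = {"src": fields[:1], "dst": fields[1:]}.get(direction, fields)
    return (lambda p: any(p.get(f % p["proto"] if "%" in f else f) == value for f in wanted)), i + 1

def display_atom(toks, i):
    """Display-filter terms: 'field op value', or a bare protocol name meaning 'protocol present'."""
    name, i = toks[i], i + 1
    if i >= len(toks) or toks[i] not in OPS:
        return (lambda p: has_proto(p, name)), i
    op, raw = OPS[toks[i]], toks[i + 1]
    value = int(raw) if raw.isdigit() else raw
    fields = COMBINED.get(name, (name,))
    if op is operator.ne:
        # "all not equal": the field must be present and no occurrence of it may equal the value
        return (lambda p: bool([f for f in fields if f in p])
                and all(p[f] != value for f in fields if f in p)), i + 2
    return (lambda p: any(f in p and op(p[f], value) for f in fields)), i + 2

def parse(expr, atom):
    """Recursive-descent parser shared by both syntaxes; precedence: not > and > xor > or."""
    toks = TOKEN.findall(expr)
    levels = [(("||", "or"), lambda a, b: a or b), (("xor",), lambda a, b: a != b),
              (("&&", "and"), lambda a, b: a and b)]

    def binary(level, i):
        if level == len(levels):
            return unary(i)
        words, combine = levels[level]
        left, i = binary(level + 1, i)
        while i < len(toks) and toks[i] in words:
            right, i = binary(level + 1, i + 1)
            left = lambda p, a=left, b=right, c=combine: c(a(p), b(p))
        return left, i

    def unary(i):
        if toks[i] in ("!", "not"):
            inner, i = unary(i + 1)
            return (lambda p, a=inner: not a(p)), i
        if toks[i] == "(":
            inner, i = binary(0, i + 1)
            if i >= len(toks) or toks[i] != ")":
                raise ValueError("missing ')' in: " + expr)
            return inner, i + 1
        return atom(toks, i)

    pred, i = binary(0, 0)
    if i != len(toks):
        raise ValueError("unexpected tokens: " + " ".join(toks[i:]))
    return pred

def capture_filter(expr, packets=PACKETS):  # numbers of the packets a capture filter keeps
    pred = parse(expr, capture_atom)
    return [p["no"] for p in packets if pred(p)]

def display_filter(expr, packets=PACKETS):  # numbers of the packets a display filter shows
    pred = parse(expr, display_atom)
    return [p["no"] for p in packets if pred(p)]

def capture_then_display(capture_expr, display_expr):  # what a capture filter drops is gone for good
    pred = parse(capture_expr, capture_atom)
    return display_filter(display_expr, [p for p in PACKETS if pred(p)])
```

With this model, capture_filter("src host 192.168.1.1 && dst port 80") keeps only packet 2, and capture_then_display with that capture filter and the display filter "tcp.flags.ack == 1" returns nothing, while display_filter("tcp.flags.ack == 1") over the full capture finds packet 3: the SYN/ACK was never stored. The != branch is worth reading closely: on combined fields, older Wireshark releases (including 2.6, used on this page) evaluated "ip.addr != 192.168.1.1" as "any occurrence differs", which matches nearly every packet; the unambiguous way to exclude an address in every version is "!(ip.addr == 192.168.1.1)", which here also returns the ARP packet because it has no ip.addr field at all.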