Using Display and Capture Filters

Whether you have analyzed traffic in real time while capturing it, or you have analyzed a pre-captured file, you are generally faced with a huge amount of data. How do you make sense of it all? Most likely, you will benefit from filtering the traffic to narrow the scope. To achieve this, we use filters, so that Wireshark only displays the traffic that you want to see.

This chapter reviews the many ways Wireshark can filter traffic. To help you learn the different ways to refine your view, we'll cover when to filter traffic and outline the difference between display and capture filters. So that you can refine your skills when filtering traffic, we'll review ways to create more complex filters by using the expression builder. We'll then go through capture filters and how their syntax differs from that of display filters. Finally, because filters are so handy, we'll cover some tricks, shortcuts, and common filters that will help you achieve a more effective analysis.

This chapter will address all of this by covering the following topics:

  • Filtering network traffic
  • Comprehending display filters
  • Creating capture filters
  • Understanding the expression builder
  • Discovering shortcuts and handy filters