While in the course of your daily routine, the network starts to experience a significant slowdown. You check your Intrusion Detection System (IDS) and anti-malware protection, and there is no evidence of intrusion. At that point, you grab a quick capture to determine the source of the slowdown. Wireshark, along with many other packet analysis tools, has the ability to take a large capture, filter on specific traffic, and refine your view to help with analysis. Wireshark has several options to filter traffic:
- Display filters: Applied during an active capture or to a previously captured file to refine which packets are shown
- Capture filters: Applied before capture begins, so that only a certain type of traffic is captured and shown
- Expressions: Build complex filters by combining conditions with logical operators
When filtering traffic, there is a difference between display filters and capture filters. In the next section, let's explore the difference.
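To make the distinction between the two filter types concrete, here is an added example (not code from the original text or from Wireshark itself) that simulates a capture pipeline over constructed packet records: a capture filter decides what is written to the file, a display filter is only a view over what was saved, and expressions combine conditions with logical operators.

```python
# Added example: simulation of capture filters vs. display filters.
# The packet records are constructed sample data, not a real capture.
from collections import Counter

PACKETS = [  # constructed: (src, dst, proto, dst_port, bytes)
    ("10.0.0.5", "10.0.0.1", "tcp", 443, 1400),
    ("10.0.0.7", "10.0.0.1", "udp", 53, 90),
    ("10.0.0.5", "10.0.0.1", "tcp", 443, 1400),
    ("10.0.0.9", "10.0.0.1", "tcp", 80, 500),
    ("10.0.0.7", "10.0.0.2", "udp", 53, 90),
    ("10.0.0.5", "10.0.0.2", "tcp", 443, 1400),
]

def capture_filter(stream, predicate):
    """Capture filter: applied as packets arrive; non-matching packets are
    never written to the capture file and cannot be recovered later."""
    return [pkt for pkt in stream if predicate(pkt)]

def display_filter(capture_file, predicate):
    """Display filter: a view over an already-saved capture; the file is
    untouched, so the filter can be changed or removed at any time."""
    return [pkt for pkt in capture_file if predicate(pkt)]

def top_talker(packets):
    """Return (source, total_bytes) for the host that sent the most bytes."""
    totals = Counter()
    for src, _dst, _proto, _port, size in packets:
        totals[src] += size
    return totals.most_common(1)[0] if totals else None

# Expressions: conditions joined with logical operators, the way Wireshark
# combines "tcp && tcp.port == 443" or "udp || tcp.port == 80".
is_tls = lambda p: p[2] == "tcp" and p[3] == 443
is_dns = lambda p: p[2] == "udp" and p[3] == 53
dns_or_web = lambda p: is_dns(p) or (p[2] == "tcp" and p[3] == 80)

def investigate_slowdown():
    # Case 1: capture everything, then narrow the view with display filters.
    full_capture = capture_filter(PACKETS, lambda p: True)
    # Case 2: a capture filter excluding TLS was used during capture; those
    # packets are gone, so no later display filter can bring them back.
    trimmed_capture = capture_filter(PACKETS, lambda p: not is_tls(p))
    return {
        "full_top_talker": top_talker(full_capture),
        "tls_packets": len(display_filter(full_capture, is_tls)),
        "dns_or_web_packets": len(display_filter(full_capture, dns_or_web)),
        "tls_after_capture_filter": len(display_filter(trimmed_capture, is_tls)),
        "trimmed_top_talker": top_talker(trimmed_capture),
    }
```

Running `investigate_slowdown()` shows the heavy TLS sender only in the full capture; in the capture-filtered file it is invisible, which is why a capture filter applied too early can hide the cause of a slowdown.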