How to do it...

Follow the instructions in the Configuring capture filters recipe and configure filters as follows:

  • To capture packets to port 80 (HTTP), configure dst port 80 or dst port http
  • To capture packets to or from port 5060 (SIP), configure port 5060
  • To capture all TCP packets that start a connection (all packets with syn=1), configure tcp[tcpflags] & tcp-syn != 0
  • To capture the start (syn flag) and end (fin flag) packets of all TCP connections, configure tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
In tcp[tcpflags] & (tcp-syn|tcp-fin) != 0, it is important to note that & is a bitwise AND operation, not a logical AND operation, and | is a bitwise OR: the expression masks the TCP flags byte with the combined syn and fin bits and matches when either of them is set. For example, 010 or 101 equals 111, and not 000.
  • To capture all TCP packets with the rst (reset) flag set to 1, configure tcp[tcpflags] & (tcp-rst) != 0
  • Length filters are configured in the following way:
    • less <length>: Captures only packets with a length less than or equal to the length identifier. This is equivalent to len <= <length>.
    • greater <length>: Captures only packets with a length greater than or equal to the length identifier. This is equivalent to len >= <length>.
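The following is an added example, not part of the recipe and not code from Wireshark or libpcap. It builds a few TCP headers by hand (constructed sample data, client port 40000 and server port 80 are assumed) and evaluates the recipe's tcp[tcpflags] filters against them with the same bitwise arithmetic BPF performs, so you can see which packets each filter would capture and why a SYN/ACK matches `tcp-syn != 0` but an ACK-only packet does not:

```python
# Added example (not from the recipe or from Wireshark/libpcap): evaluates the
# recipe's tcp[tcpflags] capture filters against hand-built TCP headers to show
# what the bitwise & and | in those expressions actually compute.
import struct

# Flag bit values, the same numbers libpcap assigns to tcp-fin, tcp-syn, tcp-rst
# and tcp-ack inside a capture filter.
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10
TCPFLAGS_OFFSET = 13  # tcp[tcpflags] is tcp[13]: the flags byte of the TCP header


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header carrying the given flag bits (constructed data)."""
    data_offset_and_flags = (5 << 12) | flags  # 5 x 32-bit words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       data_offset_and_flags, 65535, 0, 0)


def tcpflags(header):
    """Equivalent of tcp[tcpflags] in a capture filter: the flags byte."""
    return header[TCPFLAGS_OFFSET]


# One predicate per capture filter from the recipe, written with the same
# bitwise arithmetic BPF uses. "& mask != 0" means (flags & mask) != 0.
FILTERS = {
    "tcp[tcpflags] & tcp-syn != 0":           lambda h: (tcpflags(h) & TCP_SYN) != 0,
    "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0": lambda h: (tcpflags(h) & (TCP_SYN | TCP_FIN)) != 0,
    "tcp[tcpflags] & tcp-rst != 0":           lambda h: (tcpflags(h) & TCP_RST) != 0,
    # Added for contrast: == matches a bare SYN only, so a SYN/ACK does not match.
    "tcp[tcpflags] == tcp-syn":               lambda h: tcpflags(h) == TCP_SYN,
}


def matching_filters(header):
    """Return the names of the filters that would capture this header."""
    return [name for name, pred in FILTERS.items() if pred(header)]


def flag_names(flags):
    """Human-readable list of the flag bits set in a flags byte."""
    names = {"FIN": TCP_FIN, "SYN": TCP_SYN, "RST": TCP_RST, "ACK": TCP_ACK}
    return "/".join(n for n, bit in names.items() if flags & bit) or "none"


if __name__ == "__main__":
    # Constructed sample headers: a client on port 40000 talking to a server on port 80.
    samples = [
        ("client SYN",     build_tcp_header(40000, 80, TCP_SYN)),
        ("server SYN/ACK", build_tcp_header(80, 40000, TCP_SYN | TCP_ACK)),
        ("data ACK",       build_tcp_header(40000, 80, TCP_ACK)),
        ("client FIN/ACK", build_tcp_header(40000, 80, TCP_FIN | TCP_ACK)),
        ("server RST/ACK", build_tcp_header(80, 40000, TCP_RST | TCP_ACK)),
    ]
    print(f"syn|fin mask = {TCP_SYN | TCP_FIN:03b} "
          f"(bitwise OR of {TCP_SYN:03b} and {TCP_FIN:03b})")
    for label, hdr in samples:
        print(f"{label:15} flags=0x{tcpflags(hdr):02x} ({flag_names(tcpflags(hdr))})")
        for name in matching_filters(hdr):
            print(f"    matched by: {name}")
```

Running the script lists, for each constructed header, the recipe's filters that match it: the bare SYN matches all three syn-related expressions, the SYN/ACK matches only the `!= 0` forms, the data ACK matches nothing, and the FIN/ACK and RST/ACK each match exactly one mask. That is the practical difference between masking with & and comparing with ==.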

Port range filters can be used for protocols that work on a range of ports rather than specific ones. For example:

  • tcp portrange 2000-2500
  • udp portrange 5000-6000
