We recommend that before configuring a capture filter, you will carefully design what you want to capture, and prepare your filter for this. Don't forget—what doesn't pass the filter, will be lost.
There are some Wireshark predefined filters that you can use, or you can configure it yourself as described in the next recipe.
For configuring capture filters before starting with the capture, go through the following steps:
The Wireshark: Capture Filter window enables you to configure filters according to Berkeley Packet Filter (BPF). After writing a filter string, you can click on the Compile BPF button, and the BPF compiler will check your syntax, and if it's wrong you will get an error message.
In addition to this, when you type a filter string in the capture filter text box, and the filter string is correct, it will become green, and if not, it will become red.
The BPF filter only checks if the syntax is right. It does not check if the condition is correct. For example, if you type the string host
without any parameter, you will get an error and the string will become red, but if you type host 192.168.1.1000
, it will pass and the window will become green.
BPF is a syntax coming from the paper The BSD Packet Filter: A New Architecture for User-level Packet Capture by Steven McCanne and Van Jacobson from the Lawrence Berkeley Laboratory at Berkeley University from December 1992. The document can be seen at: http://www.tcpdump.org/papers/bpf-usenix93.pdf.
Capture filters are made out of a string containing a filtering expression. This expression selects the packets which will be captured and which packets will be ignored. Filter expressions consist of one or more primitives. Primitives usually consist of an identifier (name or number) followed by one or more qualifiers. There are three different kinds of qualifiers:
host
for host name or address, net
for network, port
for TCP/UDP port, and so on.src
indicates source, dst
indicates destination, and so on.ether
for Ethernet, ip
for Internet Protocol, arp
for Address Resolution Protocol, and so on.Identifiers are the actual condition that we test. Identifier can be the address 10.0.0.1, port number 53, or network address 192.168.1 (this is an identifier for network 192.168.1.0/24).
For example, in the filter tcp dst port 135
, we have:
dst
is the dir qualifierport
is the type qualifiertcp
is the Proto qualifierYou can configure different capture filters on different interfaces:
This can be used when you capture traffic on two interfaces of a device, and want to check for different packets on the two sides.
The capture filters are stored in a file named cfilters
under the Wireshark directory. In this file you will find the predefined filters, along with the filters you have configured, and you will be able to copy the file to other computers. The location of this directory will change depending on how Wireshark is installed and on what platform.
tcpdump
program. You can find the reference at http://www.tcpdump.org/tcpdump_man.html.18.117.74.231