1- Filters in Wireshark are of two types:
============================================
Capture Filters: These are the filters that specify which packets are recorded. They are defined before the packet logging/capturing process is run.
Display Filters: These are the filters used to search within the data recorded or captured by Wireshark. They can be used while Wireshark is recording packets.
2- First: Capture Filters:
===========================
The syntax for this type of filter is the same as that used by programs that rely on the libpcap library, such as tcpdump. The filter must be set before starting the capture in Wireshark, and any modification to it requires restarting the capture from the beginning. That is, you cannot modify these filters during the capture, as you can with display filters.
To start filtering this way, click Capture, then Interfaces, and then choose Options for the interface whose captured traffic you want to filter.
Now in the field called Capture Filter, either write the filter you want to use, or press the button of the same name and create a filter with a new name so that you can reuse it in the future. To do this, put the name you want to save the filter under in Filter Name, and put the filter itself in the Filter String field. When you finish, click Ok and then click Start to start the capture process.
Now the syntax for this type of filtering is as follows:
[protocol] [direction] [host(s)] [value] [logical operations] [other expression]
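An added example (not part of the original tutorial): a small Python splitter that maps a capture filter onto the slots of the syntax line above and fills in the libpcap defaults (direction "src or dst", type "host") when a slot is omitted. It covers a simplified subset of the grammar (no parentheses or byte-offset expressions) and does not validate values; the function name, keyword tables and sample filter are constructed for illustration.

```python
PROTOCOLS = {"ether", "ip", "ip6", "arp", "rarp", "tcp", "udp", "icmp"}
DIRECTIONS = {"src", "dst"}
TYPES = {"host", "net", "port", "portrange"}
LOGICAL = {"and", "or", "not"}


def parse_capture_filter(expr):
    """Split a capture filter into logical operators (str) and primitives (dict)."""
    tokens = expr.split()
    items, i = [], 0

    def peek(offset=0):
        return tokens[i + offset] if i + offset < len(tokens) else None

    while i < len(tokens):
        if peek() in LOGICAL:            # [logical operations] slot
            items.append(peek())
            i += 1
            continue
        prim = {"protocol": None, "direction": None, "type": None, "value": None}
        if peek() in PROTOCOLS:          # [protocol] slot (None means any)
            prim["protocol"] = peek()
            i += 1
            if peek() is None or peek() in LOGICAL:
                items.append(prim)       # protocol-only primitive, e.g. "arp"
                continue
        if peek() in DIRECTIONS:         # [direction] slot
            prim["direction"] = peek()
            i += 1
            if peek() in ("and", "or") and peek(1) in DIRECTIONS:
                prim["direction"] += " %s %s" % (peek(), peek(1))
                i += 2                   # combined form "src or dst" / "src and dst"
        else:
            prim["direction"] = "src or dst"   # libpcap default
        if peek() in TYPES:              # [host(s)] slot
            prim["type"] = peek()
            i += 1
        else:
            prim["type"] = "host"        # libpcap default
        if peek() is None or peek() in LOGICAL:
            raise ValueError("missing value after %r" % " ".join(tokens[:i]))
        prim["value"] = peek()           # [value] slot
        i += 1
        items.append(prim)
    return items


SAMPLE = "tcp dst port 443 and not src 10.0.0.5 or arp"  # constructed sample filter
if __name__ == "__main__":
    for item in parse_capture_filter(SAMPLE):
        print(item)
```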
3- Second: Display Filters:
============================
This type of filter is used to search inside the packets that were recorded under the capture filter. The search possibilities available with this type are far greater than what the first type of filter can do. Modifying these filters does not require restarting the capture from the beginning. That is, you can add, delete and modify them during the capture, unlike capture filters.