Capture Filters in Wireshark
Capture filters in Wireshark are a powerful feature that allows you to selectively capture network traffic based on specific criteria. By applying capture filters, you can focus your analysis on the most relevant data, reducing the amount of irrelevant information and improving the efficiency of your network troubleshooting and security monitoring.
Understanding Capture Filters
Capture filters in Wireshark are expressions that define the criteria for capturing network packets. These filters can be based on various parameters, such as:
- Source or destination IP address
- Source or destination port
- Protocol type (e.g., TCP, UDP, ICMP)
- Specific packet content or patterns
By using capture filters, you can narrow down the captured traffic to only the data that is relevant to your analysis, making it easier to identify and investigate network issues or potential security threats.
Applying Capture Filters in Wireshark
To apply a capture filter in Wireshark, follow these steps:
- Launch Wireshark on your Ubuntu 22.04 system.
- In the main Wireshark window, locate the "Filter" bar at the top.
- Click on the filter expression field and enter your desired capture filter.
- Press the "Apply" button to apply the filter and start capturing traffic that matches the specified criteria.
Here's an example of a capture filter that will capture only TCP traffic on port 80 (HTTP). Note that capture filters use BPF syntax, which differs from the display filter syntax (such as tcp.port == 80) applied to packets after they have been captured:
tcp port 80
You can also combine multiple criteria using the logical operators and, or, and not. For instance, to capture only HTTP traffic from a specific IP address:
src host 192.168.1.100 and tcp port 80
Capture Filter Syntax and Examples
Wireshark uses a specific syntax for defining capture filters. The syntax is based on the Berkeley Packet Filter (BPF) language, which is a widely used standard for network packet filtering.
Here are some common capture filter examples and their corresponding syntax:
Filter Description | Capture Filter Syntax
Capture all TCP traffic | tcp
Capture traffic to/from a specific IP address | host 192.168.1.100
Capture traffic on a specific port | tcp port 80
Capture traffic between two IP addresses | host 192.168.1.100 and host 192.168.1.101
Capture non-HTTP traffic | not tcp port 80
Capture ICMP traffic | icmp
Remember, the capture filter syntax is case-sensitive, and you can find more information about the available filter options in the Wireshark documentation.
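As an added example that is not part of the original article, the following Python models what the capture filter primitives in the table above match at the packet level, evaluated over a few constructed IPv4 packets. The helper names (host, src_host, tcp_port, and_, not_) and the sample addresses are assumptions for illustration, not Wireshark APIs:

```python
import ipaddress
import struct

def parse_ipv4(raw):
    """Parse an IPv4 header (no options assumed) plus TCP/UDP ports if present."""
    ihl = (raw[0] & 0x0F) * 4
    pkt = {"proto": raw[9],
           "src": str(ipaddress.IPv4Address(raw[12:16])),
           "dst": str(ipaddress.IPv4Address(raw[16:20])),
           "sport": None, "dport": None}
    if pkt["proto"] in (6, 17):  # TCP or UDP: ports are the first 4 bytes of the L4 header
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
    return pkt

# Each BPF primitive becomes a predicate over a parsed packet. Note that
# "host" and "port" match either direction; "src host" matches only the sender.
def host(ip):     return lambda p: ip in (p["src"], p["dst"])
def src_host(ip): return lambda p: p["src"] == ip
def tcp():        return lambda p: p["proto"] == 6
def icmp():       return lambda p: p["proto"] == 1
def tcp_port(n):  return lambda p: p["proto"] == 6 and n in (p["sport"], p["dport"])
def and_(*preds): return lambda p: all(f(p) for f in preds)
def not_(pred):   return lambda p: not pred(p)

def build_ipv4(src, dst, proto, payload):
    """Constructed test packet: minimal IPv4 header, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def tcp_segment(sport, dport):
    """Constructed 20-byte TCP header with SYN set and no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)

# Constructed sample traffic (addresses are illustrative): HTTP request and reply,
# an SSH connection to a second LAN host, and an ICMP echo request.
PACKETS = [
    build_ipv4("192.168.1.100", "93.184.216.34", 6, tcp_segment(51234, 80)),
    build_ipv4("93.184.216.34", "192.168.1.100", 6, tcp_segment(80, 51234)),
    build_ipv4("192.168.1.100", "192.168.1.101", 6, tcp_segment(40000, 22)),
    build_ipv4("192.168.1.101", "192.168.1.100", 1, b"\x08\x00\xf7\xff\x00\x01\x00\x01"),
]

def apply_filter(pred, packets=PACKETS):
    """Indices of the packets a capture filter with this predicate would keep."""
    return [i for i, raw in enumerate(packets) if pred(parse_ipv4(raw))]

if __name__ == "__main__":
    print("tcp port 80              ->", apply_filter(tcp_port(80)))
    print("src host .100 and tcp port 80 ->", apply_filter(and_(src_host("192.168.1.100"), tcp_port(80))))
    print("not tcp port 80          ->", apply_filter(not_(tcp_port(80))))
```

Running it shows that tcp port 80 keeps both directions of the HTTP exchange, while src host 192.168.1.100 and tcp port 80 keeps only the outgoing request.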