From the course: Wireshark Essential Training

Using display and capture filters - Wireshark Tutorial


- [Instructor] While you're working with Wireshark, you can use capture and display filters. A capture filter is applied prior to capture and will only capture what you filter, nothing else. A display filter is used during an active capture or even on a pre-captured packet. One important thing to know is that they are different. And also, when you're working with display filters, there are shortcuts for those display filters where you can simply right-click, and I'll do that during demonstrations and show you how to easily get and apply a filter. So let's take a look at the interface here. And I want to just show you one important thing, and why they're different: it's because this comes from the capture engine, and the display filter is within Wireshark and the dissectors and the decodes. So if I go up to the display filter, and, well, say, for example, I want to just display ftp traffic. Now, I'll just type ftp, and it does come up with some choices, but if it is just ftp, I'll leave it at that. Now, while I was typing that, I think you noticed something: it's red. Now, what happens in Wireshark is it's trying to help you. If it's red, it means it won't work. Green means it's good, and yellow means go ahead and try it. It might work, it might not work. The other thing is, when I start typing, if I were to type a capital FTP, it won't work. It never has, and it may work at some point, but at this point, a capital letter on the left-hand side won't work. Now I can type ftp and just select that, and I would be able to capture ftp data. But while I'm using it in a display filter, I'll also capture other types of traffic. All right, so I'll take that off, and I want to just show you something down below here. We'll say, for example, if I'm only interested in capturing ftp traffic, nothing else. All right, and let's just type ftp. Hmm, doesn't work. Well, again, that's because they're different. Now, on this little green mark right here, let's just click on here.
I just want to show you that there are some samples in here that you can use in order for you to create a capture filter. Now, if we look at the way it's structured, you can see that there are different protocols, different ports. What I'm going to show you is I'm going to type TCP. Still doesn't like it, so let's type tcp port 21. Now, that's an ftp port. All right, so as you can see, I simply put port 21, which is associated with ftp. And now I'll go to an open ftp site just so we can see what we get when we capture that traffic. And I'll double-click on my Wi-Fi and begin capturing, and I'll select one of the captures. And in here, this is a huge capture filter, and then I'll stop that. All right, and so now you see all I have is ftp traffic. The traffic is no longer coming in, and now we take a look. There's nothing else. So if I need to do some troubleshooting, let's see. I'll go to Statistics and a Flow Graph. There's the ftp traffic, nothing else. All right, now I'm going to close this, continue without saving, and I'm going to take that off, because you really don't want to keep that capture filter on there. It's not going to do us any good, because it will limit anything else I try to capture. Once you have cleared out the capture filter, you might also want to reboot just to get out any remaining filters in your interface so that that doesn't disrupt what you're going to do moving forward.
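The distinction the instructor draws above (a capture filter is evaluated by the capture engine on raw header fields before anything is stored, while a display filter is evaluated by Wireshark's dissectors on packets already captured) is worth seeing in code. The following is an added example, not part of the course and not Wireshark's own code: it models both filter stages over a small constructed packet list. The `dissect_ftp` function is a deliberately simplified stand-in for Wireshark's FTP dissector (it recognises FTP by payload shape rather than by port), and the packet list is made up for the demonstration. On the command line the same two stages correspond to `tshark -i <iface> -f "tcp port 21"` (capture filter, BPF syntax shared with tcpdump) and `tshark -r file.pcap -Y "ftp"` (display filter); the example itself runs offline with no capture tooling.

```python
"""Capture filter vs display filter, modelled on constructed traffic.

Added example (not from the course). The packets below are constructed
sample data, and dissect_ftp is a simplified stand-in for a real
dissector, so the point is the *ordering* of the two filters, not
Wireshark's exact matching rules.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # transport protocol: "tcp" or "udp"
    src_port: int
    dst_port: int
    payload: bytes


# Constructed sample traffic (not a real capture). One FTP session on the
# standard port, one FTP command on a non-standard port, plus HTTP and DNS.
TRAFFIC = [
    Packet("tcp", 51000, 21, b"USER anonymous\r\n"),
    Packet("tcp", 21, 51000, b"331 Please specify the password.\r\n"),
    Packet("tcp", 51002, 2121, b"USER admin\r\n"),
    Packet("tcp", 51004, 80, b"GET / HTTP/1.1\r\n"),
    Packet("udp", 53211, 53, b"\x12\x34\x01\x00"),
]


def capture_filter_tcp_port(port):
    """Capture filter: like the BPF expression 'tcp port <port>', it sees
    only header fields (protocol and ports), never the dissected payload.
    'port' without 'src'/'dst' matches either direction."""
    def match(p):
        return p.proto == "tcp" and port in (p.src_port, p.dst_port)
    return match


FTP_COMMANDS = (b"USER ", b"PASS ", b"RETR ", b"STOR ", b"LIST", b"QUIT")


def dissect_ftp(p):
    """Display filter 'ftp' stand-in: decided by what the payload looks
    like (an FTP command, or a 3-digit reply code followed by a space),
    so FTP on a non-standard port is still recognised."""
    if p.proto != "tcp" or not p.payload.endswith(b"\r\n"):
        return False
    if p.payload.startswith(FTP_COMMANDS):
        return True
    return len(p.payload) >= 4 and p.payload[:3].isdigit() and p.payload[3:4] == b" "


def capture(traffic, capture_filter=None):
    """Stage 1: the capture filter runs before storage. A packet it rejects
    never reaches the capture file, so it cannot be recovered later."""
    return [p for p in traffic if capture_filter is None or capture_filter(p)]


def display(captured, display_filter=None):
    """Stage 2: the display filter only hides rows. Clearing it brings back
    everything that was captured."""
    return [p for p in captured if display_filter is None or display_filter(p)]


def compare(traffic):
    """Run both approaches and report what each leaves you to work with."""
    cf_only = capture(traffic, capture_filter_tcp_port(21))
    everything = capture(traffic)
    return {
        "capture_filter_tcp_port_21": len(cf_only),
        "capture_filter_then_cleared": len(display(cf_only)),
        "display_filter_ftp": len(display(everything, dissect_ftp)),
        "display_filter_then_cleared": len(display(everything)),
        "nonstandard_ftp_lost_by_capture_filter": not any(
            p.dst_port == 2121 for p in cf_only
        ),
    }


if __name__ == "__main__":
    for key, value in compare(TRAFFIC).items():
        print(f"{key}: {value}")
```

Two things the numbers make concrete: the display filter `ftp` finds the FTP command sent to port 2121 that `tcp port 21` silently drops, and clearing a display filter restores the full capture, whereas clearing a capture filter restores nothing, which is why the instructor removes it before moving on.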
