lkakclubs.blogg.se

Wireshark capture filter syntax mac address












If you know that a certain type of traffic does not need to be analyzed, you can simply use a capture filter to filter it out, thereby saving the processor resources that would otherwise be spent capturing those packets. When processing a large amount of data, a capture filter is quite convenient.

The initial interface of the new Wireshark is very simple and mainly provides two features: first set the capture filter, then select the network card responsible for the capture. This shows the importance of the capture filter. For example, if we only want to grab communication on port 80, the filter rule "port 80" can be set.

Capture filters (like tcp port 80) are not to be confused with display filters (like tcp.port == 80). The former are much more limited and are used to reduce the size of a raw packet capture. The latter are used to hide some packets from the packet list.

Capture filters are set before starting a packet capture and cannot be modified during the capture. Display filters, on the other hand, do not have this limitation and you can change them on the fly.

In the main window, the capture filter can be found just above the interfaces list and in the interfaces dialog. The display filter can be changed above the packet list.

Capture only traffic to or from IP address 172.18.5.4: host 172.18.5.4

Capture traffic to or from a range of IP addresses: net 192.168.0.0/24

Capture traffic from a range of IP addresses: src net 192.168.0.0/24
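The capture filters quoted above, modelled over a handful of constructed packets to show which ones each filter keeps. This is an added example, not code from the original page or from Wireshark; the matches() and capture() helpers and the packet tuples are hypothetical, and the ether host / ether src forms are the pcap-filter primitives for MAC addresses, which the page's title refers to but its text does not show.

```python
import ipaddress

# Constructed sample packets (not a real capture):
# (src MAC, dst MAC, src IP, dst IP, src port, dst port)
PACKETS = [
    ("00:11:22:33:44:55", "66:77:88:99:aa:bb", "172.18.5.4", "192.168.0.10", 51000, 80),
    ("66:77:88:99:aa:bb", "00:11:22:33:44:55", "192.168.0.10", "172.18.5.4", 80, 51000),
    ("66:77:88:99:aa:bb", "de:ad:be:ef:00:01", "192.168.0.10", "10.0.0.7", 53124, 443),
    ("de:ad:be:ef:00:01", "66:77:88:99:aa:bb", "10.0.0.7", "192.168.0.10", 443, 53124),
    ("de:ad:be:ef:00:01", "00:11:22:33:44:55", "10.0.0.7", "172.18.5.4", 40000, 22),
]

def matches(pkt, expr):
    """Evaluate one primitive: 'ether host|src|dst MAC' or '[src|dst] host|net|port VALUE'."""
    smac, dmac, sip, dip, sport, dport = pkt
    words = expr.lower().split()
    if words[0] == "ether":
        # Link-layer match: 'host' means either direction.
        direction = None if words[1] == "host" else words[1]
        value = words[2]
        src, dst = smac, dmac
        test = lambda field: field == value
    else:
        # Without a src/dst qualifier the primitive matches either direction.
        direction = words.pop(0) if words[0] in ("src", "dst") else None
        kind, value = words
        if kind == "port":
            src, dst = sport, dport
            test = lambda field: field == int(value)
        else:
            # 'host' and 'net' share one check: a bare address parses as a /32.
            net = ipaddress.ip_network(value)
            src, dst = sip, dip
            test = lambda field: ipaddress.ip_address(field) in net
    if direction == "src":
        return test(src)
    if direction == "dst":
        return test(dst)
    return test(src) or test(dst)

def capture(expr):
    """Return the indexes of the sample packets the filter would keep."""
    return [i for i, pkt in enumerate(PACKETS) if matches(pkt, expr)]

if __name__ == "__main__":
    for f in ("host 172.18.5.4", "net 192.168.0.0/24", "src net 192.168.0.0/24",
              "port 80", "ether host 00:11:22:33:44:55", "ether src 00:11:22:33:44:55"):
        print(f"{f:32} keeps packets {capture(f)}")
```

Packets that a capture filter drops are never written to the capture, so unlike a display filter they cannot be brought back afterwards.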


The main reason for using capture filters is performance.


Be aware that the syntax used by these two filters is completely different. This blog post introduces the capture filter.


Wireshark often captures a lot of data, so we need filters to narrow it down to the traffic we care about.

Capture filter: set the filter condition before capturing, so that only the matching packets are captured.

Display filter: set the filter condition on the set of packets already captured; packets you do not want to see are hidden and only the matching packets are displayed.













