How do I use filters in Wireshark?

What are the different filters for Wireshark?

Filters are used for different purposes, such as to capture packets for further examination, to filter by protocol type, or to filter by source and destination addresses.

A variety of filter options are available for various combinations of the following:

Capturing packets: Filter options include "capture interfaces only", "capture packets from host X", and "capture packets including protocols Y and Z". For example, "capture interface wlan1" captures packets sent by wireless device X to the AP in room X123.

Protocol types: Filters can capture packets of a specific protocol or protocol type, as well as packets that have a specific protocol type but contain other data. For example, "capture protocol tcp" captures TCP packets.

Source and destination: Filters can capture traffic whose source and destination are known. Source and destination pairs: Capturing IPv4 and IPv6 traffic is made easier when you use source and destination IP addresses, but it's also easier to view when you filter on IP addresses in conjunction with other types of filtering. For example, "capture source 192.168.100 and destination 10.10" captures packets going from 192.100 to 10. Wireshark makes this easy.

Source and destination pairs with a certain type of traffic: You can easily examine the traffic going from your local computer (source) to the Internet (destination), without having to use two filters for each direction of the traffic. You can use either one filter or multiple filters for each side of the traffic, such as "capture source 192.10 and protocol udp", which captures packets destined for 10.10 on UDP.

Filtering based on the traffic direction: Capture packets coming into your computer (destination), or going out of your computer (source). For example, "capture destination 10.10 and protocol tcp and not dst port 22" captures packets that will be sent out of your computer on TCP to port 22 on your destination computer.

Filtering by port number: Many networks require authentication, authorization, accounting, or other policies based on the applications being used.

How do I capture a filter in Wireshark?

I've used Wireshark on a couple of different machines over the past few months.

I've gotten the hang of how to capture packets from the machine, and I can even get output from various tools like tcpdump and Ethereal (which is useful when I have a particular packet I want to see in Wireshark). But I'm trying to get some information into Wireshark, and I don't know how to capture filters and parameters.

For example, when I was running a scan against my network, I found a TCP stream with a SYN flag set, which I wanted to capture. The way I would normally do this is with: tcpdump -i eth0 -s0 -vvv -n port 8080, which should give me the SYN flag and port 8080. I would then open up Wireshark and go to File->Open capture. However, this doesn't work for filters. It opens the file and shows the packet, but there are no options for capturing the SYN flag.

Is there a way to get this information into Wireshark? I'd like to be able to capture more complex things like this, and also capture network-wide information. It turns out that you can get this information through tcpdump, which has an option to capture flags. I started tcpdump with the following: tcpdump -n -w tcpdump.pcap -i eth0 -s 0 -w - 551674 IP 192.168.15873 > 192.551706 IP 192.8080 > 192.

How do you define a filter in Wireshark?

This question may be a bit too broad, but I'm curious to know the broad outlines of how you define a filter in Wireshark.

I'm aware of "capture on interface" filters, but I'd like to know what other filters are out there, such as capturing all UDP traffic on a specific port. Is it simply "port number?" "source address range?" "source port range?" What else is there?

To capture all incoming UDP traffic to a specific port you could do something like this: eth0 -> ip-in -> udp:portnumber -> filter. That would capture only traffic on that port.

What are the filters in Wireshark?

And what's the difference between a filter and a regexp?

In my readings, I see that the two things are the same in terms of usage, except for one small difference: regexps are case-sensitive, where filters aren't. Wireshark makes no mention of this other than one little section towards the end of "Network Layers":

Filters. The Wireshark filter engine uses various filters and regular expressions to represent network interfaces. Filters are case-sensitive, but regular expressions are not. Filters can use information from multiple packets, whereas regular expressions use only a single packet for matching.

It's really that difference that has been driving me nuts, and I'm hoping someone here can give me an answer on the matter! So far my reading has left me a bit uncertain as to why there would be a difference between the two. Here is the filter for a particular interface (eth0) and some example records for it: (source: tiaocode.org) And here are the results that happen when I run tcpdump -i eth0 on it. I've already had a look at the capture and determined that it is working correctly, so I don't think that's the issue, since I'm pretty certain that Wireshark can handle that kind of input just fine. Again, here's my sample output:
# tcpdump -ni eth0. Tcpdump: WARNING: Capture file is large. May take some time.

Tcpdump: eth0: Starting sniffing on tap0 with 145528 bytes of data. Tcpdump: eth0: no Ethernet hardware detected, if you know what you're doing. SNIP .

27:38.10.12.2523 > 127.0)

How do I filter by IP address and port in Wireshark?

I need to filter packets by IP address and port, but I have no idea how to do it.

You can't. You'd have to write your own filter to do that.

Wireshark has a built-in filter called "TCP flag," which you can use to see only TCP packets. You can also create a custom filter to see only UDP and ICMP packets, but there's no way to select from a list of IP addresses or ports (it would be useful if you're working with an external tool that's filtering packets).
