What are the filters in Wireshark?
The answer to this question depends on how you use Wireshark.
Out of the box Wireshark applies no filter at all: every frame the interface sees is captured and listed. Filters are how you narrow that down, and there are two kinds. Capture filters, written in the libpcap/BPF syntax shared with tcpdump, are applied as packets arrive, so anything they exclude is never written to the capture file. Display filters, written in Wireshark's own field-based syntax, are applied to packets that have already been captured, so they can be changed, combined and removed at will without losing data. Both kinds can select on IP addresses, MAC addresses, port numbers, protocols and many other fields. A filter is a good way to start an investigation, but for in-depth analysis you will need to dive into the packet details, examine the payload and build compound filters of your own. In this chapter, you will learn the basics of Wireshark and how to use both kinds of filter to find information in your network traffic.
This chapter covers the following topics: where filters are entered, how saved filters are managed, and how filter expressions drive the statistics and colouring you see. Display filter expressions are typed into the filter toolbar directly below the main toolbar; the bar turns green when the expression is valid and red when it is not. Capture filter expressions are entered in the Capture Options dialog before a capture is started. Saved filters live in two dialogs, Analyze > Display Filters... and Capture > Capture Filters..., each of which lists named filters alongside their expressions and lets you add, edit and remove them. Wireshark ships a handful of saved filters in each dialog as starting points, such as ones that select only TCP, only UDP, or only traffic to or from a given host. The Statistics menu (Protocol Hierarchy, Conversations, Endpoints) reports how many packets and bytes each protocol accounted for and can be limited to whatever the current display filter selects. Coloring rules (View > Coloring Rules...) are themselves display filter expressions: each rule pairs an expression with a foreground and background colour, which is why rows in the packet list are colour-coded by protocol.
Understanding the Filter Dialogs. To open the Display Filters dialog, choose Analyze > Display Filters... from the menu bar; the Capture Filters dialog is opened the same way from the Capture menu. Each row shows a filter's name and its expression. Use the + and - buttons in the lower-left corner of the dialog to add or remove a filter, and double-click a name or expression to edit it. A saved display filter can also be applied directly by clicking the bookmark icon at the left end of the filter toolbar and choosing it from the list. Figure 16-1 shows the dialog with the saved filters listed.
Figure 16-1 Wireshark's Filters window showing a list of filters for each category.
How do I capture with a filter in Wireshark?
I would like to capture with a certain filter in Wireshark.
How can I do this? For example, if I have an IP address of 192.168.20, I want to capture traffic to and from that address. I don't need anything other than that IP address. How can I accomplish this?
If you want to limit the display to the packets which contain a given source address: ip.src == <address>
If you want to limit the display to the packets which contain a given destination address: ip.dst == <address>
To filter by port: tcp.port == 22 or udp.port == 53
If you want to limit the display to packets that match a specific protocol, e.g. TCP: tcp (or only the TCP packets with the SYN flag set: tcp.flags.syn == 1)
For both protocols (TCP and UDP) combine the conditions with || (or) and && (and): tcp.port == 22 || udp.port == 53; to require both the SYN and FIN flags: tcp.flags.syn == 1 && tcp.flags.fin == 1
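The display filters in the answer above, and the field-based display-filter syntax described in the chapter text, share one semantic that is worth seeing in code: a field such as ip.addr or tcp.port occurs twice per packet (source and destination), and a comparison is true if any occurrence matches. That is why ip.addr == X means "to or from X", but also why the tempting ip.addr != X did not mean "everything except X" in Wireshark releases before 3.6 (it was true whenever either address differed, which is every packet); the form !(ip.addr == X) is unambiguous in every version. The following Python is an added illustration written for this page, not Wireshark's own code: a toy evaluator for a small subset of the display-filter grammar, run over constructed packet records (the addresses and ports are invented; 10.0.0.5 stands in for the host in the question), with the legacy_ne flag selecting which != semantics to model. Remember that all of this is display filtering of packets already captured; to capture only that host's traffic in the first place, as the question asks, you need a capture filter in BPF syntax such as host 10.0.0.5 or host 10.0.0.5 and tcp port 22, set in the Capture Options dialog or passed to tshark or dumpcap with -f (tshark takes display filters with -Y), and packets excluded by a capture filter are never written to disk.

```python
"""Toy evaluator for a subset of Wireshark display-filter syntax: ==, !=, !, &&,
||, parentheses and bare "present" names. Added illustration, not Wireshark's code."""
import re

# Fields that occur twice per packet: ip.addr is "ip.src or ip.dst" and
# tcp.port is "tcp.srcport or tcp.dstport". This is what makes != surprising.
MULTI_FIELDS = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}
TOKEN = re.compile(r"\(|\)|&&|\|\||!=|==|!|[A-Za-z_][\w.]*|\d+(?:\.\d+)*")

def tokenize(expr):
    """Split a filter string into tokens; any unrecognised character raises."""
    toks = TOKEN.findall(expr)
    if "".join(toks) != re.sub(r"\s+", "", expr):
        raise ValueError(f"cannot tokenize {expr!r}")
    return toks

class Parser:
    """Recursive descent: || binds loosest, then &&, then !, then atoms."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.i += 1
        return tok

    def expr(self):
        return self.binop("||", lambda: self.binop("&&", self.not_expr))

    def binop(self, op, sub):
        node = sub()
        while self.peek() == op:
            self.take()
            node = (op, node, sub())
        return node

    def not_expr(self):
        if self.peek() == "!":
            self.take()
            return ("!", self.not_expr())
        return self.primary()

    def primary(self):
        tok = self.take()
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if self.peek() in ("==", "!="):
            return (self.take(), tok, self.take())  # (op, field, value)
        return ("present", tok)  # bare field or protocol name

def field_values(pkt, field):
    return [str(pkt[n]) for n in MULTI_FIELDS.get(field, (field,)) if n in pkt]

def evaluate(node, pkt, legacy_ne):
    kind = node[0]
    if kind in ("||", "&&"):
        left, right = (evaluate(n, pkt, legacy_ne) for n in node[1:])
        return (left or right) if kind == "||" else (left and right)
    if kind == "!":
        return not evaluate(node[1], pkt, legacy_ne)
    if kind == "present":  # "tcp" is present when any tcp.* field is
        return any(k == node[1] or k.startswith(node[1] + ".") for k in pkt)
    op, field, value = node
    vals = field_values(pkt, field)
    if op == "==":  # true if ANY occurrence equals the value
        return any(v == value for v in vals)
    if legacy_ne:  # pre-3.6 "!=": true if ANY occurrence differs (the trap)
        return any(v != value for v in vals)
    return bool(vals) and all(v != value for v in vals)  # 3.6+: ALL must differ

# Constructed sample traffic (addresses and ports invented for this example):
# SSH handshake 10.0.0.5 <-> 192.0.2.10, a DNS query from 10.0.0.5, unrelated HTTP FIN.
SAMPLE_PACKETS = [
    {"no": 1, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.10", "tcp.srcport": 51514,
     "tcp.dstport": 22, "tcp.flags.syn": 1, "tcp.flags.fin": 0},
    {"no": 2, "ip.src": "192.0.2.10", "ip.dst": "10.0.0.5", "tcp.srcport": 22,
     "tcp.dstport": 51514, "tcp.flags.syn": 1, "tcp.flags.fin": 0},
    {"no": 3, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.53", "udp.srcport": 40000,
     "udp.dstport": 53},
    {"no": 4, "ip.src": "10.0.0.7", "ip.dst": "192.0.2.80", "tcp.srcport": 40001,
     "tcp.dstport": 80, "tcp.flags.syn": 0, "tcp.flags.fin": 1},
]

def apply_filter(expr, packets=SAMPLE_PACKETS, legacy_ne=True):
    """Frame numbers selected by a display filter; legacy_ne picks the != semantics."""
    parser = Parser(tokenize(expr))
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [p["no"] for p in packets if evaluate(tree, p, legacy_ne)]
```

With the constructed frames, apply_filter("ip.addr == 10.0.0.5") returns frames 1, 2 and 3 (to or from the host), apply_filter("ip.addr != 10.0.0.5") returns all four under the legacy semantics because every frame has at least one address that is not 10.0.0.5, and both apply_filter("!(ip.addr == 10.0.0.5)") and apply_filter("ip.addr != 10.0.0.5", legacy_ne=False) return only frame 4. A bare protocol name such as udp selects frame 3 because a udp.* field is present, which is also how the saved "UDP only" filter works.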