Tuesday 10 April 2012

Common capture filter expressions used in wireshark

In Wireshark we have two types of filters: display filters and capture filters.

Common capture filter strings are:

1) No Multicast traffic : "not multicast"

2) No Broadcast : "not broadcast"

3) only arp : "arp"

4) only ip : "ip"

5) port 550 : "port 550"

6) traffic to and from 10.0.0.1 : "host 10.0.0.1"

7) traffic from MAC address 00:00:00:11:22:33 : "ether host 00:00:00:11:22:33"

8) pppoe : "ether proto 0x8863 or ether proto 0x8864"

9) source subnet 10.0 : "src net 10.0"

10) dns traffic : "port 53"
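To make concrete what the link-layer keywords in items 1 to 4, 7 and 8 actually test, here is an added Python example (not from the original post, and not libpcap) that evaluates those filter strings against a few constructed Ethernet frames. It also shows why the PPPoE filter has to use `or`: a frame carries exactly one ethertype, so joining two `ether proto` tests with `and` matches nothing. The sample MAC addresses and frames are made up for the demonstration.

```python
import struct

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def make_frame(dst, src, ethertype):
    """Constructed Ethernet II header: dst MAC, src MAC, 16-bit type field."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype)

def ether_proto(frame, ethertype):  # 'ether proto N': type field at offset 12
    return struct.unpack("!H", frame[12:14])[0] == ethertype

def multicast(frame):  # 'multicast': group bit of first dst octet; broadcast counts too
    return frame[0] & 0x01 == 0x01

def broadcast(frame):  # 'broadcast': destination MAC is all ones
    return frame[0:6] == mac("ff:ff:ff:ff:ff:ff")

def ether_host(frame, addr):  # 'ether host X': X is the source OR the destination MAC
    return frame[0:6] == mac(addr) or frame[6:12] == mac(addr)

# Constructed sample frames (not captured traffic). 0x8863/0x8864 are the
# PPPoE discovery/session ethertypes, 0x0800 is IPv4, 0x0806 is ARP.
FRAMES = {
    "pppoe_disc": make_frame("ff:ff:ff:ff:ff:ff", "00:00:00:11:22:33", 0x8863),
    "pppoe_sess": make_frame("00:11:22:33:44:55", "00:00:00:11:22:33", 0x8864),
    "ipv4_mcast": make_frame("01:00:5e:00:00:fb", "00:aa:bb:cc:dd:ee", 0x0800),
    "arp_req":    make_frame("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:ee", 0x0806),
}

# The post's link-layer filter strings, each as a predicate over one frame.
FILTERS = {
    "not multicast": lambda f: not multicast(f),
    "not broadcast": lambda f: not broadcast(f),
    "arp": lambda f: ether_proto(f, 0x0806),
    "ip": lambda f: ether_proto(f, 0x0800),
    "ether host 00:00:00:11:22:33": lambda f: ether_host(f, "00:00:00:11:22:33"),
    # A frame has exactly one ethertype, so 'and' between two values never matches.
    "ether proto 0x8863 and ether proto 0x8864":
        lambda f: ether_proto(f, 0x8863) and ether_proto(f, 0x8864),
    "ether proto 0x8863 or ether proto 0x8864":
        lambda f: ether_proto(f, 0x8863) or ether_proto(f, 0x8864),
}

def matching(filter_string):
    """Names of the sample frames that the given filter string would keep."""
    pred = FILTERS[filter_string]
    return sorted(name for name, frame in FRAMES.items() if pred(frame))
```

Note that "not multicast" also drops broadcast frames (ARP requests, PPPoE discovery), since broadcast is a special case of multicast in the filter language.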