Tuesday 10 April 2012

Types of Wireshark filters and common filters for wireshark

In Wireshark we have two types of filters

1) Display filter which is the main filter in Wireshark Window and can be seen below:

2) Capture filter -> which we can get in options

In options we can see the capture filter

The syntax for each type of filter is different and one filter string may not work for another.

In Capture filter, before starting the capture the filter string is defined and is used only to capture those packets which are matching with the filter.

In Display filter the filter string only apply the filter and show the results, but it will capture all type of packets.

For common types of filter expression, i have made separate posts please go through them.

Which type of filter we should use ?

Well, i have seen many people using only display filters.There could be different reasons like people are not aware of capture filters or as it capture only specific packets the filter should be proper.

My say : Use capture filter if you know which traffic you want to analyze as it saves time and is not cluttered.