
Author Profile - Ray Tompkins is the Founder and CEO of Gearbit. Ray is a Senior Network Specialist with over 28 years' experience in troubleshooting, design, and implementation. His background includes 911 emergency consulting and identifying the root cause of critical network problems. His knowledge of network protocols (LAN, VoIP, WAN and WLAN), and of how they work within enterprise networks, is the key to providing customer service through knowledge transfer and education.
In this month's issue of Under-the-Hood, we’re continuing the discussion about the importance of filtering when using Wireshark. If you missed part 1 of the discussion, you can find the article “Under the Hood: Capture Filters, Display Filters” on the LoveMyTool website.
One way to improve and organize your Display Filters is to rearrange them into groups. Or better yet, visit gearbit.com for a pre-prepared list. At gearbit, we think like a network analyst, so we've compiled a list of capture filters and organized them by category. All you will need to do is copy the cfilter file containing the 150 filters that are organized by topic.
The compiled cfilters file has various types of filters that can be edited as you use them to meet most of your capture needs. If you find yourself adding filters of your own, just follow the instructions below, which show you how to create and organize them.
The Capture Filters are found in the cfilters file located under C:\Documents and Settings\Administrator\Application Data\Wireshark [see Figure 1.1 Wireshark Capture Filter File Location]. Remember that the folder name "Administrator" may differ according to how you have your logon set up. You can open the cfilters file in Notepad for editing.
I like to rename the existing file so that I have a backup. The original file supplied with Wireshark doesn't contain any formatting. We have found that adding a few tabs to offset the filters from the headers gives the capture filters a whole new look and makes them easier to find [see Figure 1.2 Wireshark cfilters File Format]. Adding categories also helps keep similar filters together.
The cfilters file at the gearbit web site provides a combination of Capture Filters that have been accumulated from several sources. By scouring various websites over several years we have compiled a master list, which we then ran through a group of network experts for edits and additional input. Additionally, network analysts like you continue to send us your favorite filters. The list now contains more than 150 filters. If you have capture filters that you would like to contribute, please send them to tech08 at "@" gearbit.com.
Figure 1.1 Wireshark Capture Filter File Location
The cfilters file can be edited and organized into groups by theme. To make the filters easier to see, apply a tab to offset the text. All of the text needs to be contained in quotes, and each theme title also needs to have the word HEADER in it.
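The layout described above, as an added example that is not from the article or from Gearbit's own cfilters file: a small Python script that reads a cfilters file in Wireshark's `"name" expression` line format, groups the entries under the HEADER titles, checks that every line is quoted, flags duplicate names (a common result of merging lists from several sources), and writes the file back out with the tab offset. The sample file contents are constructed for the example, and treating a header line as a quoted title containing HEADER with no expression is an assumption.

```python
import re
from collections import OrderedDict

# Constructed sample in the article's layout: quoted entries, group titles
# containing HEADER, member filters offset by a tab.
SAMPLE_CFILTERS = '''"Non-HTTP and non-SMTP to/from www.example.com" not port 80 and not port 25 and host www.example.com
"HEADER TCP"
\t"TCP only" tcp
\t"TCP SYN only" tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) = 0
"HEADER ARP"
\t"ARP only" arp
'''

# Wireshark's cfilters line format: a quoted name followed by the expression.
LINE_RE = re.compile(r'^\s*"([^"]*)"\s*(.*?)\s*$')

def parse_cfilters(text):
    """Return {group_title: [(name, expression), ...]} in file order.
    Entries before the first HEADER line go into an 'UNGROUPED' group."""
    groups = OrderedDict()
    current = "UNGROUPED"
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: text must be quoted: {line!r}")
        name, expr = m.groups()
        if "HEADER" in name:          # assumption: a quoted title marks a group
            current = name
            groups.setdefault(current, [])
        else:
            groups.setdefault(current, []).append((name, expr))
    return groups

def find_duplicate_names(groups):
    """Filter names that occur more than once across all groups."""
    seen, dupes = set(), []
    for entries in groups.values():
        for name, _ in entries:
            if name in seen and name not in dupes:
                dupes.append(name)
            seen.add(name)
    return dupes

def format_cfilters(groups):
    """Write groups back out: header line, then each filter offset by a tab."""
    out = []
    for title, entries in groups.items():
        indent = ""
        if title != "UNGROUPED":
            out.append(f'"{title}"')
            indent = "\t"
        out.extend(f'{indent}"{name}" {expr}' for name, expr in entries)
    return "\n".join(out) + "\n"
```

Back up the original cfilters file first, as the article recommends, and run the output through `parse_cfilters` again to confirm it round-trips before replacing the file.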
Figure 1.2 Wireshark cfilters File Format