
Wireshark Quick Tip: Setting a Capture Filter (by Chris Greer)


Quick tips


Have you ever had to dig through huge trace files looking for traffic from just one address? Sure, it’s a piece of cake to set a display filter and look for the device that way, but in some situations it’s just easier to set a capture filter from the get-go. A capture filter is set in Wireshark before the capture begins; only traffic that matches the filter is admitted into the capture buffer. Capture filters are easy to set, but very easy to overlook. Sometimes the best use of a capture filter is to capture everything except a certain protocol or address.

Before going much further into this topic, I’d like to stress that at the beginning of any application analysis I’m not a huge fan of capture filters, simply because you may inadvertently filter out traffic that would otherwise help solve the problem. For example, what if a filter were set for a certain IP address when, in reality, that address or station had nothing to do with the underlying problem? So be careful to set capture filters only for traffic you are sure you want to isolate and capture.

How to set a quick capture filter

After starting Wireshark, click on Capture Options from the startup window.

Capture options

This will bring up the Wireshark Capture Options window. Make sure at the top of the window that the correct interface has been selected for capture. In the middle of the window is where a capture filter definition can be entered and applied.

Capture filter bar

Here a capture filter can be set for a protocol, conversation, IP address, or just about anything else. Most commonly a capture filter is set for an address or protocol. Keep in mind that the display filter syntax and the capture filter syntax in Wireshark are different: capture filters use the BPF syntax shared with tcpdump, not Wireshark’s display filter language. Here are some common capture filter definitions.

host 10.0.0.100

tcp port http

not arp and not icmp

The ‘not’ filter for arp and icmp is a great filter to keep in mind when capturing in an environment where these protocols are common, but healthy. Keep that one in your back pocket.
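To make the behaviour of the three filters above concrete, here is an added example (my own code, not part of the original post or of Wireshark) that implements a toy evaluator for just the capture-filter subset used in this tip (host, tcp/udp port, arp, icmp, not/and/or, parentheses) and runs it over a handful of constructed packet summaries. It mirrors the real BPF semantics for these primitives: host matches either source or destination, tcp port http matches port 80 on either side, and not binds tighter than and. It also illustrates the caveat from the introduction: a filter on one host silently drops a packet from a different station that might be the real problem. The packet list, the port map and the function names are assumptions made for this example.

```python
"""Toy evaluator for a subset of Wireshark/tcpdump capture-filter (BPF) syntax.

Supported: host <ip>, [tcp|udp] port <number|name>, arp, icmp, tcp, udp,
not, and, or, parentheses. Precedence: not > and > or, as in real BPF.
"""

# Constructed sample packets (assumed for this example; not a real trace).
PACKETS = [
    {"proto": "tcp",  "src": "10.0.0.100", "dst": "10.0.0.5",   "sport": 51000, "dport": 80},
    {"proto": "tcp",  "src": "10.0.0.5",   "dst": "10.0.0.100", "sport": 80,    "dport": 51000},
    {"proto": "arp",  "src": "10.0.0.1",   "dst": "10.0.0.100"},
    {"proto": "icmp", "src": "10.0.0.7",   "dst": "10.0.0.100"},
    {"proto": "tcp",  "src": "10.0.0.7",   "dst": "10.0.0.50",  "sport": 51001, "dport": 443},
    {"proto": "udp",  "src": "10.0.0.100", "dst": "10.0.0.53",  "sport": 51002, "dport": 53},
]

# Minimal stand-in for the /etc/services lookup BPF performs for names like "http".
SERVICE_PORTS = {"http": 80, "https": 443, "domain": 53}


def port_number(tok):
    """Resolve a service name or numeric string to a port number."""
    return SERVICE_PORTS[tok] if tok in SERVICE_PORTS else int(tok)


def compile_filter(text):
    """Compile a capture-filter string into a predicate over packet dicts."""
    toks = text.lower().replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        tok = toks[pos]
        pos += 1
        return tok

    def parse_or():                      # lowest precedence
        node = parse_and()
        while peek() == "or":
            take()
            node = (lambda a, b: lambda p: a(p) or b(p))(node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while peek() == "and":
            take()
            node = (lambda a, b: lambda p: a(p) and b(p))(node, parse_not())
        return node

    def parse_not():                     # highest precedence
        if peek() == "not":
            take()
            inner = parse_not()
            return lambda p: not inner(p)
        if peek() == "(":
            take()
            node = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in capture filter")
            return node
        return parse_primitive()

    def parse_primitive():
        tok = take()
        if tok == "host":                # either direction, like real BPF
            addr = take()
            return lambda p: addr in (p["src"], p["dst"])
        if tok in ("tcp", "udp") and peek() == "port":
            take()
            port = port_number(take())
            return lambda p: p["proto"] == tok and port in (p.get("sport"), p.get("dport"))
        if tok == "port":
            port = port_number(take())
            return lambda p: port in (p.get("sport"), p.get("dport"))
        if tok in ("arp", "icmp", "tcp", "udp"):
            return lambda p: p["proto"] == tok
        raise ValueError(f"unsupported capture-filter token: {tok}")

    pred = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token: {peek()}")
    return pred


def capture(text, packets=PACKETS):
    """Return the indexes of packets that the capture filter would admit."""
    pred = compile_filter(text)
    return [i for i, p in enumerate(packets) if pred(p)]


if __name__ == "__main__":
    for f in ("host 10.0.0.100", "tcp port http", "not arp and not icmp"):
        print(f"{f!r:28} -> packets {capture(f)}")
    # The caveat: packet 4 (10.0.0.7 -> 10.0.0.50:443) never reaches the buffer
    # under "host 10.0.0.100", even if that flow is the real problem.
    print("packet 4 captured under host filter?", 4 in capture("host 10.0.0.100"))
```

Running the script shows the three filters admitting packets [0, 1, 2, 3, 5], [0, 1] and [0, 1, 4, 5] respectively, and confirms that the host filter excludes packet 4 entirely, which is exactly the kind of blind spot the introduction warns about.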

Don’t forget to remove a capture filter when you are done with it! Otherwise you may be capturing in a different environment with a pre-configured capture filter that will not help the current situation. Thanks for reading this month’s quick tip!



Author Profile - Chris Greer is a Network Analyst for Packet Pioneer. Chris has many years of experience in analyzing and troubleshooting networks. He regularly assists companies in tracking down the source of network and application performance problems using a variety of protocol analysis and monitoring tools including Wireshark. When he isn’t hunting down problems at the packet level, he can be found teaching various analysis workshops at Interop and other industry trade shows. Chris also delivers training and develops technical content for several analysis vendors.

Chris can be contacted at chris (at) packetpioneer (dot) com. 
