Wednesday, October 1, 2014

Wireshark Capture Filters


Capture filter:
-should be used if you only want to save a small portion of the packets
-uses Berkeley Packet Filter (BPF) syntax
-has a different format than a display filter


Configuration
-in order to configure a capture filter, click on Capture->Options and set the Capture Filter
*** there is also a shortcut button on the main ribbon (2nd from the left)

-there is a list of predefined capture filters in Capture->Capture Filters;
 you can use those examples as a starting point for customizing your own filters

*** the predefined capture filters are saved at the following path:
C:\Documents and Settings\<Your user>\Application Data\Wireshark\cfilters

Examples:
ether host 00:00:10:00:00:01
    capture only traffic to or from the MAC address shown
ether host 00:00:10:00:00:01 and port 80
    capture all HTTP traffic to or from the MAC address shown
port 53
    capture all DNS traffic, i.e. all TCP and UDP traffic to/from port 53
arp
    all ARP packets
tcp port 110
    capture POP3 traffic
    *** you cannot write pop instead of the port number; BPF has no keyword for the POP protocol
udp port 67
    all DHCP packets
net 10.0.0.0/24
    capture traffic only to or from the specified network range
tcp portrange 1501-1549
    capture traffic to or from the specified port range
tcp port 23 and not src host 10.0.0.1
    capture all telnet traffic not from 10.0.0.1 (the "and" between the two primitives is required; BPF rejects "tcp port 23 not src host 10.0.0.1" as a syntax error)
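The filters above, as an added example that is not part of the original post: a small Python evaluator for just the BPF keywords these examples use (host, net, port, portrange, ether host, tcp/udp/arp, and/or/not), run against constructed packet-metadata dicts rather than libpcap or a real capture. Like libpcap it gives "and" higher precedence than "or" and rejects two primitives with no operator between them.

```python
# Added example (not from the post): evaluates the subset of BPF capture-filter
# syntax used above against constructed packet-metadata dicts (not libpcap).
import ipaddress
def _primitive(tok, i, pkt):                    # returns (matched, index after it)
    proto = tok[i] if tok[i] in ("tcp", "udp", "arp") else None
    if proto:
        i += 1
        if i == len(tok) or tok[i] in ("and", "or"):    # bare 'tcp' / 'arp'
            return pkt["proto"] == proto, i
    dirs, i = ([tok[i]], i + 1) if tok[i] in ("src", "dst") else (["src", "dst"], i)
    i += (tok[i] == "ether")                    # skip 'ether' in 'ether host'
    kind, val = tok[i], tok[i + 1]
    if kind == "host":                          # MAC if it contains ':', else IPv4
        ok = any(pkt[d + ("_mac" if ":" in val else "_ip")].lower() == val.lower() for d in dirs)
    elif kind == "net":                         # CIDR range, either direction
        net = ipaddress.ip_network(val, strict=False)
        ok = any(ipaddress.ip_address(pkt[d + "_ip"]) in net for d in dirs)
    elif kind in ("port", "portrange"):         # '53' or '1501-1549'
        lo, hi = map(int, val.split("-") if "-" in val else (val, val))
        ok = any(lo <= pkt.get(d + "_port", -1) <= hi for d in dirs)
    else:
        raise ValueError("unsupported primitive: " + kind)
    return ok and (proto is None or pkt["proto"] == proto), i + 2

def _term(tok, i, pkt):                         # 'not' negates one term
    if tok[i] == "not":
        ok, i = _term(tok, i + 1, pkt)
        return not ok, i
    return _primitive(tok, i, pkt)

def _expr(tok, i, pkt, op="or"):                # 'and' binds tighter than 'or'
    sub = (lambda t, j, p: _expr(t, j, p, "and")) if op == "or" else _term
    ok, i = sub(tok, i, pkt)
    while i < len(tok) and tok[i] == op:
        rhs, i = sub(tok, i + 1, pkt)
        ok = (ok or rhs) if op == "or" else (ok and rhs)
    return ok, i

def matches(filter_expr, pkt):
    """True if the filter keeps pkt; ValueError if the syntax is bad."""
    tok = filter_expr.split()
    ok, i = _expr(tok, 0, pkt)
    if i != len(tok):                           # e.g. a missing 'and' before 'not'
        raise ValueError("syntax error near: " + " ".join(tok[i:]))
    return ok
# Constructed sample packets (metadata only; not from a real capture).
DNS = dict(proto="udp", src_mac="00:00:10:00:00:01", dst_mac="00:00:10:00:00:02",
           src_ip="10.0.0.5", dst_ip="10.0.0.1", src_port=51000, dst_port=53)
TELNET = dict(proto="tcp", src_mac="00:00:10:00:00:03", dst_mac="00:00:10:00:00:02",
              src_ip="10.0.0.1", dst_ip="10.0.0.7", src_port=4000, dst_port=23)
```

Call matches() with any of the example filters and a packet dict to see which would be kept; the evaluator only models the keywords listed in the lead-in.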

References:
http://wiki.wireshark.org/CaptureFilters
http://biot.com/capstats/bpf.html
Wireshark University videos