Location>code7788 >text

Wireshark filter types

Popularity:624 ℃/2025-03-19 21:07:04

 

Wireshark is a powerful network protocol analysis tool that supports multiple types of filters to help users capture and analyze network traffic.

According to usage scenarios and functions, Wireshark filters can be divided into the following two categories:

1. Capture Filter

  • Definition: A filter applied during the packet capture phase to limit which packets Wireshark captures.
  • Features:
    • Use the BPF (Berkeley Packet Filter) syntax.
    • Effective in real time during the capture process, reducing unnecessary packets being saved to memory or disk.
    • Higher performance and suitable for large-scale traffic environments.

 

  • Common usage:
host 192.168.1.1 # Capture all traffic related to 192.168.1.1
 port 80 # Capture traffic with port 80
 tcp and src 192.168.1.1 # Capture TCP traffic from 192.168.1.1

2. Display Filter

  • Definition: A filter used to filter and display a specific packet after packet capture is complete.
  • Features:
    • Use Wireshark custom syntax to be more flexible than capture filters.
    • Applied after the capture is completed, the actual captured data will not be affected.
    • Supports complex logical expressions and protocol field filtering.

 

  • Common usage:
== 192.168.1.1 # Show all traffic related to 192.168.1.1
  == 80 # Display TCP traffic with port 80
  == "GET" # Show HTTP GET request
  contains "google" # Show DNS queries containing "google"

Filter syntax comparison

Function Capture Filter (BPF) Display filter (Wireshark)
grammar BPF Wireshark custom syntax
Application time Packet capture phase After packet capture is completed
performance More efficient Inefficient
flexibility Lower higher
Example host 192.168.1.1 == 192.168.1.1

Commonly used filter examples

1. Capture filter example

  • Filter by IP address:
host 192.168.1.1
  • Filter by port:
port 80
  • Filter by protocol:
tcp udp icmp
  • Combination conditions:
tcp and src 192.168.1.1

2. Display filter example

  • Filter by IP address:
 == 192.168.1.1
  • Filter by port:
 == 80
  • Filter by protocol field:
 == "GET"  contains "google"
  • Combination conditions:
 == 192.168.1.1 &&  == 80

How to choose a filter?

  • If you need to reduce the amount of captured data: use a Capture filter.
  • If you need to flexibly analyze captured data: use Display Filter.

By using these two filters rationally, the efficiency and accuracy of network analysis can be significantly improved.

 

  • ChatAI Online
  • Transfer to pictures online
  • Image conversion Base64
  • Website technology stack detection
  • DeepSeek
  • Markdown Online

Link:/farwish/p/18781827

<Previous Next>