Now we can take a look at display and capture filters now display filters are used when we have already captured some packets or are actively capturing packets. Now in this case we see a TCP communication stream with an HTTP server. So in this case let’s just go up to the filter and type in HTTP.
you may also like:
Wireshark display and capture filters
Now we’re going to say apply not much here as we know which is great. I’m going to clear that. We know that we can also add what’s called an expression and a more complex filter. Let’s click on that the expression builder comes up which allows us to add a more complex filter as you can see over in the middle panel. We have an equal not equal to greater than less than other variables we can add to build an expression. If we click over in the field name in the left hand side. Take a look down below you’ll watch it helps you search d n s.
Now it sort of knows I wanted to go to DNS. Now let’s expand this. Now we can see that with DNS we have some options as to exactly what type of field value we would like for example I would like to see a quad A record looking for an IP version 6 address I’m going to select that and you can see if it says equals it says exactly what IP version 6 address are you looking at. Another one will do is TCP now TCP again has a lot of options and we’re just going to expand this and now we can build an expression.
Display and capture filters
So for example I want to see which ones have the fin flags set I’m going to select DCP Flagstar fin and says equals and it is on. We’re going to say okay now we’re going to apply it once we have it in the filter area and now we can see only those that have the fin flags set are up there. Now we’re going to clear that okay so we can build an expression and yes we can add complex expressions as well. Now let’s look at some shortcuts. If I right click Transmission Control Protocol and expand I clicked on TCP. And now let’s take a look at the flags and just bring this up now. If I want only to add those that have the acknowledgement flags set I’m going to right click and I’m going to say prepare as a filter.
Now when I prepare as a filter it won’t run it. It simply puts it up in the display filter area. I’ll have to run it. But it’s so that I can modify it. We see there it says selected not selected and not selected. We’ll do that in just a minute. Let’s just say selected. So now it’s put it up there for me to run and I’m going to just drop this down. So we’ll see what happens. I only want those packets that have the acknowledgment set at 1:00 and won’t apply.
All right. I have some other stuff in there. Well I want maybe not to have the send flag so I know up here in the handshake. I have that sense like set I don’t want that. So let’s go here and we’re going to go to the send flag. Now I’m going to right click the filters already there. I’m going to say her pear is the filter and not selected. We’re going to put it up there but what I want to say is going to change that to a one. So what does that say. That says give me the traffic that has the acknowledgment flag set but not those that have the same flag set.
Now I’m going to apply it and that has taken that away. But look I have those that have the thin flag set. We’re going to take that away too. We’re going to the fan flag and I’m going to right click. And now let’s say prepared as a filter and not selected. And since it’s already said it won it will go up there and now that should take it away as well. And now we’ll say apply. And now all I have are those packets that have an acknowledgment flagged set. Now it’s clear that well what about those capture filters. We’re going to go to capture and then options.
Now let’s take a look in the center of this capture options dialog box you see capture filter capture filters are when you only want to capture a specific type of traffic such as our traffic or DNS when we simply can type our.
That would be fine. Remember if it turns green it’s good red it isn’t good. And you know is it might work or you can do this. Select captures filter and you can see that there’s already some pre done capture filters in there for you. Now for example I want not ARP and that filters string is available. TCP only. No broadcast or no multicast and it’s already set up I’ll say okay and I’m not going to run it because we’re not going to capture anything but we would put that in there and only traffic that was not broadcast or not multicast would be captured.
We’re going to just clear this off but keep in mind a couple of things. When you use the capture filter you’re only going to capture traffic. You’ve said you wanted to capture and nothing else so when troubleshooting that might cause a problem you might miss something plus the fact is a captures filter is a little more resource intensive in that you are filtering as you capture when to close this so you can see the different things in order what you can do to filter and display only types of traffic that you want to see when you’re using wireshark.
Latest posts by Hamza Arif (see all)
- What is RDP (Remote Desktop Protocol) & How RDP works - July 20, 2018
- Understanding SNMP & Install and configure SNMP - July 18, 2018
- Ping, Tracert, PathPing – Troubleshoot Network - July 17, 2018