Wireshark capture and display filters

Capture filters use a completely different syntax from display filters, and for some reason Wireshark gives you no obvious hint about what the capture filter syntax actually is.

Display filters are pretty simple. Here are some examples:

Display filter examples

Display traffic from IP address 192.168.1.2
ip.src eq 192.168.1.2

Display all snmp traffic and any traffic to 10.1.1.1
snmp or ip.dst == 10.1.1.1

Display ssh and http traffic
ssh or http

Display ipv6 traffic to or from localhost
ipv6.addr == ::1

Display traffic to a specific hardware address
eth.dst == ff:ff:ff:ff:ff:ff
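To make the display filter semantics concrete, here is an added example (my own code, not part of the original post and not Wireshark's implementation) that evaluates the five filters above against a few constructed packet records. The packet records, the field names and the small grammar (protocol name, `field == value` / `field eq value`, `and`, `or`) are assumptions chosen to mirror how Wireshark matches a display filter against dissected fields; note in particular that `==` on a field that occurs more than once in a packet (like `ipv6.addr`) is true if any occurrence matches.

```python
import ipaddress

# Constructed sample packets (not taken from any real capture). Each record
# lists the protocols Wireshark's dissectors would have recognised, plus the
# named fields the page's filters refer to. A field that occurs more than once
# in a packet (ipv6.addr covers both src and dst) is stored as a list.
SAMPLE_PACKETS = [
    {"protocols": {"eth", "ip", "udp", "snmp"},
     "ip.src": "192.168.1.2", "ip.dst": "10.1.1.1", "eth.dst": "00:11:22:33:44:55"},
    {"protocols": {"eth", "ip", "tcp", "ssh"},
     "ip.src": "10.0.0.5", "ip.dst": "192.168.1.2", "eth.dst": "00:11:22:33:44:55"},
    {"protocols": {"eth", "ipv6", "tcp", "http"},
     "ipv6.addr": ["::1", "0:0:0:0:0:0:0:1"], "eth.dst": "00:11:22:33:44:55"},
    {"protocols": {"eth", "arp"}, "eth.dst": "ff:ff:ff:ff:ff:ff"},
]

EQUALS = {"==", "eq"}


def _parse_or(tokens, i):
    """or-expression := and-expression ('or' and-expression)*  (lowest precedence)."""
    node, i = _parse_and(tokens, i)
    while i < len(tokens) and tokens[i] in ("or", "||"):
        rhs, i = _parse_and(tokens, i + 1)
        node = ("or", node, rhs)
    return node, i


def _parse_and(tokens, i):
    """and-expression := atom ('and' atom)*"""
    node, i = _parse_atom(tokens, i)
    while i < len(tokens) and tokens[i] in ("and", "&&"):
        rhs, i = _parse_atom(tokens, i + 1)
        node = ("and", node, rhs)
    return node, i


def _parse_atom(tokens, i):
    """atom := field ('=='|'eq') value  |  protocol-name"""
    if i >= len(tokens):
        raise ValueError("filter ends unexpectedly")
    if i + 2 < len(tokens) and tokens[i + 1] in EQUALS:
        return ("cmp", tokens[i], tokens[i + 2]), i + 3
    return ("proto", tokens[i]), i + 1


def compile_filter(expr):
    """Parse a display filter string into a small expression tree."""
    tokens = expr.split()
    tree, i = _parse_or(tokens, 0)
    if i != len(tokens):
        raise ValueError(f"unexpected tokens: {' '.join(tokens[i:])}")
    return tree


def _normalise(name, text):
    # Addresses are compared numerically so "::1" and "0:0:0:0:0:0:0:1" agree;
    # everything else (MAC addresses here) is compared case-insensitively.
    if name.startswith(("ip.", "ipv6.")):
        return ipaddress.ip_address(text)
    return text.lower()


def evaluate(tree, packet):
    kind = tree[0]
    if kind == "proto":
        return tree[1] in packet["protocols"]
    if kind == "cmp":
        _, name, literal = tree
        raw = packet.get(name, [])
        values = raw if isinstance(raw, list) else [raw]
        # "==" on a multi-occurrence field is true if ANY occurrence matches.
        return any(_normalise(name, v) == _normalise(name, literal) for v in values)
    left = evaluate(tree[1], packet)
    return (left or evaluate(tree[2], packet)) if kind == "or" else (left and evaluate(tree[2], packet))


def matching(expr, packets=SAMPLE_PACKETS):
    """Indices of the packets a display filter would leave visible."""
    tree = compile_filter(expr)
    return [i for i, pkt in enumerate(packets) if evaluate(tree, pkt)]


if __name__ == "__main__":
    for f in ("ip.src eq 192.168.1.2", "snmp or ip.dst == 10.1.1.1", "ssh or http",
              "ipv6.addr == ::1", "eth.dst == ff:ff:ff:ff:ff:ff"):
        print(f"{f:35} -> packets {matching(f)}")
```

The point worth remembering from the evaluator: a display filter works on fields the dissectors have already extracted, so it can refer to protocol names and decoded values, and it only hides packets that are already in the capture.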


Capture filters don’t follow these rules at all. But if you’re familiar with tcpdump, then you already know how to limit the capture with filters: it’s the same pcap/BPF filter syntax, with the same rules!

Here are some capture filter examples taken from the Wireshark wiki:

Capture filter examples

Capture only traffic to or from IP address 172.18.5.4:
host 172.18.5.4

Capture traffic to or from a range of IP addresses:
net 192.168.0.0 mask 255.255.255.0

Capture traffic from a range of IP addresses:
src net 192.168.0.0 mask 255.255.255.0

Capture traffic to a range of IP addresses:
dst net 192.168.0.0/24

Capture only DNS traffic:
port 53

Capture Primitives

[src|dst] host <host>
This primitive allows you to filter on a host IP address or name. You can optionally precede the primitive with the keyword src|dst to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears as either the source or the destination address will be selected.

ether [src|dst] host <ehost>
This primitive allows you to filter on Ethernet host addresses. You can optionally include the keyword src|dst between the keywords ether and host to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears in either the source or destination address will be selected.

gateway host <host>
This primitive allows you to filter on packets that used host as a gateway. That is, where the Ethernet source or destination was host but neither the source nor destination IP address was host.

[src|dst] net <net> [{mask <mask>}|{len <len>}]
This primitive allows you to filter on network numbers. You can optionally precede this primitive with the keyword src|dst to specify that you are only interested in a source or destination network. If neither of these is present, packets will be selected that have the specified network in either the source or destination address. In addition, you can specify either the netmask or the CIDR prefix for the network if they are different from your own.

[tcp|udp] [src|dst] port <port>
This primitive allows you to filter on TCP and UDP port numbers. You can optionally precede this primitive with the keywords src|dst and tcp|udp which allow you to specify that you are only interested in source or destination ports and TCP or UDP packets respectively. The keywords tcp|udp must appear before src|dst. If these are not specified, packets will be selected for both the TCP and UDP protocols and when the specified port appears in either the source or destination port field.

less|greater <length>
This primitive allows you to filter on packets whose length was less than or equal to the specified length, or greater than or equal to the specified length, respectively.

ip|ether proto <protocol>
This primitive allows you to filter on the specified protocol at either the Ethernet layer or the IP layer.

ether|ip broadcast|multicast
This primitive allows you to filter on either Ethernet or IP broadcasts or multicasts.
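As an added illustration of how the host, net, port and less|greater primitives above combine with their src|dst and tcp|udp qualifiers, here is a small matcher (my own example code, not part of the post, the Wireshark wiki, or libpcap's real compiler) run over constructed sample traffic. The Packet model and the sample records are assumptions; the gateway, proto and broadcast|multicast primitives are not modelled. It enforces the ordering rule stated above (tcp|udp before src|dst) by rejecting a filter written the other way round.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp", or something else such as "icmp"
    sport: int = 0
    dport: int = 0
    length: int = 0  # bytes on the wire


# Constructed sample traffic; nothing here comes from a real capture.
SAMPLE = [
    Packet("172.18.5.4", "192.168.0.10", "tcp", 443, 51000, 1500),
    Packet("192.168.0.10", "8.8.8.8", "udp", 51001, 53, 80),
    Packet("10.9.8.7", "172.18.5.4", "udp", 53, 33000, 120),
    Packet("10.9.8.7", "10.9.8.1", "icmp", 0, 0, 64),
]


def _either(direction, src_value, dst_value):
    """Values to test: only src, only dst, or both when no src|dst keyword was given."""
    return {"src": [src_value], "dst": [dst_value], None: [src_value, dst_value]}[direction]


def compile_primitive(text):
    """Turn one capture-filter primitive into a predicate Packet -> bool."""
    tokens = text.split()
    i, proto, direction = 0, None, None
    if tokens[i] in ("tcp", "udp"):
        proto, i = tokens[i], i + 1
    if tokens[i] in ("src", "dst"):
        direction, i = tokens[i], i + 1
    if tokens[i] in ("tcp", "udp"):
        # The ordering rule from the description: tcp|udp must come before src|dst.
        raise ValueError("tcp|udp must appear before src|dst")
    keyword, args = tokens[i], tokens[i + 1:]
    if proto and keyword != "port":
        raise ValueError("tcp|udp qualifies only the port primitive")

    if keyword == "host":
        target = ipaddress.ip_address(args[0])
        return lambda p: any(ipaddress.ip_address(a) == target
                             for a in _either(direction, p.src, p.dst))
    if keyword == "net":
        # Both spellings used above: "net N mask M" and "net N/len".
        spec = f"{args[0]}/{args[2]}" if len(args) == 3 and args[1] == "mask" else args[0]
        network = ipaddress.ip_network(spec, strict=False)
        return lambda p: any(ipaddress.ip_address(a) in network
                             for a in _either(direction, p.src, p.dst))
    if keyword == "port":
        port = int(args[0])

        def port_match(p):
            # Without tcp|udp the port primitive covers both transports, never ICMP.
            if p.proto not in ("tcp", "udp") or (proto and p.proto != proto):
                return False
            return port in _either(direction, p.sport, p.dport)
        return port_match
    if keyword in ("less", "greater"):
        n = int(args[0])
        # "less" is <= and "greater" is >=, as described above.
        return (lambda p: p.length <= n) if keyword == "less" else (lambda p: p.length >= n)
    raise ValueError(f"unsupported primitive: {keyword}")


def matching(text, packets=SAMPLE):
    """Indices of the packets a capture filter would let through to the capture file."""
    keep = compile_primitive(text)
    return [i for i, p in enumerate(packets) if keep(p)]


if __name__ == "__main__":
    for f in ("host 172.18.5.4", "net 192.168.0.0 mask 255.255.255.0",
              "src net 192.168.0.0 mask 255.255.255.0", "dst net 192.168.0.0/24",
              "port 53", "udp dst port 53", "greater 1000"):
        print(f"{f:40} -> packets {matching(f)}")
```

The difference from the display filter evaluator is what the predicate sees: only raw header fields (addresses, ports, length), nothing a dissector would produce. Anything a capture filter drops never reaches the capture file, so keep capture filters broad when you are not yet sure what you are looking for and narrow down with display filters afterwards.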

Posted by admica   @   4 April 2010
