Introduction
In this post, you will learn how to filter packets in Wireshark, which is one of the most important topics in Wireshark. So please pay attention, and check out the video version of the post below.
Earlier lessons in this series:
Wireshark Lesson 1
Wireshark Lesson 2
Wireshark Lesson 3
Wireshark Lesson 4
Wireshark Lesson 5
How to filter packets in Wireshark?
Filtering packets in Wireshark is really very simple, but you should know the difference between a capture filter and a display filter.
Capture filter vs display filter
These are the two major types of filters in Wireshark. Let's look closely at what a capture filter is and what a display filter is.
Capture filter
A capture filter restricts which packets are captured in the first place. For example, when starting Wireshark you say you need only ARP packets; then you will see ARP packets only. This is called a pre-filter or capture filter.
Display filter
With a display filter you capture all the packets on the network, and once you have captured them you filter them. This is called a post-filter or display filter.
Doing a capture filter
To apply a capture filter, just open Wireshark.
In the capture filter box, you can enter the specific packets you want to capture.
Let me say I want to capture port 53, which is DNS. So just enter port 53 and select the interface you want to capture on; I am choosing the Wi-Fi.
In the picture below, you can see that we are capturing only DNS. As you know well, DNS is on port 53.
For more information on capture filters, do watch the YouTube video.
Doing a display filter
You can use the display filter once you have started capturing packets.
For example, if I type icmpv6, I will see only icmpv6 results.
If you want to see the packets from a specific IP address, just enter this filter:
ip.addr eq 192.168.1.9
ip.addr == <IP address>
What if you don't want to see a specific protocol? You can just use the not operator like this:
not arp
Now I will not be seeing any ARP packets.
If you want to remove multiple protocols, just enter the filter below:
not (arp or tcp or ip)
String filter
With a string filter, you just enter a string of text and filter the packets that contain it.
For example, I want to filter on the name Google. I don't mind whether the packet is TCP or UDP; I just want to see the packets that contain the string google.
frame contains google
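The display filters shown in this section (a bare protocol name, ip.addr ==, not and or, and frame contains) are all sentences of one small grammar. The Python script below is an added example, not code from this post or from the Wireshark project: it implements a toy evaluator for that subset of the display-filter language and runs it over four constructed packet records (SAMPLE_PACKETS), so you can see exactly which frames each filter keeps. Packet, Parser, apply_filter and the sample data are assumptions of this example; real Wireshark dissects the frames for you. It also makes visible one detail the post does not spell out: ip.addr == X matches the address as source or destination, which is why ip.addr eq 192.168.1.9 keeps both the DNS frame and the TLS frame in the sample.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Packet:
    protocols: set                              # layers present, e.g. {"eth", "ip", "udp", "dns"}
    fields: dict = field(default_factory=dict)  # field name -> values; "ip.addr" holds src and dst
    raw: bytes = b""                            # frame bytes, searched by "frame contains"


# Tokens: parentheses, ==, ||, &&, !, "quoted strings", and bare words (names, IPs, numbers).
TOKEN_RE = re.compile(r'\(|\)|==|\|\||&&|!|"[^"]*"|[A-Za-z0-9_.:-]+')


def _unquote(tok):
    if tok is None:
        raise ValueError("missing value after operator")
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


# Recursive descent with Wireshark's precedence: 'not' binds tightest, then 'and', then 'or'.
class Parser:
    def __init__(self, expr):
        self.toks, self.i = TOKEN_RE.findall(expr), 0
        if re.sub(r"\s", "", "".join(self.toks)) != re.sub(r"\s", "", expr):
            raise ValueError(f"unrecognised characters in filter {expr!r}")

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else None

    def parse_or(self):
        left = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            left = (lambda a, b: lambda p: a(p) or b(p))(left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            left = (lambda a, b: lambda p: a(p) and b(p))(left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.parse_not()
            return lambda p: not inner(p)
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok in (None, ")", "==", "eq", "contains", "and", "or", "not"):
            raise ValueError(f"expected a protocol or field name, got {tok!r}")
        name, op = tok, self.peek()
        if op in ("==", "eq"):
            self.take()
            value = _unquote(self.take())
            # Any-match semantics: "ip.addr == X" hits frames where X is the source OR the destination.
            return lambda p: value in p.fields.get(name, [])
        if op == "contains":
            self.take()
            needle = _unquote(self.take()).encode()
            if name == "frame":  # "frame contains google" is a byte search over the whole frame
                return lambda p: needle in p.raw
            return lambda p: any(needle in str(v).encode() for v in p.fields.get(name, []))
        # Bare name ("arp", "icmpv6", "tcp"): that protocol layer or field is present in the frame.
        return lambda p: name in p.protocols or bool(p.fields.get(name))


def apply_filter(expr, packets):
    """Return the packets matching expr, as if expr were typed into the display filter bar."""
    parser = Parser(expr)
    match = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r} in {expr!r}")
    return [p for p in packets if match(p)]


# Constructed sample capture (not real traffic): four frames with only the layers and fields used here.
SAMPLE_PACKETS = [
    Packet({"eth", "arp"}, {"arp.src.proto_ipv4": ["192.168.1.1"]}, b"\x00\x01\x08\x00"),
    Packet({"eth", "ip", "udp", "dns"}, {"ip.addr": ["192.168.1.9", "8.8.8.8"], "udp.port": ["51234", "53"]},
           b"\x00\x01\x00\x00\x03www\x06google\x03com\x00"),
    Packet({"eth", "ip", "tcp", "tls"}, {"ip.addr": ["192.168.1.9", "142.250.80.46"], "tcp.port": ["50000", "443"]},
           b"\x16\x03\x01"),
    Packet({"eth", "ipv6", "icmpv6"}, {"ipv6.addr": ["fe80::1", "ff02::1"]}, b"\x86\x00"),
]
```

Calling apply_filter("not (arp or tcp or ip)", SAMPLE_PACKETS) returns only the ICMPv6 frame, and apply_filter("frame contains google", SAMPLE_PACKETS) returns only the DNS frame, because the query name is carried in the frame bytes as the label google. Capture filters such as the port 53 of the previous section use a different, BPF-based syntax and are not modelled here.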
Conclusion
In this post we have seen how to filter packets in two ways. I hope this blog post helps you a lot; please share it and check out the video version of the post.