Filtering traffic in Wireshark | Lesson 4 | [update 2024]

Introduction

In this post, you will learn how to filter packets in Wireshark, which is one of the most important topics in Wireshark. Please pay attention, and check out the video version of the post below.

Wireshark Lesson 1 [Click here]
Wireshark Lesson 2 [Click here]
Wireshark Lesson 3 [Click here]
Wireshark Lesson 4 [Click here]
Wireshark Lesson 5 [Click here]


How to filter packets in Wireshark?

Filtering packets in Wireshark is really very simple, but you should first know the difference between a capture filter and a display filter.


Capture filter vs. display filter

These are the two major types of filters in Wireshark. Let's look closely at what a capture filter is and what a display filter is.

Capture filter

A capture filter restricts what is captured to the packets you specifically want. For example, when starting Wireshark you say "I need only ARP packets"; then only ARP packets are captured, and nothing else is recorded. This is called a pre-filter or capture filter.

Display filter

With a display filter, you capture all the packets on the network first, and once they are captured you filter what is shown. This is called a post-filter or display filter.

Doing a capture filter

To apply a capture filter, just open Wireshark.

In the capture filter box on the start screen, you can enter the specific traffic you want to capture.

Let's say I want to capture port 53, which is DNS. So just enter port 53 and select the interface you want to capture on; I am choosing Wi-Fi.

In the picture below, you can see that we are capturing only DNS. As you very well know, DNS runs on port 53.

For more information on capture filters, do watch the YouTube video.

Doing a display filter

The display filter bar is available once you have started capturing packets.

For example, if I type icmpv6, I will see only the icmpv6 packets.

If you want to see the packets to or from a specific IP address, just enter this filter:

ip.addr eq 192.168.1.9

ip.addr == <IP address>

What if you don't want to see a specific protocol? You can just use the not operator like this:

not arp

Now I will not see any ARP packets.

If you want to remove multiple protocols, just enter the filter below:

not (arp or tcp or ip)

String filter

With a string filter, you can just enter a string of text and filter the packets that contain it.

For example, I want to filter on the name "google". I don't mind whether the packet is TCP or UDP; I just want to see every packet that contains the name google.

frame contains google
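To make the capture-filter versus display-filter distinction from the sections above concrete, here is an added example (my own code, not from the original post or from the Wireshark project). It models a tiny capture as a list of constructed frames and implements just the two stages the lesson describes: a capture filter in Wireshark's BPF-style syntax (only "port N" and a bare protocol name are supported here), applied before anything is recorded, and a small evaluator for the display-filter expressions used in the lesson (ip.addr == / eq, not, or, and, parentheses, frame contains). The frame contents, addresses and field layout are invented for the demo; the real Wireshark engine supports far more fields and operators.

```python
"""Toy model of Wireshark's two filter stages (constructed example, not
Wireshark code). A capture filter (BPF syntax, e.g. "port 53") decides which
frames are recorded at all; a display filter (Wireshark syntax, e.g.
"ip.addr == 192.168.1.9", "not arp", "frame contains google") is evaluated
afterwards over everything that was recorded."""
import re

# Constructed sample capture: one dict per frame. Keys mirror the Wireshark
# field names used in the lesson; addresses and payloads are invented.
FRAMES = [
    {"no": 1, "protos": ("eth", "arp"), "ip.addr": (), "port": (),
     "bytes": b"who-has 192.168.1.1 tell 192.168.1.9"},
    {"no": 2, "protos": ("eth", "ip", "udp", "dns"), "ip.addr": ("192.168.1.9", "8.8.8.8"),
     "port": (51234, 53), "bytes": b"\x01\x00 www.google.com A?"},
    {"no": 3, "protos": ("eth", "ip", "tcp", "tls"), "ip.addr": ("192.168.1.9", "142.250.74.36"),
     "port": (44321, 443), "bytes": b"\x16\x03\x01 sni=www.google.com"},
    {"no": 4, "protos": ("eth", "ipv6", "icmpv6"), "ip.addr": (), "port": (),
     "bytes": b"neighbor solicitation"},
    {"no": 5, "protos": ("eth", "ip", "tcp", "http"), "ip.addr": ("192.168.1.20", "93.184.216.34"),
     "port": (40000, 80), "bytes": b"GET / HTTP/1.1 Host: example.com"},
]


def capture_filter(frames, bpf):
    """Pre-filter: keep only frames matching a BPF-style expression.
    Only the forms used in the lesson ("port N", bare protocol) are modelled."""
    m = re.fullmatch(r"port (\d+)", bpf.strip())
    if m:
        port = int(m.group(1))
        return [f for f in frames if port in f["port"]]
    if re.fullmatch(r"[a-z0-9]+", bpf.strip()):
        return [f for f in frames if bpf.strip() in f["protos"]]
    raise ValueError(f"unsupported capture filter in this toy: {bpf!r}")


# --- display-filter evaluator -------------------------------------------
TOKEN = re.compile(r'\(|\)|==|!=|&&|\|\||!|"[^"]*"|[^\s()]+')


def _values(frame, name):
    v = frame.get(name)
    if v is None:
        return []
    return [str(x) for x in v] if isinstance(v, (tuple, list)) else [str(v)]


def _present(frame, name):
    # "frame" matches everything; a bare protocol matches frames carrying that
    # layer; a bare field name matches frames where the field has a value.
    return name == "frame" or name in frame["protos"] or bool(_values(frame, name))


def _contains(frame, name, needle):
    if name == "frame":                      # substring search over raw bytes
        return needle.encode() in frame["bytes"]
    return any(needle in v for v in _values(frame, name))


class Parser:
    """Recursive-descent parser producing a predicate frame -> bool.
    Grammar: or_expr := and_expr (or and_expr)*; and_expr := not_expr (and not_expr)*;
    not_expr := not not_expr | primary; primary := ( or_expr ) | field [op value]."""

    def __init__(self, expr):
        self.toks, self.i = TOKEN.findall(expr), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        pred = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def or_expr(self):
        left = self.and_expr()
        while self.peek() in ("or", "||"):
            self.take()
            left = lambda f, l=left, r=self.and_expr(): l(f) or r(f)
        return left

    def and_expr(self):
        left = self.not_expr()
        while self.peek() in ("and", "&&"):
            self.take()
            left = lambda f, l=left, r=self.not_expr(): l(f) and r(f)
        return left

    def not_expr(self):
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.not_expr()
            return lambda f: not inner(f)
        return self.primary()

    def primary(self):
        tok = self.take()
        if tok == "(":
            pred = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return pred
        if tok is None or tok in (")", "==", "!=", "eq", "ne", "contains"):
            raise ValueError(f"expected a field or protocol name, got {tok!r}")
        name = tok
        if self.peek() in ("==", "eq", "contains", "!=", "ne"):
            op = self.take()
            if op in ("!=", "ne"):
                # On multi-valued fields such as ip.addr, "!=" has not meant
                # "not ==" in every Wireshark version; spell it out instead.
                raise ValueError(f"write not ({name} == value) instead of {name} {op} value")
            value = self.take()
            if value is None:
                raise ValueError(f"missing value after {name} {op}")
            value = value.strip('"')
            if op == "contains":
                return lambda f: _contains(f, name, value)
            return lambda f: value in _values(f, name)
        return lambda f: _present(f, name)


def display_filter(frames, expr):
    """Post-filter: evaluate a display-filter expression over recorded frames."""
    pred = Parser(expr).parse()
    return [f for f in frames if pred(f)]


def frame_numbers(frames):
    return [f["no"] for f in frames]


if __name__ == "__main__":
    print("capture 'port 53'      ->", frame_numbers(capture_filter(FRAMES, "port 53")))
    for expr in ("icmpv6", "ip.addr eq 192.168.1.9", "not arp",
                 "not (arp or tcp or ip)", "frame contains google"):
        print(f"display {expr!r:28} ->", frame_numbers(display_filter(FRAMES, expr)))
    # Frames dropped by the capture filter cannot be brought back afterwards:
    print("display 'tcp' after capture 'port 53' ->",
          frame_numbers(display_filter(capture_filter(FRAMES, "port 53"), "tcp")))
```

Two things the run makes visible that the prose alone does not: first, a display filter applied after capture filter port 53 can never show TCP frames, because they were never recorded, which is why a capture filter is the right choice when you know in advance what you need and a display filter is safer when you do not. Second, not (arp or tcp or ip) still leaves the ICMPv6 frame, since in Wireshark the protocol name ip means IPv4 only and IPv6 is matched by ipv6.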

Conclusion

In this post, we have seen the two ways to filter packets in Wireshark. I hope this blog post helps you a lot; if so, please share it and check out the video version of the post.
