Capture Filters
Table of Contents
Quicklinks: Wireshark Wiki | User Guide | pcap-filter manpage
Capture Filters
Capture filters are used to decrease the size of captures by filtering out packets before they are added. Capture filters are based on BPF syntax, which tcpdump also uses. As libpcap parses this syntax, many networking programs require it.
To specify a capture filter, use tshark -f "${filter}". For example, to capture pings or tcp traffic on port 80, use icmp or tcp port 80.
To see how your capture filter is parsed, use dumpcap. Below is how ip is parsed.
If this intrigues you, capture filter deconstruction awaits.
Capture vs Display Filters
Wireshark uses two types of filters: Capture Filters and Display Filters. By comparison, display filters are more versatile, and can be used to
select for expert infos that can be determined with a multipass analysis. For
example, if you want to see all pings that didn’t get a response,
tshark -r file.pcap -Y "icmp.resp_not_found" will do the job.
Capture filters cannot be this intelligent because their keep/drop decision is based on a single pass.
Capture filters operate on raw packet bytes with no capture format bytes getting in the way. You cannot use them on an existing file or when reading from stdin for this reason.