Capture Filters

Capture Pcap

Drop uninteresting traffic like a hot potato
2 min |  Ross Jacobs |  April 4, 2019

Table of Contents

Quicklinks: Wireshark Wiki | User Guide | pcap-filter manpage

Capture Filters

Capture filters are used to decrease the size of captures by filtering out packets before they are added. Capture filters are based on BPF syntax, which tcpdump also uses. As libpcap parses this syntax, many networking programs require it.

To specify a capture filter, use tshark -f "${filter}". For example, to capture pings or tcp traffic on port 80, use icmp or tcp port 80.

Example Capture Filter

To see how your capture filter is parsed, use dumpcap. Below is how ip is parsed.

Dumpcap adventure

If this intrigues you, capture filter deconstruction awaits.

Capture vs Display Filters

Wireshark uses two types of filters: Capture Filters and Display Filters. By comparison, display filters are more versatile, and can be used to select for expert infos that can be determined with a multipass analysis. For example, if you want to see all pings that didn’t get a response, tshark -r file.pcap -Y "icmp.resp_not_found" will do the job. Capture filters cannot be this intelligent because their keep/drop decision is based on a single pass.

Capture filters operate on raw packet bytes with no capture format bytes getting in the way. You cannot use them on an existing file or when reading from stdin for this reason.

Further Reading