Wireshark is one of the top tools for troubleshooting network issues. It comes with many features and options that help you analyze captured data. On a busy network, however, there is so much traffic that scrolling through gigabytes of packets to find issues with specific systems or protocols is simply impractical. This is where capture and display filters come into play.
Capture filters are used when you know in advance what you are looking for. They predefine the type of traffic that is captured at all; as an example, you could set a capture filter to capture only HTTP traffic. Display filters are used after the traffic is captured. Although you might have captured all types of traffic, you could apply a display filter to show only Address Resolution Protocol (ARP) packets if you think someone has attempted ARP cache poisoning. Note that the two use different syntaxes: capture filters use the Berkeley Packet Filter (BPF) syntax shared with tcpdump, such as tcp port 80, while display filters use Wireshark's own field-based syntax, such as http. Regardless of the filter type you use, they allow you to ignore things that are not of interest. One caveat: whatever a capture filter excludes is never written to the capture file, so during an investigation it is usually safer to capture broadly and narrow down with display filters.
Display filters allow you to focus on things of interest and ignore things you don't care about. They are applied in the Filter edit box near the top left of the Wireshark window, just beneath the toolbar, as shown in Figure 1. There is also a history drop-down that lets you select filters you have used in the past.
You can also use the Wireshark display filter dialog box to select a number of predefined filters or create new ones. This is an efficient way to access the most commonly used Wireshark display filters for troubleshooting security issues and concerns.
Let's look at a few basic filters and discuss the effect of each:
ip.addr == 192.168.123.211
This filter displays every packet that has the specified address as either its source or its destination.
Now, let's look at another IP address filter.
ip.src == 192.168.123.211
This Wireshark display filter shows only the packets that come from this specific address; packets with that address as the destination are not shown. You could filter on ip.dst if you were only interested in traffic going to that address.
Now let's look at another.
dns && ip.src == 192.168.123.211
This filter displays only Domain Name System (DNS) traffic originating from the address specified. It is a good example of the and rule: you combine expressions with the && operator. Be careful to use two ampersands and not just one. A single ampersand is also valid in the display filter syntax, but it is the bitwise and operator, used to test individual bits of a field (for example, tcp.flags & 0x002 matches packets with the SYN bit set), so it will not give you the logical combination you expect.
Now, let's look at the not operator.
!ip.src == 192.168.123.211
The exclamation mark, sometimes referred to as a "bang," is the not operator; it negates the expression that follows it. Now, change your Wireshark display filter to say:
ip.src != 192.168.123.211
The difference is subtle, and the two filters are not equivalent. The first, !ip.src == 192.168.123.211, is read as !(ip.src == 192.168.123.211): Wireshark first tests whether the source address equals the one provided and then negates the result. A frame with no IPv4 header at all, such as ARP, Spanning Tree Protocol or IPv6, can never satisfy the comparison, so the negation is true and those frames are displayed. The second, ip.src != 192.168.123.211, is a comparison on the ip.src field itself, and a comparison on a field that is absent from the packet is false, so it shows only IPv4 packets whose source address is something other than 192.168.123.211 and silently drops the non-IPv4 traffic. There is a second wrinkle for packets that carry more than one IPv4 header, such as an ICMP error quoting the datagram that triggered it: since Wireshark 3.6, != is true only when every occurrence of ip.src differs from the value ("all not equal"), whereas earlier releases treated it as true when any occurrence differed, which is the meaning the newer !== operator keeps.
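As an added example that is not part of the original article, the following Python script models the evaluation rules behind the filters discussed above and runs them over a constructed packet list. The packet records, their names and the field values are made up for illustration, and the helper names (present, any_eq, all_ne, any_ne, bit_and, apply_filter, disagreements) are this example's own, not Wireshark's. It shows the three cases a practitioner needs to keep apart: a negated comparison passing frames that have no ip.src field at all, != ("all not equal", Wireshark 3.6 and later) dropping those frames and any packet in which even one ip.src occurrence matches, and !== ("any not equal", the older meaning of !=) keeping a multi-header packet as long as one occurrence differs. It also shows why a single & is not a logical and.

```python
"""Model of how Wireshark evaluates the display filters discussed above.

Each constructed packet is a dict mapping a field name to the list of values
that field takes in the packet. A field can occur more than once (an ICMP
error carries the outer IPv4 header plus the quoted inner one, so it has two
ip.src values), and a field the packet does not contain is simply absent.

The rules mirror Wireshark's: a relation on a field that is absent from the
packet is false; '==' is true if any occurrence matches; '!=' (all_ne, the
meaning since Wireshark 3.6) is true only if the field is present and every
occurrence differs; '!==' (any_ne, the meaning '!=' had before 3.6) is true
if any occurrence differs; '!' negates whatever follows it; a single '&' is
the bitwise and, not the logical and.
"""

TARGET = "192.168.123.211"

# Constructed sample capture, not real traffic.
PACKETS = [
    {"name": "dns-query-from-target", "ip.src": [TARGET],
     "ip.dst": ["192.168.123.1"], "dns": [True]},
    {"name": "dns-query-from-other", "ip.src": ["192.168.123.50"],
     "ip.dst": ["192.168.123.1"], "dns": [True]},
    {"name": "tcp-syn-from-target", "ip.src": [TARGET],
     "ip.dst": ["192.168.123.50"], "tcp.flags": [0x002]},
    {"name": "tcp-ack-to-target", "ip.src": ["192.168.123.50"],
     "ip.dst": [TARGET], "tcp.flags": [0x010]},
    # The gateway reports TTL exceeded to the target; the quoted datagram was
    # sent by the target, so ip.src occurs twice with different values.
    {"name": "icmp-ttl-exceeded-quoting-target",
     "ip.src": ["192.168.123.1", TARGET], "ip.dst": [TARGET, "8.8.8.8"],
     "icmp.type": [11]},
    # No IPv4 header at all, hence no ip.src field.
    {"name": "arp-request", "arp.src.proto_ipv4": [TARGET]},
    {"name": "ipv6-neighbor-solicitation", "ipv6.src": ["fe80::1"]},
    {"name": "stp-bpdu", "stp.root.hw": ["00:11:22:33:44:55"]},
]


def present(pkt, field):
    """Bare field or protocol name such as 'dns': true if it occurs at all."""
    return field in pkt


def any_eq(pkt, field, value):
    """'=='. False when the field is absent."""
    return any(v == value for v in pkt.get(field, []))


def all_ne(pkt, field, value):
    """'!=' in Wireshark 3.6 and later. False when the field is absent."""
    values = pkt.get(field, [])
    return bool(values) and all(v != value for v in values)


def any_ne(pkt, field, value):
    """'!==' (and '!=' before Wireshark 3.6). False when the field is absent."""
    return any(v != value for v in pkt.get(field, []))


def bit_and(pkt, field, mask):
    """Single '&': bitwise and, true if any occurrence has a masked bit set."""
    return any(v & mask for v in pkt.get(field, []))


# ip.addr is a convenience field Wireshark derives from both ip.src and ip.dst.
FILTERS = {
    "ip.addr == 192.168.123.211": lambda p: any_eq(p, "ip.src", TARGET) or any_eq(p, "ip.dst", TARGET),
    "ip.src == 192.168.123.211": lambda p: any_eq(p, "ip.src", TARGET),
    "dns && ip.src == 192.168.123.211": lambda p: present(p, "dns") and any_eq(p, "ip.src", TARGET),
    # '!ip.src == X' parses as '!(ip.src == X)'.
    "!ip.src == 192.168.123.211": lambda p: not any_eq(p, "ip.src", TARGET),
    "ip.src != 192.168.123.211": lambda p: all_ne(p, "ip.src", TARGET),
    "ip.src !== 192.168.123.211": lambda p: any_ne(p, "ip.src", TARGET),
    "tcp.flags & 0x002": lambda p: bit_and(p, "tcp.flags", 0x002),
}


def apply_filter(expr, packets=PACKETS):
    """Names of the packets the given display filter would show."""
    return [p["name"] for p in packets if FILTERS[expr](p)]


def disagreements(expr_a, expr_b, packets=PACKETS):
    """Packets shown by exactly one of two filters, i.e. where they are not equivalent."""
    shown_a = set(apply_filter(expr_a, packets))
    shown_b = set(apply_filter(expr_b, packets))
    return sorted(shown_a ^ shown_b)


if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:36} -> {apply_filter(expr)}")
    print("not equivalent on:",
          disagreements("!ip.src == 192.168.123.211", "ip.src != 192.168.123.211"))
```

To check these rules against the real implementation rather than this model, run dftest '!ip.src == 192.168.123.211' and dftest 'ip.src != 192.168.123.211' to see the instructions Wireshark compiles for each expression, or apply both with tshark -r capture.pcapng -Y '...' to a capture that contains ARP or IPv6 frames and compare the packet counts.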
In closing, what's most important to understand is that Wireshark simply collects the data, and it's up to you to understand and know what you are looking for and how to extract it. Constructing good Wireshark filters is half of the battle; the other half is understanding the underlying protocols so you know what to look for.