Wireshark mailing list archives

Re: Wireshark filters


From: Guy Harris <guy () alum mit edu>
Date: Wed, 28 Sep 2011 11:49:40 -0700


On Sep 27, 2011, at 5:02 AM, kevin creason wrote:

> Capture filters are troublesome for at least four reasons:
>
>         ...
>
> They prevent packets from being captured either by exclusion of the filter or not being included in the filter.

I'm not sure what you mean by that - a filter expression, whether it's a capture filter expression or a display filter 
expression, is, in the general case, a collection of "this" items and "not that" items, ANDed or ORed together.  The 
"this" items select stuff you want to see (which I guess is "included in the filter"), and the "not that" items select 
stuff you don't want to see (which I guess is "[excluded by] the filter").

> Once packets are not captured, you cannot see them.

That's not a bug, that's a feature. :-)

I.e., the whole *point* of a capture filter is to (reasonably) efficiently discard packets that you have deemed 
uninteresting, especially in situations where the capturing machine couldn't keep up with the full stream of packets if 
you didn't filter them out (so that you wouldn't be able to see all of them even *without* a capture filter).  If 
you're not in one of those situations, capture filters may be less useful, but even then, if you know what you care 
about, it means that, while the capture is in progress or after it stops, you don't then have to filter out, for 
example, various bits of broadcast and multicast noise on your network, or a steady stream of traffic to the file 
server containing your network home directory, or stuff such as that (both of which I've filtered out at work just to 
keep it out of my capture as early as possible).
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
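The capture-filter-versus-display-filter distinction from the reply above, as an added illustration that is not part of the original thread: a small simulation of the filter Guy describes ("drop broadcast/multicast noise and traffic to the file server"), showing that packets rejected at capture time are gone for good while a display filter can be relaxed afterwards. The packet records, the file-server address and the helper names are constructed for this example.

```python
from dataclasses import dataclass

FILE_SERVER = "10.0.0.5"  # assumed address of the home-directory file server (constructed)


@dataclass(frozen=True)
class Packet:
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str


def is_broadcast(pkt: Packet) -> bool:
    return pkt.dst_mac.lower() == "ff:ff:ff:ff:ff:ff"


def is_multicast(pkt: Packet) -> bool:
    # Ethernet group address: low-order bit of the first octet is set
    # (like the BPF "multicast" primitive, this also matches broadcast).
    return int(pkt.dst_mac.split(":")[0], 16) & 1 == 1


def capture_filter(pkt: Packet) -> bool:
    # Predicate form of: not (broadcast or multicast) and not host FILE_SERVER
    return not (is_broadcast(pkt) or is_multicast(pkt)) and \
        FILE_SERVER not in (pkt.src_ip, pkt.dst_ip)


def capture(stream, filt=None):
    """Capture-time filtering: rejected packets are never written to the file."""
    return [p for p in stream if filt is None or filt(p)]


def display(captured, filt=None):
    """Display filtering: only hides packets; clearing the filter shows them again."""
    return [p for p in captured if filt is None or filt(p)]


# Constructed sample traffic: ARP broadcast, mDNS multicast, two SMB packets to/from
# the file server, and two HTTP packets that the analyst actually cares about.
STREAM = [
    Packet("ff:ff:ff:ff:ff:ff", "10.0.0.9", "10.0.0.255", "arp"),
    Packet("01:00:5e:00:00:fb", "10.0.0.9", "224.0.0.251", "mdns"),
    Packet("00:11:22:33:44:55", "10.0.0.9", FILE_SERVER, "smb"),
    Packet("00:11:22:33:44:66", FILE_SERVER, "10.0.0.9", "smb"),
    Packet("00:11:22:33:44:55", "10.0.0.9", "93.184.216.34", "http"),
    Packet("00:11:22:33:44:66", "93.184.216.34", "10.0.0.9", "http"),
]


def demo():
    """Return (packets on the wire, kept by capture filter, visible after clearing display filter)."""
    filtered_capture = capture(STREAM, capture_filter)
    return len(STREAM), len(filtered_capture), len(display(filtered_capture, None))
```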