Wireshark Display & Capture Filters...
Used to filter out or select types of traffic, especially useful for large captures or captures with lots of traffic from many sources.
There are many, many filters, but here are the ones I use most commonly.
ip.addr==10.1.4.20 <-- Used to filter out all other frames except those that are from, or to, this IP
ip.addr==10.1.4.20 or ip.addr==10.1.6.2 <-- Used to filter out all traffic except anything from, or to, either of these IPs
ip.addr==10.1.4.20 and ip.addr==10.1.6.2 <-- Used to filter out all traffic except for frames between these two specific IPs
ip.src==10.1.4.20 <-- Used to filter out all traffic except frames coming FROM this IP
ip.dst==10.1.4.20 <-- Used to filter out all traffic except frames going TO this IP
tcp.flags.ack==1 <-- Shows all ACK frames (frames with the TCP ACK flag set)
tcp.dstport==1720 <-- Used to show all traffic sent to a specific TCP port number (Port 1720 used in this example). Can also use udp.srcport for UDP filtering
eth.src == 0c:80:2a:33:a2:01 <-- Used to filter or capture all traffic with specific source MAC address (can be used with the "and" / "or" arguments)
eth.dst == 0c:80:2a:33:a2:01 <-- Used to filter or capture all traffic with specific destination MAC address (can be used with the "and" / "or" arguments)
eth.addr == 0c:80:2a:33:a2:01 <-- Used to filter or capture any traffic with the specified MAC, in either direction.
Add "!" in front of any of the filters above to turn the filter into a "not" filter.
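The following is an added example, not part of the original page: a small Python model of how the IP filters above select frames, showing that ip.addr stands for both the source and the destination address, which is why the "and" form isolates one conversation and the "!" form drops a host in both directions. The five frames are constructed sample data and the helper names (eq, and_, or_, not_, run_all) are assumptions made for this illustration.

```python
# Constructed sample frames (not taken from a real capture).
FRAMES = [
    {"no": 1, "ip.src": "10.1.4.20", "ip.dst": "10.1.6.2", "tcp.dstport": 1720},
    {"no": 2, "ip.src": "10.1.6.2", "ip.dst": "10.1.4.20", "tcp.dstport": 50112},
    {"no": 3, "ip.src": "10.1.4.20", "ip.dst": "10.1.9.9", "tcp.dstport": 443},
    {"no": 4, "ip.src": "10.1.7.7", "ip.dst": "10.1.6.2", "tcp.dstport": 1720},
    {"no": 5, "ip.src": "10.1.7.7", "ip.dst": "10.1.9.9", "tcp.dstport": 80},
]

def values(frame, field):
    """ip.addr covers both ip.src and ip.dst, so it yields two values."""
    if field == "ip.addr":
        return [frame["ip.src"], frame["ip.dst"]]
    return [frame[field]]

def eq(field, wanted):
    """field==wanted is true when ANY value of the field equals wanted."""
    return lambda f: any(v == wanted for v in values(f, field))

def and_(a, b):
    return lambda f: a(f) and b(f)

def or_(a, b):
    return lambda f: a(f) or b(f)

def not_(a):
    return lambda f: not a(f)

A, B = "10.1.4.20", "10.1.6.2"
FILTERS = {
    "ip.addr==A": eq("ip.addr", A),
    "ip.addr==A or ip.addr==B": or_(eq("ip.addr", A), eq("ip.addr", B)),
    "ip.addr==A and ip.addr==B": and_(eq("ip.addr", A), eq("ip.addr", B)),
    "ip.src==A": eq("ip.src", A),
    "ip.dst==A": eq("ip.dst", A),
    "tcp.dstport==1720": eq("tcp.dstport", 1720),
    "!(ip.addr==A)": not_(eq("ip.addr", A)),
}

def run_all():
    """Return {filter text: [frame numbers that the filter keeps]}."""
    return {name: [f["no"] for f in FRAMES if pred(f)]
            for name, pred in FILTERS.items()}

if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name:28} keeps frames {hits}")
```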