What is Wireshark?
Wireshark is a networking packet capturing and analyzing tool. It is an open source tool. There are other networking tools but Wireshark is one of the strongest tools among them. Wireshark can be run in Windows, Linux, MAC etc operating system also.
How Wireshark looks like?
Here is the picture of Wireshark version 2.6.3 in Windows10. Wireshark GUI can be changed depending on Wireshark version.
Where to put filter in Wireshark?
Look at the marked place in Wireshark where you can put display filter.
How to put IP addresses Display filter in Wireshark?
There are different ways you can use display IP filter.
- Source IP address:
Suppose you are interested in packets from a particular source IP address. So you can use display filter as below.
Then you need to press enter or apply to get the effect of the display filter.
Check the below picture for scenario
- Destination IP address :
Suppose you are interested in packets which are destining to a particular IP address. So you can use display filter as below.
Then you need to press enter or apply to get the effect of the display filter.
Check the below picture for scenario
- Just IP address:
Suppose you are interested in packets which has particular IP address. That IP address is either Source or Destination IP address. So you can use display filter as below.
Then you need to press enter or apply [For some older Wireshark version] to get the effect of the display filter.
Check the below picture for scenario
So when you put filter as “ip.addr == 192.168.1.199” then Wireshark will display every packet where Source ip == 192.168.1.199 or Destination ip == 192.168.1.199.
In another way you write filter like below also
See below screenshot for above display filter
Note:
- Make sure the display filter background is green when you enter any filter otherwise the filter is invalid.
Here is screenshot of valid filter.
Here is the screenshot for invalid filter.
- You can do multiple IP filtering based on logical conditions [ || , && ]
OR condition:
AND condition:
How to put IP addresses capture filter in Wireshark?
Follow below screenshots to put capture filter in Wireshark
Note:
- Like display filter capture filter also considered as valid if background is green.
- Do remember display filters are different from capture filter in case of syntax.
Follow this link for valid capture filters
https://wiki.wireshark.org/CaptureFilters
What is relation between Capture filter and Display filter?
If capture filter is set and then Wireshark will capture those packets which matches with capture filter.
For example:
Capture filter is set as below and Wireshark is started.
After Wireshark is stopped we can see only packet from or destined 192.168.1.199 in whole capture. Wireshark did not capture any other packet whose source or destination ip is not 192.168.1.199. Now coming to display filter. Once capturing is completed, we can put display filters to filter out the packets we want to see at that movement.
In another way we can say, Suppose we are asked to buy two types of fruits apple and mango. So here capture filter is mangoes and apples. After you got mangoes [different types] and apples [green, red etc] with you, now you want to see only green apples from all apples. So here green apple is display filter. Now if I ask to you show me orange from the fruits, you cannot show as you did not buy oranges. If you would have bought all types of fruits [Means you would have not put any capture filter] you could have shown me oranges
