All About Testing: Software Testing & Ethical Hacking Fundamentals (https://allabouttesting.org), tutorial feed generated Mon, 14 Nov 2022 17:02:45 +0000

Wireshark: Difference between Capture filters and Display Filters
https://allabouttesting.org/wireshark-difference-between-capture-filters-and-display-filters/
Wed, 04 Oct 2017 15:59:14 +0000

The post Wireshark: Difference between Capture filters and Display Filters first appeared on All About Testing.

Wireshark is a network protocol analyzer: it captures packets from a network interface (or reads them from a capture file) and dissects them so you can inspect the traffic protocol by protocol. For background, see the Basic Tutorial on Wireshark (https://allabouttesting.org/wireshark-basic-tutorial/).

Capture filters: A capture filter is set before you start capturing and cannot be changed while the capture is running. It uses the BPF (Berkeley Packet Filter) syntax shared with tcpdump and is applied by the capture engine (libpcap or Npcap, via dumpcap) as each packet arrives: a packet that does not match is dropped and never reaches the capture file. Use a capture filter to record only the traffic you are interested in, which keeps captures small, but remember that anything it excludes cannot be recovered afterwards.

Example:

Capture only traffic to or from IP address 172.18.5.4:

host 172.18.5.4

Capture traffic to or from any address in the 192.168.0.0/24 network:

net 192.168.0.0/24

Display Filters: A display filter reduces which packets are shown in the packet list. It can be changed at any time, including while a capture is running, and it uses Wireshark's own field-based syntax (lowercase protocol and field names such as ip.addr, tcp.port or http.request), which is different from the capture filter syntax. Hidden packets remain in the capture, so a display filter lets you focus on a particular protocol or conversation without losing anything.

Example:

Show only SMTP (port 25) and ICMP traffic, that is, packets whose TCP source or destination port is 25, or any ICMP packet (the eq operator is equivalent to ==, and protocol names are written in lowercase):

tcp.port == 25 or icmp

Display only traffic to or from IP address 192.168.0.87 (ip.addr matches either the source or the destination field, so both directions of a conversation are shown):

ip.addr == 192.168.0.87
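To see the difference between the two filter kinds on concrete packets, here is an added example (not code from the original post) that builds a small libpcap capture from constructed sample traffic and applies hand-translated versions of the filter expressions above. The lambdas are a stand-in for the BPF and Wireshark filter engines and cover only the expressions on this page; the addresses, ports, MAC addresses and the output file name filters-demo.pcap are all invented for the example. It also shows the classic ip.addr != pitfall: ip.addr occurs twice per packet, and before Wireshark 4.0 the != operator meant "any occurrence differs", so the negated form !(ip.addr == ...) is the one to use.

```python
"""Constructed libpcap capture plus hand-translated versions of the page's
filter expressions, to show where a capture filter acts (before a packet is
written) versus a display filter (over a capture that already exists).
Added example, not code from the original post; the lambdas stand in for the
BPF and Wireshark filter engines and cover only the expressions on the page."""
import ipaddress
import struct

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}

# Constructed sample traffic, private and TEST-NET addresses only:
# (src, dst, protocol, src_port, dst_port)
SAMPLE = [
    ("172.18.5.4",   "192.168.0.87", "tcp",  51000, 25),     # SMTP request
    ("192.168.0.87", "172.18.5.4",   "tcp",  25,    51000),  # SMTP reply
    ("192.168.0.10", "203.0.113.7",  "icmp", None,  None),   # ICMP echo request
    ("10.0.0.5",     "203.0.113.9",  "tcp",  44321, 443),    # HTTPS SYN
    ("192.168.0.87", "10.0.0.5",     "udp",  53,    60000),  # DNS answer
]

def packet(src, dst, proto, sport, dport):
    """Normalized view of one packet: the fields the filters below look at."""
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "sport": sport, "dport": dport}

def checksum(data):
    """RFC 1071 one's-complement sum (even-length input), for the IPv4 and ICMP headers."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(p):
    """Ethernet II + IPv4 + a minimal L4 header, enough for Wireshark to dissect.
    TCP/UDP checksums are left at 0 (Wireshark does not validate them by default)."""
    if p["proto"] == "icmp":
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)                      # echo request, id 1, seq 1
        l4 = l4[:2] + struct.pack("!H", checksum(l4)) + l4[4:]
    elif p["proto"] == "tcp":
        l4 = struct.pack("!HHIIBBHHH", p["sport"], p["dport"], 1, 0,   # seq 1, ack 0
                         5 << 4, 0x02, 8192, 0, 0)                     # offset 5, SYN, window 8192
    else:
        l4 = struct.pack("!HHHH", p["sport"], p["dport"], 8, 0)        # empty UDP datagram
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64,
                      PROTO_NUM[p["proto"]], 0, p["src"].packed, p["dst"].packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]       # fill in IPv4 checksum
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")          # dst MAC, src MAC, IPv4
    return eth + hdr + l4

def write_pcap(packets):
    """Serialize frames as a classic libpcap file: magic 0xa1b2c3d4, LINKTYPE_ETHERNET (1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(packets):
        frame = build_frame(p)
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

HOST = ipaddress.ip_address("172.18.5.4")
NET = ipaddress.ip_network("192.168.0.0/24")
ADDR = ipaddress.ip_address("192.168.0.87")

# Capture filters (BPF syntax): libpcap evaluates these before a packet is written.
CAPTURE_FILTERS = {
    "host 172.18.5.4":    lambda p: HOST in (p["src"], p["dst"]),
    "net 192.168.0.0/24": lambda p: p["src"] in NET or p["dst"] in NET,
}
# Display filters (Wireshark field syntax): evaluated over the recorded packets.
DISPLAY_FILTERS = {
    "tcp.port == 25 or icmp": lambda p: ((p["proto"] == "tcp" and 25 in (p["sport"], p["dport"]))
                                         or p["proto"] == "icmp"),
    "ip.addr == 192.168.0.87": lambda p: ADDR in (p["src"], p["dst"]),
    # ip.addr occurs twice per packet (source and destination).  Before Wireshark 4.0
    # "!=" meant "any occurrence differs", which is true for almost every packet:
    "ip.addr != 192.168.0.87": lambda p: p["src"] != ADDR or p["dst"] != ADDR,
    # The unambiguous form, which means the same thing in every version:
    "!(ip.addr == 192.168.0.87)": lambda p: ADDR not in (p["src"], p["dst"]),
}

def capture(packets, expr):
    """What ends up in the capture file: non-matching packets are never recorded."""
    return [p for p in packets if CAPTURE_FILTERS[expr](p)]

def display(packets, expr):
    """What the packet list shows: hidden packets stay in the file."""
    return [p for p in packets if DISPLAY_FILTERS[expr](p)]

def capture_then_display(packets, cap_expr, disp_expr):
    """A display filter can only find what the capture filter let through."""
    return display(capture(packets, cap_expr), disp_expr)

ALL = [packet(*row) for row in SAMPLE]

if __name__ == "__main__":
    with open("filters-demo.pcap", "wb") as f:             # open this file in Wireshark
        f.write(write_pcap(ALL))
    for expr in CAPTURE_FILTERS:
        print(f"capture  {expr:28} -> {len(capture(ALL, expr))} of {len(ALL)} packets recorded")
    for expr in DISPLAY_FILTERS:
        print(f"display  {expr:28} -> {len(display(ALL, expr))} of {len(ALL)} packets shown")
    n = len(capture_then_display(ALL, "host 172.18.5.4", "tcp.port == 25 or icmp"))
    print(f"capture 'host 172.18.5.4', then display 'tcp.port == 25 or icmp' -> {n} "
          "(the ICMP packet was never recorded)")
```

Open filters-demo.pcap in Wireshark and type the display filter expressions into the filter bar to confirm the counts; the capture filters can be checked with tshark, which takes a capture filter with -f (for example `tshark -i eth0 -f "host 172.18.5.4" -w smtp.pcap`) and a display filter with -Y (`tshark -r filters-demo.pcap -Y "tcp.port == 25 or icmp"`). The last line of the output is the point of the post: once `host 172.18.5.4` has been used as a capture filter, no display filter will ever show the ICMP packet, because it was never written to the file.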

Wireshark: Basic Tutorial
https://allabouttesting.org/wireshark-basic-tutorial/
Wed, 04 Oct 2017 15:48:33 +0000

The post Wireshark: Basic Tutorial first appeared on All About Testing.

Wireshark is a network protocol analyzer that runs on your desktop: it sniffs traffic from a network interface and provides a GUI for inspecting the captured packets. It runs on Windows, macOS, Linux and other UNIX-like systems, and is used by network engineers, security analysts, developers and educators to learn network protocols and troubleshoot traffic on a network. It is free and open source, released under the GNU General Public License version 2, and is available from the official website.

tshark is the command-line counterpart of Wireshark, for users who prefer a terminal. It uses the same dissectors and the same capture and display filter syntax, so it can do the same capturing and filtering in scripts and on headless servers.

It is a good example of disruptive technology in the field of networking. A disruptive technology is an innovation that creates a new market and displaces the established players in that field.

Download Link: https://www.wireshark.org/#download

Basic User Interface

Main features of Wireshark

  • Deep packet inspection of hundreds of protocols
  • Live capture and offline analysis
  • Runs on Windows, Linux, macOS, Solaris, and many others (multi-platform)
  • Available as a GUI (Wireshark) and as a command-line tool (tshark)
  • Capture and display filters to isolate the traffic of interest
  • Output can be exported to XML, PostScript, CSV, or plain text
  • Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, and many others
  • Capture files compressed with gzip can be decompressed on the fly
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
  • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2, provided you supply the key material (for TLS, session secrets from an SSLKEYLOGFILE or the server's RSA private key for non-forward-secret cipher suites; for WPA/WPA2, the passphrase plus a captured four-way handshake)
  • Coloring rules to make problems stand out in the packet list

Conclusion

Wireshark is an excellent network analyzer for understanding and troubleshooting network traffic, and a one-stop tool for diagnosing problems in a network. If you want a command-line equivalent, use tshark.

tcpdump is another command-line packet capture tool. It shares the BPF capture filter syntax with Wireshark, and the captures it writes (libpcap format) can be opened directly in Wireshark for deeper analysis.
