A Wireshark capture filter does more than reduce traffic: it discards packets before they ever reach Wireshark's display filter, saving memory and CPU on the capturing machine.
Let’s see this in action. Imagine you’re troubleshooting a specific web server at 192.168.1.100 on your local network. You want to see only the HTTP (port 80) and HTTPS (port 443) traffic going to or from this machine.
First, fire up Wireshark, go to the capture interfaces, and in the "Capture Filter" box (usually near the top), you’d type:
host 192.168.1.100 and (port 80 or port 443)
Now, start your capture. As you browse to http://192.168.1.100 or https://192.168.1.100 from another machine, or even if 192.168.1.100 is making requests, you’ll see only packets where either the source or destination IP address is 192.168.1.100 AND the source or destination port is either 80 or 443. You won’t see ARP requests, DNS lookups, or traffic to any other machine, even if it’s on the same network segment.
This filter uses Berkeley Packet Filter (BPF) syntax, the language Wireshark (and tcpdump) uses for its capture filters. The capture library (libpcap, or Npcap on Windows) compiles the expression into a small filter program that the kernel's capture driver runs against every packet, which is why a capture filter costs so little even on a busy link.
The fundamental building blocks are primitives: a number, a name, or certain special operators, preceded by one or more qualifiers (as in src host 192.168.1.100). Qualifiers specify the type of a primitive, its direction, or the protocol it applies to.
Common primitives include:
- host: Matches a specific IP address.
- net: Matches an entire network.
- port: Matches a specific port number.
- proto: Matches a specific protocol, written as the bare protocol name (e.g., tcp, udp, icmp, arp).
Qualifiers refine these primitives:
- src: Matches if the primitive is in the source field.
- dst: Matches if the primitive is in the destination field.
- ip: Qualifies a primitive to be only IPv4.
- arp: Qualifies a primitive to be only ARP.
Combining these creates powerful filters. To see all traffic originating from 192.168.1.100, you’d use src host 192.168.1.100. To see all traffic destined for port 53 (DNS), you’d use dst port 53.
You can combine primitives using logical operators:
- and (or &&): Both conditions must be true.
- or (or ||): Either condition can be true.
- not (or !): Negates the following condition.
Parentheses () are used to group expressions, just like in mathematics, and are essential for controlling the order of operations. For example, host 192.168.1.100 and port 80 or port 443 would actually mean "traffic to or from 192.168.1.100 AND port 80, OR any traffic on port 443." This is probably not what you want. The correct way, as shown earlier, is host 192.168.1.100 and (port 80 or port 443).
Let’s break down another common scenario: troubleshooting a slow connection to a remote server, say example.com (which resolves to 93.184.216.34) over SSH (port 22). You want to capture only TCP traffic to or from this server on port 22.
The filter would be: tcp and host 93.184.216.34 and port 22
This filter specifies three conditions that must all be met: the protocol must be TCP, the source or destination IP must be 93.184.216.34, and the source or destination port must be 22.
If you wanted to see only traffic from your machine (192.168.1.50) to that server, you’d refine it: tcp and src host 192.168.1.50 and dst host 93.184.216.34 and dst port 22.
It’s crucial to understand that capture filters are applied before the packets are passed to Wireshark’s display filter engine. This means that if you apply a capture filter, Wireshark will never even see the packets that the capture filter discards. This is a significant performance advantage, especially on busy networks.
One common pitfall is using display filter syntax in the capture filter box. For instance, ip.addr == 192.168.1.100 is a valid Wireshark display filter, but it will not work as a capture filter. Capture filters use the BPF syntax. Wireshark checks the capture filter as you type: the box turns green when the expression compiles and red when it does not, so a red box before you start capturing is the sign that you have mixed up the two syntaxes.
The final thing to remember is that precedence rules, not simple left-to-right reading, decide how a filter is grouped. not has the highest precedence. and and or do not rank above one another: pcap-filter(7) documents them at equal precedence, grouping left to right, so port 443 or host 192.168.1.100 and port 80 means "(port 443 or host 192.168.1.100) and port 80". This is why host 192.168.1.100 and not port 22 correctly shows all traffic to/from 192.168.1.100 except for traffic on port 22, and why any filter that mixes and with or should be parenthesized, as in the examples above.
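To make the grouping rules concrete, here is an added example (not code from the original article or from Wireshark) that compiles the filter subset used in this article into a predicate and runs it over a few constructed packet records in PACKETS; it follows the pcap-filter(7) rule that not binds tightest while and and or share one precedence level and group left to right, and it rejects a display-filter expression such as ip.addr == 192.168.1.100 the way the capture filter box would.

```python
import re

# Constructed sample packets (not from a real capture): protocol, addresses, ports.
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.50", "dst": "192.168.1.100", "sport": 51000, "dport": 80},
    {"proto": "tcp", "src": "192.168.1.100", "dst": "192.168.1.50", "sport": 443, "dport": 51001},
    {"proto": "udp", "src": "192.168.1.50", "dst": "192.168.1.1", "sport": 52000, "dport": 53},
    {"proto": "tcp", "src": "192.168.1.50", "dst": "10.0.0.9", "sport": 52001, "dport": 443},
    {"proto": "tcp", "src": "192.168.1.50", "dst": "192.168.1.100", "sport": 52002, "dport": 22},
]

def compile_filter(expr):
    """Compile a subset of BPF capture filter syntax into a predicate on a packet dict:
    [src|dst] host A, [src|dst] port N, bare tcp/udp/icmp/arp, not/!, and/&&, or/||, parens.
    Per pcap-filter(7), 'not' binds tightest; 'and'/'or' share one level, left to right."""
    toks = re.findall(r"\(|\)|[^\s()]+", expr)   # parentheses become their own tokens

    def expr_rule():                 # unary ((and|or) unary)*, grouped left to right
        left = unary_rule()
        while toks and toks[0] in ("and", "&&", "or", "||"):
            conj, l, r = toks.pop(0) in ("and", "&&"), left, unary_rule()
            left = lambda p, l=l, r=r, conj=conj: l(p) and r(p) if conj else l(p) or r(p)
        return left

    def unary_rule():                # not/!, ( expr ), or a single primitive
        tok = toks.pop(0)
        if tok in ("not", "!"):
            return lambda p, inner=unary_rule(): not inner(p)
        if tok == "(":
            inner = expr_rule()
            if toks.pop(0) != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if tok in ("tcp", "udp", "icmp", "arp"):
            return lambda p, name=tok: p["proto"] == name
        direction, tok = (tok, toks.pop(0)) if tok in ("src", "dst") else (None, tok)
        if tok not in ("host", "port"):   # e.g. display-filter syntax like ip.addr
            raise ValueError(f"unsupported primitive {tok!r}")
        keys = {"host": ("src", "dst"), "port": ("sport", "dport")}[tok]
        if direction:                # src -> first field, dst -> second, else either
            keys = (keys[0 if direction == "src" else 1],)
        want = int(toks.pop(0)) if tok == "port" else toks.pop(0)
        return lambda p: any(p[k] == want for k in keys)

    pred = expr_rule()
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return pred

def select(expr, packets=PACKETS):   # indices of the packets the filter lets through
    pred = compile_filter(expr)
    return [i for i, p in enumerate(packets) if pred(p)]
```

Running select on the parenthesized filter from the start of the article, its unparenthesized variant, and the or-then-and form from the precedence paragraph shows three different packet sets from the same five records.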
Once you’ve mastered these basic filters, you’ll be ready to explore more complex filtering scenarios, like excluding specific protocols or capturing traffic based on VLAN tags.