Hi, is there any simple way to filter out normal traffic? In my case, when I watch a sports video stream for longer than 10 minutes, my computer freezes, and the video freezes too. I want to analyze the traffic captured at that time, but it's too much. I want to filter out the normal traffic (e.g., anti-malware etc.). If I try to do it by manually adding entries in dfilter, it becomes too lengthy.


There's no simple answer here, since it's impossible to define 'normal' traffic. What may be normal traffic in your situation may not be in another, and vice versa.

What you can do though is look into using capture filters instead of display filters. Even though their options aren't as extensive as display filters, they do keep unwanted traffic out of your capture files.

Thanks Jaap for the reply. I was wondering if there is already some script or program which studies traffic from/to a device and forms a "normal traffic" profile for that device. When we see a problem with that device, we refer to the "normal traffic" and see the difference; the difference may be traffic to/from unknown IPs or too much/too little traffic to known IPs. Maybe I am thinking too far.

Baselining your network is what it's called. It is a very helpful technique for finding anomalies. It requires a higher-level view of your network, for which other types of (aggregation) tools come into play. Afterwards you drill down to the network packet level (with Wireshark, for instance) to look at the details.
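As an added illustration of the baselining idea discussed in this thread (example code written for this page, not a script from Wireshark or from either poster): the block below sums bytes per remote IP over fixed-length windows of "known good" traffic, records a mean and standard deviation per peer, and then compares one capture window against that baseline. It reports the kinds of differences the question asks about: peers that never appeared during the baseline period, peers whose volume is far above or below their usual level, and expected peers that have gone silent. The input format, `(timestamp_seconds, remote_ip, bytes)` flow records as you might export from Wireshark's conversation statistics, is an assumption; the flow records, IP addresses (documentation ranges) and thresholds are all constructed sample data.

```python
"""Per-device traffic baseline and anomaly comparison (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "normal" traffic for one device: three 600-second windows.
# Each record is (timestamp_seconds, remote_ip, bytes). Assumed to come from
# a conversation/flow export; the values here are made up for the example.
BASELINE_FLOWS = [
    # window 0 (0-599 s): video CDN, anti-malware update server, DNS resolver
    (10, "203.0.113.10", 30_000_000), (40, "203.0.113.10", 18_000_000),
    (20, "198.51.100.5", 200_000), (30, "192.0.2.44", 3_000),
    # window 1 (600-1199 s)
    (610, "203.0.113.10", 52_000_000), (620, "198.51.100.5", 250_000), (630, "192.0.2.44", 3_000),
    # window 2 (1200-1799 s)
    (1210, "203.0.113.10", 50_000_000), (1220, "198.51.100.5", 150_000), (1230, "192.0.2.44", 3_000),
]

# Constructed capture window taken while the problem was occurring.
FREEZE_WINDOW_FLOWS = [
    (2405, "203.0.113.10", 49_000_000),   # video stream at its usual rate
    (2410, "198.51.100.5", 900_000),      # update server sending far more than usual
    (2420, "192.0.2.44", 3_200),          # DNS, within normal range
    (2430, "203.0.113.99", 8_000_000),    # peer never seen during the baseline period
]


def bytes_per_window(flows, window_seconds):
    """Sum bytes per (window_index, remote_ip); windows are fixed-length time buckets."""
    totals = defaultdict(int)
    for ts, ip, nbytes in flows:
        totals[(int(ts // window_seconds), ip)] += nbytes
    return totals


def build_baseline(flows, window_seconds=600):
    """Return {remote_ip: (mean_bytes_per_window, stdev_bytes_per_window)}.

    A peer absent from a window counts as 0 bytes for that window, so the
    baseline also captures how regularly a peer is expected to show up.
    """
    totals = bytes_per_window(flows, window_seconds)
    n_windows = max(w for w, _ in totals) + 1
    per_ip = defaultdict(lambda: [0] * n_windows)
    for (w, ip), nbytes in totals.items():
        per_ip[ip][w] = nbytes
    return {ip: (mean(series), pstdev(series)) for ip, series in per_ip.items()}


def find_anomalies(flows, baseline, k=3.0, min_floor=1_000):
    """Compare one window of flows against the baseline.

    Returns a list of (remote_ip, reason, observed_bytes), sorted by IP for the
    peers seen in the window, followed by expected peers that are missing.
    """
    totals = defaultdict(int)
    for _, ip, nbytes in flows:
        totals[ip] += nbytes

    findings = []
    for ip, observed in sorted(totals.items()):
        if ip not in baseline:
            findings.append((ip, "unknown peer", observed))
            continue
        mu, sigma = baseline[ip]
        # A floor keeps a very tight baseline (sigma near 0) from flagging trivial jitter.
        tolerance = max(k * sigma, min_floor)
        if observed > mu + tolerance:
            findings.append((ip, "volume above baseline", observed))
        elif observed < mu - tolerance:
            findings.append((ip, "volume below baseline", observed))

    # Peers that were consistently present during the baseline but are absent now.
    for ip, (mu, sigma) in baseline.items():
        if ip not in totals and mu - max(k * sigma, min_floor) > 0:
            findings.append((ip, "expected peer missing", 0))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for ip, reason, observed in find_anomalies(FREEZE_WINDOW_FLOWS, baseline):
        print(f"{ip:15} {reason:25} {observed:>12,} bytes")
```

Once a peer or a volume change is flagged this way, a display filter such as `ip.addr == 203.0.113.99` narrows the full capture to just that conversation, which is the "drill down with Wireshark" step Jaap describes. The per-window aggregation is also where a capture filter helps: capturing only the device's own traffic keeps the baseline files small enough to keep for weeks.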

