Trying to do a just a basic filter and when I enter or add it the display remains highlighted in red Basically want to monitor a specific IP address. In older version I just went to toolbar, capture , options, and use "Host 172.16.10.202". Cannot see what has changed and why it would not accept.
There are two types of filters in Wireshark - capture filters and display filters.
Capture filters are implemented by the software that Wireshark uses to capture network traffic, namely the libpcap/WinPcap/Npcap library and the kernel-mode code they run on top of. This is the syntax that those libraries implement for filters; this describes the filter of current versions of libpcap - older versions may not support all those features, and WinPcap is built on an older version of libpcap that doesn't support all those features.
Those filters can be specified as a parameter when capturing network traffic in Wireshark.
Display filters are implemented by Wireshark; they can perform complex tests on any "named field" in any protocol supported by Wireshark. This is the syntax that Wireshark implements for filters; it is not the same syntax that libpcap/WinPcap/Npcap implements.
Those filters can be specified to control which of the captured packets that Wireshark has read in will be displayed.
The libpcap/WInPcap/Npcap syntax is older than Wireshark, even when Wireshark was still called Ethereal; it doesn't support the notion of arbitrary named fields, so it wasn't a syntax that could be used for Wireshark's filtering.
Whether host 172.16.10.202, which is a capture filter, or ip.addr == 172.16.10.202, which is a display filter, is accepted as a filter depends only on where you specify the filter. Capture filters can be specified in the "Enter a capture filter" box underneath "Capture" on the Wireshark main screen and in the "Capture filter for selected interfaces" box in the "Input" tab of the "Capture Options" dialog. Display filters can be specified in the "Apply a display filter" box at the top of the main window, below the toolbar.
Asked: 2018-06-01 16:47:04 +0000
Seen: 5,340 times
Last updated: Jun 01 '18
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
Have you selected an interface, and can you capture from it without a capture filter? The reason to check is that access to the interface is needed to determine the link layer type to properly interpret the capture filter expression.
Thank you for commenting! I had some help with another employee and found out that I was not running in administrator mode so it was not showing my Ethernet ports. Once we restarted in administrator mode I was able to find Ethernet port. I see that it no longer accepts Host 172.16.10.202 so I used "ip.addr == 172.16.10.202". Only see the traffic in on direction though. Now need to find out how to get both traffic to and from an IP address.
I was not running in administrator mode so it was not showing my Ethernet ports. Once we restarted in administrator mode I was able to find Ethernet port. I see that it no longer accepts Host 172.16.10.202 so I used "ip.addr == 172.16.10.202". Just need to find out how to get traffic in both directions.