This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter on HW Level

0

I'm using Wireshark for my project and I need support to filter packets from HW level. Basically, I'm getting a lot of packets and I would like to filter some useless packets captured on my interface. Could you please give me a hand?

Thanks/ Alexis

asked 30 Apr '12, 07:39

Alexis
6114
accept rate: 0%

edited 30 Apr '12, 07:42


2 Answers:

1

As already mentioned, please use capture filters: http://wiki.wireshark.org/CaptureFilters

To give you just some idea:

port 443 -> filter on TCP/UDP port 443
host 1.1.1.1 -> filter on IP addr 1.1.1.1

Some "lower level" filter

not proto 6 -> don't capture IP protocol 6 (tcp)
proto 17 -> capture only IP protocol 17 (udp)
not ether proto 0x0806 -> don't capture ARP

Even "lower level" filter ;-)

'tcp[tcpflags] & tcp-syn != 0' -> capture all packets with the SYN flag set (SYN and SYN/ACK!!).

Check the various tutorials for more filter options and/or the man page of tcpdump.

Regards
Kurt

answered 30 Apr '12, 09:08

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 30 Apr '12, 09:10
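
What the "lower level" filters in the answer above actually test, as an added Python example (not part of the original answer and not Wireshark or libpcap code): the same byte-offset checks applied to constructed frames. The helper names and sample frames are assumptions; it handles IPv4 only and ignores fragments.

```python
import struct

ETH_IPV4, ETH_ARP, TCP_SYN = 0x0800, 0x0806, 0x02   # tcp-syn == 0x02

def build_frame(ethertype, proto=0, tcp_flags=0, dport=0):
    """Constructed Ethernet frame with zeroed MACs and checksums."""
    eth = bytes(12) + struct.pack("!H", ethertype)
    if ethertype != ETH_IPV4:
        return eth + bytes(28)                       # ARP-sized body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    if proto == 6:                                   # TCP: flags are byte 13
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, tcp_flags, 0, 0, 0)
    else:                                            # UDP header plus padding
        l4 = struct.pack("!HHHH", 40000, dport, 20, 0) + bytes(12)
    return eth + ip + l4

def ether_type(frame):
    return struct.unpack("!H", frame[12:14])[0]

def ip_proto(frame):
    """IP protocol number (byte 9 of the IPv4 header), None if not IPv4."""
    return frame[14 + 9] if ether_type(frame) == ETH_IPV4 else None

def not_arp(frame):        # not ether proto 0x0806
    return ether_type(frame) != ETH_ARP

def proto_17(frame):       # proto 17
    return ip_proto(frame) == 17

def tcp_syn(frame):        # tcp[tcpflags] & tcp-syn != 0
    if ip_proto(frame) != 6:
        return False
    ihl = (frame[14] & 0x0F) * 4                     # IPv4 header length
    return (frame[14 + ihl + 13] & TCP_SYN) != 0

SAMPLES = {                # constructed frames, not from a real capture
    "arp": build_frame(ETH_ARP),
    "udp_dns": build_frame(ETH_IPV4, 17, dport=53),
    "tcp_syn": build_frame(ETH_IPV4, 6, 0x02, 443),
    "tcp_synack": build_frame(ETH_IPV4, 6, 0x12, 443),
    "tcp_ack": build_frame(ETH_IPV4, 6, 0x10, 443),
}

def kept(predicate):
    """Names of the sample frames a filter would let through."""
    return [name for name, frame in SAMPLES.items() if predicate(frame)]

if __name__ == "__main__":
    for text, fn in (("not ether proto 0x0806", not_arp), ("proto 17", proto_17),
                     ("tcp[tcpflags] & tcp-syn != 0", tcp_syn)):
        print(f"{text!r:35} keeps {kept(fn)}")
```

The SYN check keeps both the SYN and the SYN/ACK frame because it only tests one bit of the flags byte.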

1

You should take a look at capture filters. If you open the capture options dialog you'll see an input field where you can specify capture filters. The syntax is that of tcpdump, and a few examples can be found in the capture filter list that you can open with the button next to the capture filter input field.

answered 30 Apr '12, 07:44

Jasper ♦♦
23.8k551284
accept rate: 18%

Basically, I need to filter only some packets. This should be done before any packet is gathered from the interface. The logic is to reduce the volume captured in my storage space. Any idea?

(30 Apr '12, 09:04) Alexis

What do you mean by "this should be done before any packet is gathered from the interface"? Why does it matter when the filtering is done, as long as the packets don't reach Wireshark (or whatever program is being used)? Filtering with a capture filter can be done with existing software and hardware; filtering packets inside the network adapter itself will probably require specialized hardware that your machine probably doesn't have, and software to support that hardware.

(30 Apr '12, 09:29) Guy Harris ♦♦

I mean filtering while capturing.

(30 Apr '12, 12:06) Alexis

OK, then try a capture filter, as Jasper and Kurt suggested.

(30 Apr '12, 12:36) Guy Harris ♦♦