Introduction

In the first and second chapters, we talked about how to install Wireshark, how to configure it for basic and smart operations, and where to locate it on the network. In this chapter and the next one, we will talk about capture filters and display filters.

It is important to distinguish between these two types of filters:

  • Capture filters are configured before we start to capture data, so only data that is approved by the filters will be captured. All other data will be lost. These filters are described in this chapter.
  • Display filters are filters that filter data after it has been captured. In this case, all data is captured and you configure what data you wish to display. These filters are described in the next chapter.

Capture filters are based on the tcpdump syntax defined by the libpcap/WinPcap library, whereas the display filter syntax was introduced by Wireshark some years later. Therefore, keep in mind that capture filters and display filters have different syntaxes!

In some cases, you need to configure Wireshark to capture only a part of the data that it sees over the interface:

  • When there is a large amount of data running over the monitored link and you want to capture only the data you care about
  • When you want to capture data only going into and out of a specific server on a VLAN that you monitor
  • When you want to capture data only from a specific application or applications (for example, you suspect that there is a DNS problem in the network and you want to analyze only DNS queries and responses to and from the internet)

There are many other cases where you want to capture only specific data and not everything that runs on your network. When using the capture filters, only predefined data will be captured and all other packets will be ignored, so you will get only the desired data.

Be careful when using capture filters. In many cases on a network, there are dependencies between different applications and servers that you are not always aware of; so, when you use Wireshark with capture filters for troubleshooting a network, make sure that you don't filter out connections that matter, because that leads to inaccurate information. A common and simple example is filtering only traffic on TCP port 80 to monitor suspected slow HTTP responses, while the real problem could be a slow or non-responsive DNS server that is not easily noticeable.
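To make this pitfall concrete, here is an added Python illustration (not Wireshark or libpcap code): a minimal packet matcher that mimics the capture filters `tcp port 80` and `tcp port 80 or udp port 53` on three constructed frames, showing that the first keeps the HTTP packet but silently drops the whole DNS exchange. The frames, addresses and ports are made up for the example.

```python
import struct

# Constructed sample frames (not captured traffic): Ethernet II + IPv4 + TCP/UDP
# headers with no payload; checksums are left zero because a port filter never
# inspects them.
def _ipv4_frame(proto, src, dst, sport, dport):
    eth = b"\x00" * 12 + b"\x08\x00"                     # dst/src MAC, EtherType IPv4
    if proto == 6:                                       # TCP SYN: seq=1, flags=0x02
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)
    else:                                                # UDP: length 8, checksum 0
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(src), bytes(dst))
    return eth + ip + l4

SAMPLE = [
    _ipv4_frame(17, (10, 0, 0, 5), (10, 0, 0, 53), 51000, 53),      # DNS query
    _ipv4_frame(17, (10, 0, 0, 53), (10, 0, 0, 5), 53, 51000),      # DNS response
    _ipv4_frame(6, (10, 0, 0, 5), (192, 0, 2, 80), 40000, 80),      # HTTP SYN
]

def _ports(frame):
    """Return (ip_proto, src_port, dst_port), or None for non-IPv4/non-TCP-UDP frames."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4                         # IPv4 header length in bytes
    proto = frame[14 + 9]
    l4 = frame[14 + ihl:]
    if proto not in (6, 17) or len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return proto, sport, dport

def tcp_port_80(frame):
    """Mimics the capture filter 'tcp port 80' (matches either direction)."""
    p = _ports(frame)
    return p is not None and p[0] == 6 and 80 in p[1:]

def tcp_port_80_or_udp_port_53(frame):
    """Mimics the capture filter 'tcp port 80 or udp port 53'."""
    p = _ports(frame)
    return p is not None and ((p[0] == 6 and 80 in p[1:]) or
                              (p[0] == 17 and 53 in p[1:]))

def apply_capture_filter(frames, predicate):
    """Keep only frames the predicate accepts; everything else is lost, as in a real capture."""
    return [f for f in frames if predicate(f)]

if __name__ == "__main__":
    print(len(apply_capture_filter(SAMPLE, tcp_port_80)), "of", len(SAMPLE), "kept by 'tcp port 80'")
    print(len(apply_capture_filter(SAMPLE, tcp_port_80_or_udp_port_53)), "of", len(SAMPLE),
          "kept by 'tcp port 80 or udp port 53'")
```

With the narrow filter, the slow DNS lookup that precedes the HTTP request never reaches the capture file, so the trace would suggest the web server is slow when it is not.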

In this chapter, we will describe how to configure simple, structured, byte offset and payload matching capture filters.