I'm using Wireshark for my project and I need support to filter packets at the HW level. Basically, I'm getting a lot of packets and I would like to filter some useless packets captured on my interface. Could you please give me a hand? Thanks/ Alexis asked 30 Apr '12, 07:39 Alexis edited 30 Apr '12, 07:42
2 Answers:
As already mentioned, please use capture filters: http://wiki.wireshark.org/CaptureFilters
To give you just some idea:
port 443 -> filter on TCP/UDP port 443
Some "lower level" filter:
not proto 6 -> don't capture IP protocol 6 (tcp)
Even "lower level" filter ;-)
'tcp[tcpflags] & tcp-syn != 0' -> capture all packets with the SYN flag set (SYN and SYN/ACK!!).
Check the various tutorials for more filter options and/or the man page of tcpdump.
Regards
answered 30 Apr '12, 09:08 Kurt Knochner ♦ edited 30 Apr '12, 09:10
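To make concrete what those three capture filters actually test, here is an added Python example (not from this thread, and not Wireshark or tcpdump code) that reads the same fixed byte offsets a BPF capture filter reads, over constructed IPv4 frames, and reports which frames each filter would let a capture tool write to disk. The frames, the IPv4-only simplification and the helper names are my own assumptions.

```python
import struct

TCP, UDP, SYN, ACK = 6, 17, 0x02, 0x10

# Constructed sample frames: Ethernet II + IPv4 + TCP/UDP (no real capture involved).
def _frame(proto, sport, dport, tcp_flags=0):
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
          if proto == TCP else struct.pack("!HHHH", sport, dport, 8, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4

def parse(frame):
    """Return (ip_proto, sport, dport, tcp_flags), read at fixed offsets the way BPF does.
    Simplification: IPv4 only; anything else is treated as a miss for all three filters."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]                                   # 'proto N' tests this one byte
    l4 = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])             # 'port N' tests these two fields
    flags = l4[13] if proto == TCP else None                # tcp[tcpflags] is TCP header byte 13
    return proto, sport, dport, flags

def port_443(frame):          # capture filter: port 443
    p = parse(frame)
    return p is not None and p[0] in (TCP, UDP) and 443 in (p[1], p[2])

def not_proto_6(frame):       # capture filter: not proto 6
    p = parse(frame)
    return p is None or p[0] != TCP

def tcp_syn_set(frame):       # capture filter: tcp[tcpflags] & tcp-syn != 0
    p = parse(frame)
    return p is not None and p[0] == TCP and (p[3] & SYN) != 0

FRAMES = {                     # constructed traffic mix: one handshake, one ACK, one DNS query
    "syn_to_443": _frame(TCP, 51000, 443, SYN),
    "synack_from_443": _frame(TCP, 443, 51000, SYN | ACK),
    "ack_to_80": _frame(TCP, 51001, 80, ACK),
    "dns_udp": _frame(UDP, 51002, 53),
}

def keep(filter_fn):
    """Names of the frames the given capture filter would keep; everything else is dropped
    before it reaches the capture file, which is where the storage saving comes from."""
    return sorted(name for name, frame in FRAMES.items() if filter_fn(frame))
```

Note that the SYN filter keeps both the client SYN and the server SYN/ACK, exactly as the answer warns.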
You should take a look at capture filters. If you open the capture options dialog you'll see an input field where you can specify capture filters. The syntax is that of tcpdump, and a few examples can be found in the capture filter list that you can open with the button next to the capture filter input field. answered 30 Apr '12, 07:44 Jasper ♦♦
Basically, I need to filter only some packets. This should be done before any packet is gathered from the interface. The logic is to reduce the volume of captured data in my storage space. Any idea?
What do you mean by "this should be done before any packet is gathered from the interface"? Why does it matter when the filtering is done, as long as the packets don't reach Wireshark (or whatever program is being used)? Filtering with a capture filter can be done with existing software and hardware; filtering packets inside the network adapter itself will probably require specialized hardware that your machine probably doesn't have, and software to support that hardware.
I mean filtering while capturing.
OK, then try a capture filter, as Jasper and Kurt suggested.