This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture Filters under Windows 2008 Server

0

I recently updated to Wireshark 1.8.5 and now I cannot get a capture filter to work.

I go to Capture -> Capture Filters and select a saved filter (host xxx.xxx.xxx.xxx) and click OK. When I try to start the capture, it captures all packets on the interface.

I have tried double clicking on the Capture Filter name in the dialog box. I have also tried to apply while a current capture is in process and when the capture is stopped - all to no avail.

The help documents for capture filters are not very clear on how to actually start a capture with a filter applied.

Do you have any suggestion?

asked 15 Feb '13, 06:56

EagleTRL57
accept rate: 0%


One Answer:

1

Capture > Capture Filters takes you to a dialog for adding, editing, deleting, and saving capture filters, not applying capture filters. In fact, when I do this with the 1.8.5 PortableApps version, there is no "Ok" to click on, only Save or Cancel.

To apply a capture filter, go to Capture > Options, double-click the interface you're going to capture on, and then enter your capture filter in the Capture Filter field. If you want to select a saved filter, you can click on the Capture Filter button to the left of the capture filter input area.

When your capture filter has been entered and the syntax is correct (green background), click OK. On the Capture Options dialog, make sure the interface is selected (the checkbox in the "Capture" column is checked) and click Start.

You cannot apply a capture filter during a running capture, only while capturing is stopped.

answered 15 Feb '13, 08:40

Jim Aragon
accept rate: 24%

Got it - thanks! I am not sure how I managed to get the filters applied before, but I don't remember doing those steps.

(15 Feb '13, 08:59) EagleTRL57

The capture dialog changed in 1.8.x to allow capturing from multiple interfaces.

(15 Feb '13, 09:03) grahamb ♦