This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TShark Capture Filters

0

Is it possible to set a Capture Filter for a specific MAC address destination and for only frames that contain HTTP data?

When I try the filter "-f wlan.da==XX:XX:XX:XX:XX:XX" tshark returns the error "Invalid capture filter "wlan.da==68:9C:70:28:FF:C0" for interface".

This works as a Display Filter. Is there an advantage to a Capture Filter over a Display Filter?

I haven't been able to find anything for the HTTP Data filter.

Any suggestions?

asked 05 Nov '14, 09:57

EdDickens


One Answer:

1

Is it possible to set a Capture Filter for a specific MAC address destination and for only frames that contain HTTP data?

No, but

wlan dst 68:9C:70:28:FF:C0 and tcp port 80

will get you all traffic to or from TCP port 80 and to MAC address 68:9C:70:28:FF:C0. You can add other ports, e.g.

wlan dst 68:9C:70:28:FF:C0 and (tcp port 80 or tcp port 8080 or tcp port 443 or ...)

Is there an advantage to a Capture Filter over a Display Filter?

The packets are discarded very early in the capture process, so that if the network on which you're capturing is a very high-traffic network, you're less likely to drop packets, as the packets deemed un-interesting are discarded before they take up space in the system's packet capture buffer.

answered 05 Nov '14, 21:24

Guy Harris ♦♦

Thanks Guy.

That seems to have done the trick.

(06 Nov '14, 05:32) EdDickens
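
An added example, not part of the original thread: a POSIX shell helper that builds the capture filter from the answer for any destination MAC and port list, rejecting malformed input before it reaches `tshark -f`. The function names are hypothetical; the second function assumes `tshark` is installed and pairs the capture filter with the display filter `http`, since the capture filter alone cannot select only HTTP frames.

```shell
#!/bin/sh
# Added example: build "wlan dst <mac> and (tcp port A or tcp port B ...)".
# Function and variable names are hypothetical, not from the thread.

# Prints the capture filter on stdout; returns 1 if the MAC or a port is invalid.
build_capture_filter() {
    bcf_mac=$1
    shift
    # Allow only hex digits and colons, then require six colon-separated octets.
    case $bcf_mac in
        ''|*[!0-9A-Fa-f:]*) echo "bad MAC address: $bcf_mac" >&2; return 1 ;;
    esac
    printf '%s\n' "$bcf_mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' \
        || { echo "bad MAC address: $bcf_mac" >&2; return 1; }
    [ "$#" -ge 1 ] || { echo "need at least one TCP port" >&2; return 1; }

    bcf_ports=
    for bcf_p in "$@"; do
        # Digits only, no leading zero, at most five characters.
        case $bcf_p in
            ''|0*|*[!0-9]*|??????*) echo "bad port: $bcf_p" >&2; return 1 ;;
        esac
        if [ "$bcf_p" -gt 65535 ]; then
            echo "port out of range: $bcf_p" >&2
            return 1
        fi
        bcf_ports="${bcf_ports:+$bcf_ports or }tcp port $bcf_p"
    done
    # Parenthesise an "or" list so "and" applies to the whole list.
    if [ "$#" -gt 1 ]; then
        bcf_ports="($bcf_ports)"
    fi
    printf 'wlan dst %s and %s\n' "$bcf_mac" "$bcf_ports"
}

# Usage: capture_http_to_mac <interface> <mac> <port>...
# The capture filter (-f) discards frames before they reach the capture
# buffer; the display filter (-Y http) keeps only frames dissected as HTTP.
capture_http_to_mac() {
    chm_iface=$1
    shift
    chm_filter=$(build_capture_filter "$@") || return 1
    tshark -i "$chm_iface" -f "$chm_filter" -Y http
}
```

Passing the placeholder `XX:XX:XX:XX:XX:XX` or a port argument such as `80 or arp` makes the helper return an error instead of handing an altered filter to tshark.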