Hi I'm trying to figure out the generic logic of writing filter expression to be able to write them easily. I found a link that shows its syntax. The link is that : http://openmaniak.com/wireshark_filters.php It shows that expressions always start with protocol name, then (.) dot and one of that protocol's substructure follows. Is it always like this? Are there any more rules to write filter expression that must be followed? Thanks asked 01 Jan '12, 18:24  sawque |
One Answer:
No, it's not quite that simple. The first thing to understand is that there are two kinds of filters in Wireshark: Capture filters and display filters, and they use different syntax. Here's a reference on capture filters from the Wireshark wiki, and another one on display filters. Creating filters in Wireshark is a "learn by doing" thing. I recommend you just jump in and try to create different filters, and then come back here with any specific questions if you have difficulty. I'd start with display filters first, and tackle capture filters second. You really need display filters in order to do meaningful analysis in Wireshark, but you can do without capture filters at first. Also, Google is your friend. There is a lot of information about Wireshark filters on the web. answered 01 Jan '12, 19:43  Jim Aragon |
Other useful links:
display filters
display filter Reference
capture filters
Or watch some videos at YouTube.