Capturing filters

In this section, we'll take a look at how to filter traffic before it's captured with the BPF syntax. So, we'll filter that traffic on the capture interface.

In Wireshark, there are two places to enter a capture filter.

The first one is right on the following main screen. Right in the middle, we have the capture section, and it says, ...using this filter: Enter a capture filter. So, we can actually do that on the main screen. If you enter a capture filter there and start the capture, it will run with that filter applied. You'll also see that there's a green bookmark icon, as shown in the following screenshot. If you hover over that icon, it says Manage saved bookmarks. And if we click on that, there are a number of saved bookmarks that are already built into Wireshark. So, if there's a common function that you want to filter on, it may already be in the list:

But you can also go up to the top and click on Manage Capture Filters. This gives you a list of all of your predefined capture filters and any that you have saved yourself, so you don't have to keep entering the same capture filter over and over again. You can create one and save it. So, all you need to do is click on that plus icon, and then you can enter whatever it is you want to filter on. So we could do ip host 192.168.5.25, and we've now created a new capture filter. Then, of course, I can rename it: if I double-click on the name, it becomes editable and I can call it My Host:

Now, if I go back to the bookmark list, the new filter is visible there.

You can also save a capture filter by selecting an interface first and then entering what you wish. You'll see that it turns green if it's a valid entry. Then, click on that bookmark icon and then on Save this filter:

If you click on that, it'll then bring up the Manage Capture Filters window prepopulated so that you can simply name it as you wish. Then, using this capture, I can simply double-click on my interface and begin capturing that traffic. You will see that I'm filtering on Ethernet broadcast, so it's only going to show the broadcast traffic on layer 2:

The second way of entering a capture filter is through the gear icon:

Click on Capture options and you'll see at the bottom that there's the Capture filter for selected interfaces option. You can enter the capture filter just like you did in the previous window, as well as manage your bookmarks. So, we could enter ip host 192.168.5.25. Now, select the interface; the filter field turns green when the entry is valid, and I can start my capture:

Now, it'll show me any traffic to and from my gateway.
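What these two capture filters actually test at the byte level, as an added Python illustration that is not part of the original text: ip host matches IPv4 frames whose source or destination address is the given host (hence "to and from"), and ether broadcast matches on the destination MAC alone. The frames are constructed sample data, untagged Ethernet II with no VLAN header, and the helper names are my own.

```python
"""Byte-level equivalents of the capture filters 'ip host <addr>' and 'ether broadcast'."""
import struct

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4 = b"\x08\x00"


def ip_bytes(dotted):
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Constructed sample: minimal Ethernet II header + 20-byte IPv4 header (UDP, no payload)."""
    eth = dst_mac + src_mac + ETHERTYPE_IPV4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip_hdr


def ip_host(frame, host):
    """'ip host <host>': ethertype must be IPv4, and host may be src (offset 26) or dst (offset 30)."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return False
    addr = ip_bytes(host)
    return frame[26:30] == addr or frame[30:34] == addr


def ether_broadcast(frame):
    """'ether broadcast': destination MAC (first 6 bytes) is ff:ff:ff:ff:ff:ff."""
    return len(frame) >= 14 and frame[0:6] == BROADCAST_MAC


def capture(frames, predicate):
    """Mimic a capture filter: frames failing the predicate are never written to the capture."""
    return [f for f in frames if predicate(f)]
```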

Our next section is Displaying filters, where we'll filter our traffic after the capture has already been started or saved, rather than filtering the traffic during the capture itself. This is a very common way of working: you capture all the traffic on your network, and then simply view only the pieces you need.
