Wireshark (credit: Gerald Combs GPL)
Wireshark Display Filter expression examples. These filters will change the list of packets displayed from your capture file. When you clear or reset the filter all packets from the capture will be visible.
- Match IP Address (source, destination, or both)
- ip.addr == 10.10.10.10
- Match UDP or TCP port numbers (source, destination, or both)
- udp.port == 53 or tcp.port == 53
- Match classic IPSec traffic (ISAKMP or ESP packets)
- udp.port == 500 or ip.proto == 50
For better capture performance and smaller capture files, use “tcpdump” style Capture Filters when setting your capture options (libpcap). These must be set before starting the capture and will limit the traffic available for review in your capture file.
- host 10.10.10.10
- port 53
- udp port 500 or ip proto 50
For an optimal capture consider the following hints
- Use a managed switch and mirror the port you want to observe
- Use promiscuous mode
- Use a capture filter to limit the amount of captured data if possible
- UNCHECK “Update list of packets in real time” to improve performance
- UNCHECK “Hide capture info dialog” to see how much traffic has been captured
- Capture to a File with *.pcap extension so Windows can associate it with Wireshark
- After enough traffic has been collected, stop the capture to review the packet data.
Notes by Tom 