Wireshark captures a large and varied mix of packets. Filter rules let you quickly isolate the packets that interest you, for example the packets of a specified IP address. Filters fall into two classes: capture filters and display filters.
Display filtering: fully reproduces the network environment at test time, but produces large capture files and high memory consumption.
Capture filtering: set in the Capture options so that only packets matching the rule are captured; this avoids large capture files and a big memory footprint, but does not fully reproduce the network environment at test time.
Examples of Wireshark filters for packets sent to or received by specified IP addresses:
(1) Capture all TCP traffic on port 80 whose destination address is 192.168.1.2 or 192.168.1.3
Capture filter: tcp port 80 and (dst host 192.168.1.2 or dst host 192.168.1.3)
Display filter: tcp.port==80 && (ip.dst==192.168.1.2 || ip.dst==192.168.1.3)
(2) Capture all TCP traffic whose destination network is 192.168 but whose destination host is not 192.168.1.2
Capture filter: tcp and dst net 192.168 and not dst host 192.168.1.2
Display filter: tcp && ip.dst==192.168.0.0/16 && !(ip.dst==192.168.1.2)
(3) Capture the Telnet packets sent or received by host 192.168.1.1 (Telnet uses TCP port 23)
Capture filter: tcp port 23 and host 192.168.1.1
Display filter: tcp.port==23 && ip.addr==192.168.1.1
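To make the semantics of the three display filters above concrete, here is an added Python example (not Wireshark code and not from the original post) that re-implements them as predicates and runs them over a handful of constructed packet records. It shows the point that catches people out: tcp.port and ip.addr match either side of a packet, whereas ip.dst and the subnet test look only at the destination.

```python
# Added example: evaluate the page's three display filters over constructed
# packet tuples. The Packet class and SAMPLE traffic are made up here.
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

def tcp_port(pkt, port):
    # tcp.port==N (capture filter "tcp port N") matches source OR destination port
    return pkt.proto == "tcp" and port in (pkt.sport, pkt.dport)

def ip_addr(pkt, host):
    # ip.addr==X (capture filter "host X") matches either endpoint
    return host in (pkt.src, pkt.dst)

def ip_dst_in(pkt, net):
    # ip.dst==192.168.0.0/16 ("dst net 192.168") tests only the destination
    return ip_address(pkt.dst) in ip_network(net)

def filter1(pkt):
    # tcp.port==80 && (ip.dst==192.168.1.2 || ip.dst==192.168.1.3)
    return tcp_port(pkt, 80) and pkt.dst in ("192.168.1.2", "192.168.1.3")

def filter2(pkt):
    # tcp && ip.dst==192.168.0.0/16 && !(ip.dst==192.168.1.2)
    return pkt.proto == "tcp" and ip_dst_in(pkt, "192.168.0.0/16") and pkt.dst != "192.168.1.2"

def filter3(pkt):
    # tcp.port==23 && ip.addr==192.168.1.1
    return tcp_port(pkt, 23) and ip_addr(pkt, "192.168.1.1")

# Constructed sample traffic, not a real capture
SAMPLE = [
    Packet("10.0.0.5", "192.168.1.2", 51000, 80),   # 0: client -> web server
    Packet("192.168.1.2", "10.0.0.5", 80, 51000),   # 1: reply, port 80 is now the source
    Packet("10.0.0.5", "192.168.7.9", 51001, 443),  # 2: another host inside 192.168/16
    Packet("192.168.1.1", "10.0.0.5", 23, 52000),   # 3: Telnet server replying
    Packet("10.0.0.5", "172.16.0.1", 51002, 23),    # 4: Telnet to a different host
]

def apply(flt, packets=SAMPLE):
    """Return the indexes of the packets the filter keeps."""
    return [i for i, p in enumerate(packets) if flt(p)]

if __name__ == "__main__":
    for name, f in (("1", filter1), ("2", filter2), ("3", filter3)):
        print(f"filter {name} keeps packets {apply(f)}")
```

Note that filter 1 drops the reply packet (index 1) because its destination is the client, while filter 3 keeps the Telnet reply (index 3) because ip.addr accepts the host on either side.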
Only a few examples are listed above.
For a more detailed introduction to this topic, see also this blog post: http://www.cnblogs.com/einyboy/archive/2012/12/12/2815080.html
Wireshark Study Chapter (2)---filter rules