-2

What does a capture filter mean in Wireshark? Is it the same as a display filter?

user30040
  • 52
  • 4

2 Answers

6

Capture filters work when the capture is taking place. They tell Wireshark which packets to capture and save to a pcap file.

Display filters work on already captured network traffic. It's simply a filter that tells Wireshark which packets to display.

1

There are two types of filter in Wireshark:

  1. Display Filter
  2. Capture Filter

A display filter is a filter introduced by Wireshark. It's user friendly, powerful and can filter on many things. It has a modular form. For example, the filter to display HTTP POST requests is:

http.request.method == "POST"

Wireshark loads the packets first, and then applies the display filter. So it is applied in user mode.

A capture filter is a filter introduced by libpcap/WinPcap (a driver that captures packets independently of the operating system). It's very restricted and hard to read and write! No modularity. But instead, it is applied by libpcap/WinPcap; that means kernel mode. So it is fast and saves memory and storage, because no unwanted packets are captured.

SuB
  • 150
  • 1
  • 7
  • Libpcap filter syntax may not be user friendly, but on a busy interface, you probably need to learn it if you don't want to deal with huge capture files. – curiousguy Aug 27 '13 at 12:04
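To make the distinction drawn in both answers concrete, here is an added example (it is not code from the original answers, nor from Wireshark or libpcap). It models a capture filter as fixed byte-offset tests on the raw frame that run before a packet is written to the pcap, the way a libpcap/BPF program such as `tcp port 80` runs in the kernel, and a display filter as a test over decoded fields after the file has been read back, the way Wireshark evaluates `http.request.method == "POST"`. The four frames, the addresses and ports, and the POST sent to port 8080 are all constructed for the example, and every helper name (`bpf_tcp_port`, `dissect`, `compare`, and so on) is the example's own.

```python
"""Capture filter vs display filter, modelled on a hand-built pcap.

Added example; not code from the original answers, Wireshark or libpcap.
The 'capture filter' is a predicate over raw frame bytes applied before a
packet is written (standing in for a BPF program such as 'tcp port 80'); the
'display filter' runs over decoded fields after the file is read back
(standing in for Wireshark's  http.request.method == "POST").
All traffic below is constructed inline; nothing is captured from a NIC.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

def build_tcp_frame(src_port, dst_port, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero (fine for parsing)."""
    eth = bytes(12) + b"\x08\x00"                        # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1,
                      5 << 4, 0x18, 65535, 0, 0)         # 20-byte header, PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload

# --- capture filter: fixed byte-offset tests on the raw frame, as BPF does ---
def bpf_tcp_port(frame, port):
    """Equivalent of the libpcap expression 'tcp port N' on an Ethernet frame."""
    if len(frame) < 38 or frame[12:14] != b"\x08\x00":   # not IPv4
        return False
    if frame[23] != 6:                                    # IP protocol field != TCP
        return False
    tcp_off = 14 + (frame[14] & 0x0F) * 4                 # 14-byte Ethernet + IHL
    src, dst = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    return port in (src, dst)

def write_pcap(frames, capture_filter=None):
    """Serialise frames to pcap bytes, dropping any the capture filter rejects."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        if capture_filter is None or capture_filter(frame):
            out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
            out.append(frame)
    return b"".join(out)

def read_pcap(data):
    """Return the raw frames stored in a little-endian pcap blob."""
    frames, pos = [], 24                                  # skip the global header
    while pos < len(data):
        incl_len = struct.unpack("<IIII", data[pos:pos + 16])[2]
        frames.append(data[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
    return frames

# --- display filter: dissect first, then test named fields in user space ---
def dissect(frame):
    """Decode just the fields this example filters on, using Wireshark-style names."""
    tcp_off = 14 + (frame[14] & 0x0F) * 4
    src, dst, _, _, off_flags = struct.unpack("!HHIIB", frame[tcp_off:tcp_off + 13])
    payload = frame[tcp_off + (off_flags >> 4) * 4:]
    fields = {"tcp.srcport": src, "tcp.dstport": dst}
    request_line = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(request_line) == 3 and request_line[2].startswith(b"HTTP/"):
        fields["http.request.method"] = request_line[0].decode("ascii", "replace")
    return fields

def display_filter(frames, predicate):
    return [f for f in frames if predicate(dissect(f))]

def is_http_post(fields):
    """The display filter  http.request.method == "POST"  as a predicate."""
    return fields.get("http.request.method") == "POST"

# Constructed sample traffic (not a real capture): note the POST on port 8080.
TRAFFIC = [
    build_tcp_frame(40001, 80, b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n"),
    build_tcp_frame(40002, 80, b"POST /login HTTP/1.1\r\nHost: a\r\n\r\nuser=x"),
    build_tcp_frame(40003, 8080, b"POST /api HTTP/1.1\r\nHost: b\r\n\r\n{}"),
    build_tcp_frame(40004, 443, b"\x16\x03\x01\x00\x05hello"),
]

def compare():
    """Run both stages over TRAFFIC and report what each one keeps."""
    full = write_pcap(TRAFFIC)                                    # no capture filter
    narrow = write_pcap(TRAFFIC, lambda f: bpf_tcp_port(f, 80))   # 'tcp port 80'
    return {
        "full_packets": len(read_pcap(full)),
        "narrow_packets": len(read_pcap(narrow)),
        "full_bytes": len(full),
        "narrow_bytes": len(narrow),
        "posts_in_full": len(display_filter(read_pcap(full), is_http_post)),
        "posts_in_narrow": len(display_filter(read_pcap(narrow), is_http_post)),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:16} {value}")
```

`compare()` shows the trade-off the second answer and the comment describe: the capture-filtered file is smaller and holds only the two port-80 packets, but the POST sent to port 8080 is gone for good, while the display filter over the full capture still finds both POSTs. The pcap bytes `write_pcap` produces are a valid little-endian pcap, so they can be written to a file and opened in Wireshark to check the same filter there. In real use the two stages are `tcpdump -w out.pcap 'tcp port 80'` (or `tshark -f 'tcp port 80'`) for the capture filter and `tshark -r out.pcap -Y 'http.request.method == "POST"'` for the display filter.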