Wireshark seems to ignore my filters

Question

I'm trying to make use of Wireshark 1.10.6 for Windows and I want to only capture the traffic to port 443 (to diagnose some weird HTTPS problems I'm having). So I open Capture -> Capture Filters... and in there I delete all filters and then add one filter with filter string set to port 443. Then I start the capture and see that there's a lot of unrelated stuff captured, for example this one

BROWSER 243 Host Announcement , Workstation, Server, SQL Server, NT Workstation, NT Server, Backup Browser, DFS server

so it looks like the capture filters are ignored.

What am I doing wrong and how do I make use of filters?

krisFR · Answer 1 · 2014-04-07T14:17:37.507

1

Once you have created your Capture Filter using Capture -> Capture Filters... you have to define it in the Capture Options.

Open Capture -> Options...
Click on the Capture Filter button
Select the filter you want then click OK
Start the capture

Now it should be filtered using one of these filter strings :

port 443
tcp port 443

Further infos in the user guide : Filtering while capturing.

edited Apr 07 '14 at 14:17

answered Apr 07 '14 at 11:05

krisFR

12,830
3
31
40

Great, now it filters everything out even if I craft a `port 443` filter and open `https://github.com` in Firefox. – sharptooth Apr 07 '14 at 11:28
@sharptooth Make sure you are filtering/capturing on the right ethernet interface, in case you have more than one. Also check that the filter string is correct. But `port 443` or `tcp port 443` should work – krisFR Apr 07 '14 at 14:10
@sharptooth So, what about your filters now ? – krisFR Apr 09 '14 at 01:14
They don't look working. – sharptooth Apr 10 '14 at 05:36
@sharptooth Seriously ?? Did you check what i said about the right interface ? – krisFR Apr 10 '14 at 19:35
Yeap, I only have one interface and capture works if I simply remove the filter. That's something stupid but I can't figure it out. – sharptooth Apr 11 '14 at 05:21

score 1 · Answer 2 · answered Oct 17 '16 at 12:37

Wireshark 2.2.1 seems broken with capture filters. What you're supposed to do is go to:

Capture -> Capture Filters...

Add your filters, then go to:

Capture -> Options -> select loopback -> scrolll ALLLL the way to the right, click the drop down box and select your capture filter name, or type the name in.

THIS DOES NOT WORK. None of the capture filters display, typing the filters in directly, it still cannot locate them.

The way i ended up doing it, and it seems to kind of work, is by exiting wireshark, starting it up you get a prompt which asks you for your wireshark capture filter then entering your filter of "port 18080 or port 18081 or port 1883 and tcp", or whatever, just put the filter in there and double click loopback or whatever and that seems to work.

Just a thought, is it just broken under windows? Maybe some configuration or path option prevents the capture filters being found??

Wireshark seems to ignore my filters

2 Answers2