Network Analysis Using Wireshark 2 Cookbook(Second Edition)

How it works...

The Wireshark - Capture Filters window lets you configure filters written in Berkeley Packet Filter (BPF) syntax. After writing a filter string, click the Compile BPF button: the BPF compiler checks your syntax and, if it is wrong, shows an error message.

In addition, when you type a filter string into the capture filter textbox, the textbox turns green if the filter string is syntactically correct and red if it is not.

BPF only checks that the syntax is valid; it does not check that the condition makes sense. For example, if you type the string host without any parameter, you get an error and the string turns red, but if you type host 192.168.1.1000 it passes and the textbox turns green.

BPF syntax comes from the paper The BSD Packet Filter: A New Architecture for User-level Packet Capture by Steven McCanne and Van Jacobson of the Lawrence Berkeley Laboratory at Berkeley University, dated December 1992. The paper is available at: http://www.tcpdump.org/papers/bpf-usenix93.pdf.

A capture filter is a string containing a filter expression. This expression selects which packets are captured and which are ignored. Filter expressions consist of one or more primitives, and a primitive usually consists of an identifier (a name or a number) preceded by one or more qualifiers. There are three kinds of qualifiers:

  • Type: These qualifiers say what kind of thing the identifier name or number refers to. Possible types are host for hostname or address, net for network, port for TCP/UDP port, and so on.
  • Dir (direction): These qualifiers specify a particular transfer direction to and/or from the identifier. For example, src indicates source, dst indicates destination, and so on.
  • Proto (protocol): These are the qualifiers that restrict the match to a particular protocol. For example, ether for Ethernet, ip for internet protocol, arp for address resolution protocol, and so on.

Identifiers are the actual values we test against. An identifier can be an address such as 10.0.0.1, a port number such as 53, or a network address such as 192.168.1 (this is an identifier for the network 192.168.1.0/24).

For example, in the filter tcp dst port 135, we have:

  • dst is the dir qualifier
  • port is the type qualifier
  • tcp is the proto qualifier
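As an added illustration of the qualifier structure just described (this is not code from the book), the following Python parser splits a primitive into its proto, dir and type qualifiers plus its identifier, and then applies the semantic check that the BPF compiler itself does not perform, so that host 192.168.1.1000 is caught before a capture is started. The qualifier sets are an assumed subset of the libpcap grammar, not the full one.

```python
import ipaddress
import re

# Qualifier classes as described above; an assumed subset of the libpcap grammar
PROTO = {"ether", "ip", "ip6", "arp", "tcp", "udp", "icmp"}
DIR = {"src", "dst"}
TYPE = {"host", "net", "port", "portrange"}

def parse_primitive(expr):
    """Split one primitive such as 'tcp dst port 135' into its qualifiers and identifier.
    Raises ValueError on structural errors, which is the kind of error BPF itself reports."""
    tokens = expr.split()
    prim = {"proto": None, "dir": None, "type": None, "id": None}
    while tokens and tokens[0] in PROTO | DIR | TYPE:
        tok = tokens.pop(0)
        kind = "proto" if tok in PROTO else "dir" if tok in DIR else "type"
        if prim[kind] is not None:
            raise ValueError(f"duplicate {kind} qualifier: {tok!r}")
        prim[kind] = tok
    if len(tokens) != 1:  # a bare 'host' ends up here: no identifier to test
        raise ValueError(f"expected exactly one identifier in {expr!r}")
    prim["id"] = tokens[0]
    if prim["type"] is None:  # libpcap assumes 'host' when no type qualifier is given
        prim["type"] = "host"
    return prim

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def identifier_is_valid(prim):
    """The semantic check the BPF compiler skips: does the identifier fit its type?"""
    t, ident = prim["type"], prim["id"]
    if t in ("port", "portrange"):
        return all(p.isdigit() and int(p) <= 65535 for p in ident.split("-"))
    if prim["proto"] == "ether":  # link-layer addresses are MACs, not IPs
        return re.fullmatch(r"([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}", ident) is not None
    if t == "net":
        ident = ident.split("/")[0]  # strip a CIDR prefix length
        octets = ident.split(".")
        if re.fullmatch(r"[0-9.]+", ident) and len(octets) < 4:
            ident = ".".join(octets + ["0"] * (4 - len(octets)))  # 192.168.1 -> 192.168.1.0
    if re.fullmatch(r"[0-9.]+", ident) or ":" in ident:
        return _is_ip(ident)  # numeric forms must parse; 192.168.1.1000 fails here
    return True  # a hostname would need DNS to check, so it is accepted as-is offline
```

Running identifier_is_valid(parse_primitive("host 192.168.1.1000")) returns False even though Wireshark colours that filter green, which is exactly the gap the text describes.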