Wireshark-users: Re: [Wireshark-users] Wireshark filters

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 28 Sep 2011 11:49:40 -0700
On Sep 27, 2011, at 5:02 AM, kevin creason wrote:

> Capture filters are troublesome for at least four reasons:

	...

> They prevent packets from being captured either by exclusion of the filter or not being included in the filter.

I'm not sure what you mean by that - a filter expression, whether it's a capture filter expression or a display filter expression, is, in the general case, a collection of "this" items and "not that" items, ANDed or ORed together.  The "this" items select stuff you want to see (which I guess is "included in the filter"), and the "not that" items select stuff you don't want to see (which I guess is "[excluded by] the filter").

> Once packets are not captured, you cannot see them.

That's not a bug, that's a feature. :-)

I.e., the whole *point* of a capture filter is to (reasonably) efficiently discard packets that you have deemed uninteresting, especially in situations where the capturing machine couldn't keep up with the full stream of packets if you didn't filter them out (so that you wouldn't be able to see all of them even *without* a capture filter).  If you're not in one of those situations, capture filters may be less useful, but even then, if you know what you care about, it means that, while the capture is in progress or after it stops, you don't then have to filter out, for example, various bits of broadcast and multicast noise on your network, or a steady stream of traffic to the file server containing your network home directory, or stuff such as that (both of which I've filtered out at work just to keep it out of my capture as early as possible).
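A worked illustration of the two points above (added here; it is not part of Guy's message or of Wireshark's code): a tiny model of filter primitives being ANDed together, a "capture" that drops the broadcast/multicast noise and the file-server traffic before anything is written, and a "display" filter applied afterwards that can no longer find the dropped packets. The five frames, the MAC addresses and the file server at 10.0.0.5 are constructed for the example; the pcap writer emits a standard libpcap file so the surviving frames can be opened in Wireshark.

```python
"""Model of capture filter vs display filter over constructed Ethernet/IPv4 frames.
Added example; addresses and traffic below are assumptions, not real captures."""
import struct

FILE_SERVER = "10.0.0.5"          # assumed: the file server holding the home directory
LOCAL_MAC = "00:11:22:33:44:55"   # assumed: our own NIC


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def ipv4_frame(dst_mac, src_ip, dst_ip, proto, sport, dport):
    """Ethernet II + minimal IPv4 header + a 20-byte L4 header carrying only the ports."""
    eth = _mac(dst_mac) + _mac(LOCAL_MAC) + b"\x08\x00"
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                        _ip(src_ip), _ip(dst_ip))
    return eth + iphdr + l4


def arp_frame(dst_mac):
    return _mac(dst_mac) + _mac(LOCAL_MAC) + b"\x08\x06" + b"\x00" * 28


# Constructed sample traffic: the noise described above plus two frames we do care about.
WIRE = [
    arp_frame("ff:ff:ff:ff:ff:ff"),                                             # ARP broadcast
    ipv4_frame("01:00:5e:00:00:fb", "10.0.0.7", "224.0.0.251", 17, 5353, 5353),  # mDNS multicast
    ipv4_frame("00:aa:bb:cc:dd:ee", "10.0.0.7", FILE_SERVER, 6, 40000, 2049),    # NFS to file server
    ipv4_frame("00:aa:bb:cc:dd:ee", "10.0.0.7", "192.0.2.10", 6, 40001, 80),     # HTTP request
    ipv4_frame(LOCAL_MAC, "10.0.0.1", "10.0.0.7", 17, 53, 40002),                # DNS reply
]


def decode(frame):
    """Extract just the fields the filter primitives below look at."""
    f = {"dst_mac": frame[0:6], "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if f["ethertype"] == 0x0800:                      # IPv4: proto at 23, src at 26, dst at 30
        proto, src, dst = struct.unpack("!B2x4s4s", frame[23:34])
        f.update(proto=proto, src=".".join(map(str, src)), dst=".".join(map(str, dst)))
        f["sport"], f["dport"] = struct.unpack("!HH", frame[34:38])
    return f


# Filter primitives: the "this" and "not that" items a filter expression is built from.
def broadcast(p): return p["dst_mac"] == b"\xff" * 6
def multicast(p): return bool(p["dst_mac"][0] & 1)       # group bit set (includes broadcast)
def host(addr): return lambda p: addr in (p.get("src"), p.get("dst"))
def port(n): return lambda p: n in (p.get("sport"), p.get("dport"))


def capture_filter(p):
    # Same shape as the BPF capture filter:
    #   not broadcast and not multicast and not host 10.0.0.5
    return not broadcast(p) and not multicast(p) and not host(FILE_SERVER)(p)


def capture(frames, filt):
    """Frames the capture filter rejects are never stored; nothing can recover them later."""
    return [fr for fr in frames if filt(decode(fr))]


def display(frames, filt):
    """A display filter only hides rows; the stored frames are all still there."""
    return [fr for fr in frames if filt(decode(fr))]


def pcap_bytes(frames):
    """Serialise frames as a libpcap file (DLT_EN10MB=1) that Wireshark can open."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):                   # constructed timestamps, Sep 2011
        out += struct.pack("<IIII", 1317000000 + i, 0, len(fr), len(fr)) + fr
    return out


if __name__ == "__main__":
    kept = capture(WIRE, capture_filter)
    print("captured", len(kept), "of", len(WIRE), "frames")
    print("file-server frames visible in the full stream:", len(display(WIRE, host(FILE_SERVER))))
    print("file-server frames visible after the capture filter:", len(display(kept, host(FILE_SERVER))))
    with open("filtered.pcap", "wb") as fh:
        fh.write(pcap_bytes(kept))
```

Running it keeps only the HTTP request and the DNS reply, and the `host 10.0.0.5` display filter finds one frame in the unfiltered stream but none in the filtered capture: the frames the capture filter rejected were never written, which is the whole point of applying it when the capturing machine cannot keep up.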