Wireshark & Ethereal Network Protocol Analyzer Toolkit, Jay Beale's Open Source Security Series

Chapter 5: Filters

Introduction

When capturing packets from a network interface, Wireshark's default behavior is to capture all of the packets provided by the operating system's (OS's) device driver. On a lightly loaded home network this is not a problem; however, on a busy network at a large enterprise, the deluge of packets would be too much to handle. Wireshark provides capture filters, which allow you to capture only the packets that you are interested in. By using capture filters, the OS sends only selected packets to Wireshark for processing.

Once the packets are loaded into Wireshark, there may still be too many. For this situation, Wireshark provides display filters, which allow you to specify which packets are shown in Wireshark's Graphical User Interface (GUI). Because all of the packets are still in memory, they become visible again when you reset your display filter.

The difference between capture filters and display filters is in how they are implemented in Wireshark. The Wireshark program relies on a program library to capture packets. On UNIX, the library is pcap (also known as libpcap), and is maintained by the same group that developed tcpdump, the UNIX Command Line Interface (CLI) sniffer (available at www.tcpdump.org). On Windows, the library is WinPcap, which is a device driver and dynamic link library (DLL) that provides a pcap interface for Windows programs. For convenience, we refer to pcap and WinPcap as pcap
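The distinction between the two filter stages, as an added illustration that is not from the book: a capture filter runs in pcap before anything is stored (rejected frames never reach Wireshark), while a display filter only hides frames already in memory. The frames below are constructed inline, and the filters are Python predicates standing in for pcap's BPF syntax and Wireshark's display-filter syntax.

```python
import struct

def build_frame(src_ip, dst_ip, sport, dport, proto=6):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame (no checksums; enough to parse)."""
    eth = b"\x00" * 6 + b"\x11" * 6 + struct.pack("!H", 0x0800)  # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16  # ports, then padding
    return eth + ip + l4

def parse_frame(frame):
    """Minimal dissector: returns None for non-IPv4 frames."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", l4[:4]) if proto in (6, 17) else (None, None)
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

def capture(driver_frames, capture_filter):
    """Capture stage (pcap role): frames failing the filter are dropped, never stored."""
    return [f for f in driver_frames if capture_filter(parse_frame(f))]

def display(captured, display_filter=None):
    """Display stage (GUI role): hides frames but leaves the captured list intact."""
    if display_filter is None:  # reset display filter -> everything captured is visible
        return list(captured)
    return [f for f in captured if display_filter(parse_frame(f))]

def demo():
    """Returns (frames offered by driver, frames captured, shown, shown after reset)."""
    wire = [build_frame("10.0.0.5", "10.0.0.1", 4000, 80),        # TCP to port 80
            build_frame("10.0.0.7", "10.0.0.1", 4001, 80),        # TCP to port 80
            build_frame("10.0.0.5", "10.0.0.1", 5353, 53, 17),    # UDP DNS
            build_frame("10.0.0.5", "10.0.0.1", 4002, 443)]       # TCP to port 443
    tcp_port_80 = lambda p: p is not None and p["proto"] == 6 and 80 in (p["sport"], p["dport"])
    ip_src_is_5 = lambda p: p is not None and p["src"] == "10.0.0.5"
    captured = capture(wire, tcp_port_80)          # like capture filter "tcp port 80"
    shown = display(captured, ip_src_is_5)         # like display filter ip.src == 10.0.0.5
    after_reset = display(captured)                # clearing the display filter
    return len(wire), len(captured), len(shown), len(after_reset)
```

The UDP and port-443 frames are not recoverable after the capture, whereas the frame hidden by the display filter returns as soon as the filter is cleared.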
