Capture filters are filters you specify in Wireshark BEFORE you start the capture. They limit the traffic captured to the packets that match your filter. This is different from display filters: you apply a display filter AFTER you have captured packets, so that only the packets matching your filter are displayed (the other packets are still in the capture file, just hidden).
Capture filters use the Berkeley Packet Filter (BPF) syntax, which is different from the display filter syntax.
For example, with a display filter, to show all packets that include the IP address 10.1.1.1 you enter ip.addr == 10.1.1.1.
To filter for the same IP address with a capture filter, the syntax is 'host 10.1.1.1'.
Other examples of the BPF capture filter syntax are:
- src host 10.1.1.1 # source IP address is 10.1.1.1
- dst host 10.1.1.1 # destination IP address is 10.1.1.1
- net 10.1.1.0/24 # source or destination address is in 10.1.1.0/24
- dst net 10.1.1.0/24 # destination address is in 10.1.1.0/24
- dst port 80 # destination port is 80 (TCP or UDP)
- udp dst port 53 # UDP packets with destination port 53
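To make the matching rules behind these primitives concrete, here is an added example (not Wireshark or libpcap code, and not from the original page): a toy evaluator for just the subset of BPF primitives listed above, run over a handful of constructed packet summaries. It shows that an unqualified `host X` matches X as either source or destination (the counterpart of the display filter `ip.addr == X`), that `src`/`dst` restrict the direction, that `net` takes a CIDR prefix, and that a leading `udp`/`tcp` qualifier excludes packets of the other protocol. Real capture filters are compiled by libpcap into BPF bytecode and evaluated in the kernel; `Packet`, `matches`, `apply_capture_filter`, `count` and `SAMPLE_PACKETS` are names and sample data invented for this illustration. Boolean operators (`and`, `or`, `not`) are deliberately not handled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Toy evaluator for a SUBSET of libpcap/BPF capture-filter primitives
# (added example; not Wireshark or libpcap code). Supports:
#   [tcp|udp] [src|dst] host <ipv4>
#   [tcp|udp] [src|dst] net  <cidr>
#   [tcp|udp] [src|dst] port <number>
# Boolean operators (and/or/not) and other primitives are not handled.


@dataclass(frozen=True)
class Packet:
    """Minimal IPv4 packet summary (constructed; enough for the primitives above)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


def matches(filter_expr: str, pkt: Packet) -> bool:
    """Return True if the packet would be admitted by the given primitive."""
    tokens = filter_expr.lower().split()

    # Optional protocol qualifier: "udp dst port 53" only considers UDP packets.
    if tokens and tokens[0] in ("tcp", "udp"):
        if pkt.proto != tokens.pop(0):
            return False

    # Optional direction qualifier. With no qualifier, "host X" means
    # "src host X or dst host X", the capture-filter counterpart of ip.addr == X.
    direction: Optional[str] = None
    if tokens and tokens[0] in ("src", "dst"):
        direction = tokens.pop(0)

    if len(tokens) != 2:
        raise ValueError(f"unsupported filter: {filter_expr!r}")
    kind, value = tokens

    if kind == "host":
        src_ok, dst_ok = pkt.src == value, pkt.dst == value
    elif kind == "net":
        # ip_network() rejects "10.1.1.5/24" (host bits set), as tcpdump does.
        network = ipaddress.ip_network(value)
        src_ok = ipaddress.ip_address(pkt.src) in network
        dst_ok = ipaddress.ip_address(pkt.dst) in network
    elif kind == "port":
        port = int(value)
        src_ok, dst_ok = pkt.sport == port, pkt.dport == port
    else:
        raise ValueError(f"unsupported primitive: {kind!r}")

    if direction == "src":
        return src_ok
    if direction == "dst":
        return dst_ok
    return src_ok or dst_ok


def apply_capture_filter(filter_expr: str, packets: List[Packet]) -> List[Packet]:
    """Keep only the packets the capture filter admits. Everything else is never
    written to the capture file, so it cannot be recovered later with a display filter."""
    return [p for p in packets if matches(filter_expr, p)]


# Constructed sample traffic (not from a real capture).
SAMPLE_PACKETS = [
    Packet("10.1.1.1", "192.0.2.10", "tcp", 40000, 80),     # client -> web server
    Packet("192.0.2.10", "10.1.1.1", "tcp", 80, 40000),     # web server reply
    Packet("10.1.1.7", "198.51.100.53", "udp", 51000, 53),  # DNS query over UDP
    Packet("203.0.113.5", "10.1.1.200", "tcp", 40001, 53),  # DNS over TCP into 10.1.1.0/24
    Packet("172.16.0.9", "192.0.2.10", "tcp", 40002, 443),  # unrelated HTTPS
]


def count(filter_expr: str) -> int:
    """Number of sample packets a capture filter would keep."""
    return len(apply_capture_filter(filter_expr, SAMPLE_PACKETS))


if __name__ == "__main__":
    for expr in ("host 10.1.1.1", "src host 10.1.1.1", "dst host 10.1.1.1",
                 "net 10.1.1.0/24", "dst net 10.1.1.0/24",
                 "dst port 80", "dst port 53", "udp dst port 53"):
        print(f"{expr:22} -> {count(expr)} packet(s) kept")
```

Running the script prints how many of the five sample packets each filter from the list above keeps; compare `dst port 53` (two packets, one TCP and one UDP) with `udp dst port 53` (one packet) to see the effect of the protocol qualifier. The practical point for capture filters is in `apply_capture_filter`: a packet the filter rejects is gone for good, whereas a display filter only hides it.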