Wireshark display filters
Figure 3). There you can select the Interface ( en0), see your IP address ( 192.168.1.10), apply any Capture Filter (in the image, there is none), put your network card in promiscuous mode, and sDYH FDSWXUHG GDWD WR RnH RU PRUH fiOHs. :hHn FDSWXULng ORWs RI GDWD, LW Ls FRnsLGHUHG D gRRG SUDFWLFH WR fiUsW sDYH DnG WhHn HxDPLnH FDSWXUHG nHWwRUN WUDIfiF. :hHn yRX SXW yRXU nHWwRUN card in promiscuous mode, you allow the network device to catch and read every network packet that arrives, even if the receiver is another device on the network. You can also choose to stop packet capturing after a given number of network packets, a given period of time, or a given amount of data (in bytes).
WireShark allows you to read and analyse captured network GDWD IURP D ODUgH nXPbHU RI fiOH IRUPDWs LnFOXGLng tcpdump, libpcap, Sun’s snoop, HP’s nettl, .12 WHxW fiOH, HWF. 7hLs PHDns that you can read almost every kind of captured network data The amount of network data that WireShark may display can be too much for a human to watch and understand, especially on very busy networks. Usually, when using WireShark, we want to examine a given problem or situation, or even watch for unusual network DFWLYLWy. :LUH6hDUN DOORws Xs WR fiOWHU nHWwRUN GDWD IRU sSHFLfiF WySHs RI WUDIfiF GXULng FDSWXUH, DYRLGLng FUHDWLng hXgH FDSWXUH fiOHs—bXW WhHUH DUH DOsR GLsSODy fiOWHUs, whLFh WHOO :LUH6hDUN WR display packets that really matter, while capturing everything, so WhDW yRX ORRN DW IHwHU SDFNHWs DnG HDsLOy finG whDW yRX wDnW.
GHnHUDOOy sSHDNLng, GLsSODy fiOWHUs DUH FRnsLGHUHG PRUH SUDFWLFDO DnG YHUsDWLOH WhDn FDSWXUH fiOWHUs, bHFDXsH PRsW RI WhH time, you don't know in advance what you want to examine. 1HYHUWhHOHss, XsLng FDSWXUH fiOWHUs FDn sDYH WLPH DnG GLsN space; that is the main reason for using them.
WireShark tells you when a Display Filter is syntactically FRUUHFW—whHn WhH bDFNgURXnG WXUns OLghW gUHHn, WhHn WhH fiOWHU is syntactically correct; and when the syntax is erroneous, the background is pink. You can see both cases in Figure 5. The result of D ORgLFDOOy LnDFFXUDWH (yHW synWDFWLFDOOy FRUUHFW) fiOWHU DW FDSWXUH WLPH is no captured data—so you may recognise this error the hard way.