Using Wireshark Capture Filters

By David Dixon
April 15, 2024

Why do we use Wireshark capture filters?

Capture filters are used to limit captured traffic based on a specific criteria.They limit the packets saved in the '/temp' location when capturing. Capture filters cannot be applied to existing capture files, only those that are running. This can be very useful when capturing on a busy network, or when looking for a specific traffic type.
If you're familiar with the Linux native 'tcpdump' tool, the capture filters in Wireshark uses the same Berkeley Packet Filtering syntax. Be careful when using capture filters, you should use them sparingly. This is because you can apply display filters after the capture, but capture filters drop the packets and therefore are not saved in the capture file.
There are a number of builtin capture filters that can be viewed and modified by choosing "Capture" > "Capture Filters" from the menu.

Wiresark menu

Additionally, Wireshark comes with a default set of filters, which are stored in the Wireshark program file directory. The file name is cfilters and you can see that the contents of the file resemble the following:

Setup a new filter

Let's use the Wireshark interface to set up a capture filter. Select "Capture" and then "Capture Filters as show in figure 1. Enter in the following to create a capture filter just for port 443, which is most https traffic.

CFilter Mod

You can see we added a capture filter with the name "port 443 only" and the capture filter rule of "port 443" which will capture only traffic on 443. To use this filter, select "Capture" then "Options". Once the dialogue box opens, then select your capture interface, and select the capture rule we just created just like the image below (port 443 only):

Cfilter apply

Now click the start button and you will see that only packets with source and destination ports of 443 are captured.