"Guy Harris" wrote in message
news:ABA8C2F7-A203-4C96-B2E4-587D6CD65938@xxxxxxxxxxxx...
> On Sep 27, 2011, at 5:29 PM, Chuck B wrote:
>> Is it possible to filter everything from a capture session but only the
>> things specific to that capture session?
> That depends on what the purpose of the capture session is, i.e. it depends
> on what criteria determine what's specific to the capture session.
>> To clarify: I want to study all of the interactions that an app has with
>> multiple servers and multiple ports. But there are a lot of packets
>> mixed in with the capture that don't have anything to do with the app's
>> interactions.
> Unfortunately, that would be difficult to do even with a *display* filter,
> as "what app caused this request to be sent, or caused the request to which
> this packet is a reply to be sent" isn't available in Wireshark captures;
> unless you know, in advance, what ports the app will be using with
> particular servers, it'd be difficult, at best, to winnow out packets from
> other applications (or daemons or kernel modules or other "system" code).
> If you *do* know, a capture filter could probably be constructed - but,
> just because it's using particular ports in one capture, that doesn't
> necessarily mean it'll be using the same ports in the next capture.
At the moment I am less interested in the ports used than in identifying
the servers that the app connects to. Once I identify all the servers, I
figure it should be possible to create a filter that excludes all but those
servers.
> What particular services are you interested in?
Right now I'm studying the Jabber protocol and how it works. I mainly want
to see how packets are passed around.
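The two-step approach Chuck describes (one unfiltered capture, pull the server addresses out of it, then filter the next capture down to those servers) can be scripted around tshark. The script below is an added example written for this page; it is not code from the thread or from Wireshark. The addresses 192.0.2.10, 192.0.2.11 and 203.0.113.5 are placeholders from the documentation ranges, and the SAMPLE lines are constructed stand-ins for tshark output, not a real capture.

```shell
#!/bin/sh
# Added example for the workflow discussed in the thread; not code from the
# thread or from Wireshark. Assumptions: the addresses are documentation-range
# placeholders and SAMPLE is constructed, not taken from a real capture.

# Step 1: list the servers the client connected to. Feed this the output of
#   tshark -r unfiltered.pcapng \
#          -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0' \
#          -T fields -e ip.dst -e tcp.dstport
# Only the client's initial SYNs are selected, so every line carries the
# server address and the server-side port, never the ephemeral client port.
# tshark separates the fields with a tab; awk splits on tabs and spaces alike.
list_servers() {
    awk 'NF >= 2 && !seen[$1 ":" $2]++ { print $1 ":" $2 }'
}

# Reduce the "host:port" list to the distinct server addresses. Ports are
# deliberately dropped here: as Guy notes, they may differ in the next capture.
unique_hosts() {
    cut -d: -f1 | awk '!seen[$0]++'
}

# Step 2a: BPF capture filter for "tshark -f" / "dumpcap -f", restricting the
# next capture to traffic with the servers found in Step 1, e.g.
#   tshark -i eth0 -f "$(capture_filter 192.0.2.10 192.0.2.11)" -w xmpp.pcapng
capture_filter() {
    bpf=""
    for h in "$@"; do
        bpf="${bpf:+$bpf or }host $h"
    done
    printf '%s\n' "$bpf"
}

# Step 2b: Wireshark display filter for the capture already taken, e.g.
#   tshark -r unfiltered.pcapng -Y "$(display_filter 192.0.2.10 192.0.2.11)"
# (the same string works in the filter bar of the Wireshark GUI).
display_filter() {
    printf 'ip.addr in {%s}\n' "$*"
}

# Constructed stand-in for the Step 1 tshark output (address, server port).
SAMPLE='192.0.2.10 5222
192.0.2.10 5222
203.0.113.5 443
192.0.2.11 5269
192.0.2.10 5222'

printf '%s\n' "$SAMPLE" | list_servers
hosts=$(printf '%s\n' "$SAMPLE" | list_servers | unique_hosts)
# $hosts is intentionally unquoted so that each address becomes one argument.
capture_filter $hosts
display_filter $hosts
```

In the constructed sample, 203.0.113.5:443 is exactly the kind of unrelated traffic Chuck complains about; the Step 1 listing makes it visible so it can be left out of the host list by hand before the filters are built (XMPP's registered ports are 5222 for client-to-server and 5269 for server-to-server, per RFC 6120, which helps recognise the Jabber servers in that list). One caveat for "seeing how packets are passed around": a client-to-server XMPP session on 5222 normally upgrades to TLS via STARTTLS, so only the opening stream negotiation is readable in the capture; everything after the TLS handshake is encrypted.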