Wireshark-users: Re: [Wireshark-users] Capture Filter Everything
From: "Chuck B" <chuckbowling@xxxxxxx>
Date: Wed, 28 Sep 2011 13:38:25 -0500


"Guy Harris" wrote in message news:ABA8C2F7-A203-4C96-B2E4-587D6CD65938@xxxxxxxxxxxx...


On Sep 27, 2011, at 5:29 PM, Chuck B wrote:

Is it possible to filter everything from a capture session but only the things specific to that capture session?

That depends on what the purpose is of the capture session, i.e. it depends on what criteria determine what's specific to the capture session.

To clarify; I want to study all of the interactions that an app has with multiple servers and multiple ports. But, there are a lot of packets mixed in with the capture that don't have anything to do with the apps interactions.

Unfortunately, that would be difficult to do even with a *display* filter, as "what app caused this request to be sent or caused the request to which this packet is a reply to be sent" isn't available in Wireshark captures; unless you know, in advance, what ports the app will be using with particular servers, it'd be difficult, at best, to winnow out packets from other applications (or daemons or kernel modules or other "system" code). If you *do* know, a capture filter could probably be constructed - but, just because it's using particular ports in one capture, that doesn't necessarily mean it'll be using the same ports in the next capture.

At the moment I am less interested in the ports used as I am in identifying the servers that the app connects to. Once I identify all the servers I figure it should be possible to create a filter that excludes all but those servers.

What particular services are you interested in?

Right now I'm studying the Jabber protocol and how it works. I mainly want to see how packets are passed around.