Wireshark mailing list archives

Re: Capture Filter Everything


From: Guy Harris <guy () alum mit edu>
Date: Wed, 28 Sep 2011 11:01:29 -0700


On Sep 27, 2011, at 5:29 PM, Chuck B wrote:

> Is it possible to filter everything from a capture session but only the things specific to that capture session?

That depends on what the purpose is of the capture session, i.e. it depends on what criteria determine what's specific 
to the capture session.

> To clarify: I want to study all of the interactions that an app has with multiple servers and multiple ports. But
> there are a lot of packets mixed in with the capture that don't have anything to do with the app's interactions.

Unfortunately, that would be difficult to do even with a *display* filter, as "what app caused this request to be sent 
or caused the request to which this packet is a reply to be sent" isn't available in Wireshark captures; unless you 
know, in advance, what ports the app will be using with particular servers, it'd be difficult, at best, to winnow out 
packets from other applications (or daemons or kernel modules or other "system" code).  If you *do* know, a capture 
filter could probably be constructed - but, just because it's using particular ports in one capture, that doesn't 
necessarily mean it'll be using the same ports in the next capture.

What particular services are you interested in?
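
An added example (not part of the message above and not Wireshark project code): on Linux the OS knows which process owns a socket even though the capture does not, so one way to learn an app's current server/port pairs is to parse `ss -tnp` output and build a capture filter from them. The `ss` sample, the process name `myapp` and the helper names are constructed for illustration; the resulting filter covers only the connections open at that moment, which is the caveat the message raises.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `ss -tnp` output (documentation addresses, made-up PIDs).
SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.0.2.10:51514 198.51.100.7:443 users:(("myapp",pid=4121,fd=23))
ESTAB 0 0 192.0.2.10:51520 198.51.100.7:8443 users:(("myapp",pid=4121,fd=24))
ESTAB 0 0 192.0.2.10:40022 203.0.113.5:22 users:(("ssh",pid=977,fd=3))
ESTAB 0 0 [2001:db8::10]:51600 [2001:db8::99]:443 users:(("myapp",pid=4121,fd=25))
"""

def peers_for(process, ss_text):
    """Return {server address: sorted server ports} for sockets owned by `process`."""
    peers = defaultdict(set)
    for line in ss_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue                               # no owner column (e.g. run unprivileged)
        names = re.findall(r'\("([^"]+)",pid=\d+', fields[5])
        if process not in names:
            continue
        host, _, port = fields[4].rpartition(":")  # IPv6 peers look like [addr]:port
        addr = ipaddress.ip_address(host.strip("[]"))  # raises ValueError on garbage
        peers[str(addr)].add(int(port))
    return {h: sorted(p) for h, p in sorted(peers.items())}

def capture_filter(peers):
    """Build a pcap-filter expression matching TCP traffic to/from each server:port."""
    clauses = []
    for host, ports in peers.items():
        port_expr = " or ".join(f"tcp port {p}" for p in ports)
        clauses.append(f"(host {host} and ({port_expr}))")
    return " or ".join(clauses)

if __name__ == "__main__":
    # The printed expression can be used as a capture filter for this snapshot only.
    print(capture_filter(peers_for("myapp", SS_OUTPUT)))
```

Connections the app opens after the snapshot, or to servers it had not yet contacted, fall outside the filter and are never captured.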