Wireshark-users: Re: [Wireshark-users] Active filter

From: "Christopher Wooley" <christopher@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 09 Sep 2009 10:04:07 -0500
The wiki does refer to the capture options, but the wiki points to the documentation about filtering while capturing, which is the second link I have pointed out. The documentation for that is not correct.

Christopher Wooley
Systems Engineer
Asset Inventory Services
Overdrive Advanced Computers

"Question with boldness."
~Thomas Jefferson

"Those who give freedom for a little security deserve neither."
~Benjamin Franklin

From: sean bzd [mailto:seanbzd@xxxxxxxxx]
To: Community support list for Wireshark [mailto:wireshark-users@xxxxxxxxxxxxx]
Sent: Wed, 09 Sep 2009 09:59:55 -0500
Subject: Re: [Wireshark-users] Active filter

I think you are confusing "Capture Filters" with "Display filters while capturing"; these are two different things. The WIKI link you pointed to correctly talks about Capture Filters, and the place where you are trying to enter the filter string, where you are getting the error, is a place to enter a display filter, not a capture filter. The capture filter goes in the "Capture Options".

On Tue, Sep 8, 2009 at 4:29 PM, Christopher Wooley <christopher@xxxxxxxxxxxxxxxxxxxx> wrote:
Under further information for "filtering while capturing":
http://wiki.wireshark.org/CaptureFilters
it gives the example in the docs page:
http://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureFilterSection.html
tcp port 23 and host 10.0.0.5
if you type in tcp port 23, it gives the error, but if you use tcp.port==23, it doesn't
the correct syntax would have been tcp.port==23 and ip.src="">

From: sean bzd [mailto:seanbzd@xxxxxxxxx]
To: Community support list for Wireshark [mailto:wireshark-users@xxxxxxxxxxxxx]
Sent: Tue, 08 Sep 2009 14:01:52 -0500
Subject: Re: [Wireshark-users] Active filter


I suppose you mean Display filter. Display filters work online (while capture is going on) and offline. Their syntax is different from capture filters. What does the WIKI say about the syntax?

On Tue, Sep 8, 2009 at 2:51 PM, Christopher Wooley <support@xxxxxxxxxxxxxxxxxxxx> wrote:
Figured it out. I searched through the expressions list until I found it. Does the WIKI need to be updated?



From: Christopher Wooley [mailto:support@xxxxxxxxxxxxxxxxxxxx]
To: wireshark-users@xxxxxxxxxxxxx
Sent: Tue, 08 Sep 2009 13:44:24 -0500
Subject: [Wireshark-users] Active filter


I am trying to filter an active capture for port 3250, but when I use "tcp port 3250" in the filter I get "port was unexpected in this context". What's the correct way to do this?


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
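
Added example, not part of the original thread or of Wireshark's own code: a small Python translator from a subset of capture-filter primitives (`tcp|udp [src|dst] port N`, `[src|dst] host A.B.C.D`) to the display-filter syntax the thread discusses. The function names and the supported subset are assumptions chosen for illustration.

```python
import re

# Subset of libpcap capture-filter primitives and the display-filter fields
# that select the same packets (chosen for this example, not exhaustive).
_PORT = re.compile(r"^(tcp|udp) (src |dst )?port (\d+)$")
_HOST = re.compile(r"^(src |dst )?host (\d{1,3}(?:\.\d{1,3}){3})$")
_PORT_FIELD = {"": "port", "src ": "srcport", "dst ": "dstport"}
_ADDR_FIELD = {"": "addr", "src ": "src", "dst ": "dst"}


def primitive_to_display(prim):
    """Translate one capture-filter primitive, or raise ValueError."""
    prim = " ".join(prim.split())  # collapse repeated whitespace
    m = _PORT.match(prim)
    if m:
        proto, direction, port = m.group(1), m.group(2) or "", int(m.group(3))
        if port > 65535:
            raise ValueError(f"port out of range: {port}")
        return f"{proto}.{_PORT_FIELD[direction]} == {port}"
    m = _HOST.match(prim)
    if m:
        # A bare "host" matches source or destination, hence ip.addr.
        return f"ip.{_ADDR_FIELD[m.group(1) or '']} == {m.group(2)}"
    raise ValueError(f"not a supported capture-filter primitive: {prim!r}")


def capture_to_display(expr):
    """Translate primitives joined by 'and' or by 'or' (not both)."""
    parts = re.split(r"\s+(and|or)\s+", expr.strip())
    operators = set(parts[1::2])
    if len(operators) > 1:
        # libpcap gives and/or equal precedence; refuse to guess the grouping.
        raise ValueError("mixed and/or needs explicit grouping")
    translated = [primitive_to_display(p) for p in parts[0::2]]
    joiner = f" {operators.pop()} " if operators else " "
    return joiner.join(translated)


if __name__ == "__main__":
    # Constructed inputs: the question's filter and the docs example.
    for capture in ("tcp port 3250", "tcp port 23 and host 10.0.0.5"):
        print(f"{capture!r:35} -> {capture_to_display(capture)}")
```

A string that is already in display-filter form, such as `tcp.port==23`, is rejected with `ValueError`, which mirrors the mismatch behind the error reported in the thread.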

