
Wireshark-users: Re: [Wireshark-users] Capture Filter Everything

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 28 Sep 2011 11:01:29 -0700

On Sep 27, 2011, at 5:29 PM, Chuck B wrote:

> Is it possible to filter everything from a capture session but only the things specific to that capture session?

That depends on what the purpose is of the capture session, i.e. it depends on what criteria determine what's specific to the capture session.

> To clarify: I want to study all of the interactions that an app has with multiple servers and multiple ports. But, there are a lot of packets mixed in with the capture that don't have anything to do with the app's interactions.

Unfortunately, that would be difficult to do even with a *display* filter, as "what app caused this request to be sent or caused the request to which this packet is a reply to be sent" isn't available in Wireshark captures; unless you know, in advance, what ports the app will be using with particular servers, it'd be difficult, at best, to winnow out packets from other applications (or daemons or kernel modules or other "system" code).  If you *do* know, a capture filter could probably be constructed - but, just because it's using particular ports in one capture, that doesn't necessarily mean it'll be using the same ports in the next capture.

What particular services are you interested in?