Wireshark

Introduction

Filtering

Two distinct filters are used in Wireshark, namely the capture filter and display filter.

Capture filters are implemented as BPF (Berkeley Packet Filter) programs. Historically, BPF is a pseudo-device that binds to a network interface and allows reads from (and writes to) a copy of the network device buffer, which is essentially a raw interface to the data link layer. The filter runs inside a small in-kernel virtual machine that interprets BPF instructions (or JIT-compiled versions of them). The advantage is that the kernel itself decides which packets to hand to the userspace process that supplied the filter, so unwanted packets are never copied at all.

For deeper packet inspection and analysis, the Wireshark display filter supports a richer syntax that can unpack many more protocols (more than 285000 fields in 3000 protocols as of v4.0.4), because it operates on fully dissected fields rather than on raw packet bytes.
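To make the capture-filter side concrete, here is an added example (not code from the page or from the Wireshark project): a toy interpreter for classic BPF that runs a hand-assembled `tcp port 443` program over constructed Ethernet/IPv4/TCP frames, mirroring what the in-kernel VM does with raw bytes before anything is copied to userspace. The opcode spellings, the `frame()` builder and the sample frames are my own assumptions, and the IPv6 branch that tcpdump would emit for this filter is omitted.

```python
import struct
# Hand-assembled classic BPF for `tcp port 443`, Ethernet/IPv4 branch only (the
# IPv6 branch tcpdump -d would emit is omitted). Tuples are (op, k, jt, jf).
TCP_PORT_443 = [
    ("ldh", 12, 0, 0),       # A = EtherType
    ("jeq", 0x0800, 0, 10),  # not IPv4 -> reject
    ("ldb", 23, 0, 0),       # A = IPv4 protocol
    ("jeq", 6, 0, 8),        # not TCP -> reject
    ("ldh", 20, 0, 0),       # A = IPv4 flags + fragment offset
    ("jset", 0x1FFF, 6, 0),  # later fragment carries no TCP header -> reject
    ("ldxb", 14, 0, 0),      # X = 4 * IHL, the IPv4 header length
    ("ldh_x", 14, 0, 0),     # A = TCP source port at 14 + X
    ("jeq", 443, 2, 0),      # match -> accept
    ("ldh_x", 16, 0, 0),     # A = TCP destination port
    ("jeq", 443, 0, 1),      # match -> accept, else reject
    ("ret", 262144, 0, 0),   # accept: copy up to snaplen bytes to userspace
    ("ret", 0, 0, 0),        # reject: copy nothing
]

def run_bpf(prog, pkt):
    # Returns bytes to capture (0 = drop); jumps are relative to the next instruction, and a load past the packet end drops it.
    a = x = pc = 0
    try:
        while pc < len(prog):
            op, k, jt, jf = prog[pc]
            pc += 1
            if op == "ldh":
                a = struct.unpack_from("!H", pkt, k)[0]
            elif op == "ldb":
                a = pkt[k]
            elif op == "ldxb":
                x = 4 * (pkt[k] & 0x0F)
            elif op == "ldh_x":
                a = struct.unpack_from("!H", pkt, x + k)[0]
            elif op == "jeq":
                pc += jt if a == k else jf
            elif op == "jset":
                pc += jt if a & k else jf
            elif op == "ret":
                return k
    except (struct.error, IndexError):
        return 0
    raise ValueError("program fell off the end")

def frame(sport, dport, proto=6, ihl=5, frag_off=0):
    # Constructed Ethernet/IPv4/TCP frame; only the fields the filter reads matter.
    eth = bytes(12) + b"\x08\x00"
    ip = bytes([0x40 | ihl, 0]) + struct.pack("!HHHBBH", 40, 0, frag_off, 64, proto, 0)
    ip += bytes(8) + bytes(4 * (ihl - 5))  # src/dst addresses, then any IP options
    return eth + ip + struct.pack("!HH", sport, dport) + bytes(16)
```

Note that the filter never parses TCP itself: it only follows fixed offsets plus the IHL-derived header length, which is why a non-first fragment or a truncated frame is dropped rather than mis-matched.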

Here's a table of all official resources:

                 Wiki            User guide   Reference
Capture filter   examples (src)  docs         pcap-filter(7)
Display filter   examples (src)  docs         reference

A quick set of examples is already provided in Wireshark itself:

Other resources

Conferences

Sharkfest (there is one coming up in Singapore, 17-19 April 2023) has pretty nice workshops and talks. Because I don't have the disposable income to afford their USD 1400 conference registration price, a good alternative is to revisit their old conference materials, which have both keynote speakers as well as classes.

Some interesting ones I picked out from the listings: