用于决定将什么样的信息记录在捕捉结果中。需要在开始捕捉前设置。

捕捉器语法

[not] primitive [and | or [not] primitive ...]

primitive := qualifiers id

id := name or number

qualifiers := type dir proto

type

type qualifiers say what kind of thing the id name or number refers to. Possible types are host, net , port and portrange. E.g., host foo, net 128.3, port 20, portrange 6000-6008. If there is no type qualifier, host is assumed.

常用过滤器

• DHCP

  port 67 or port 68
  

• 目的MAC

  ether dst 74-D4-35-46-3C-8E
  

• tcp端口

  tcp port 80
  

参考

1. https://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureFilterSection.html
2. http://www.tcpdump.org/manpages/pcap-filter.7.html
3. http://wiki.wireshark.org/CaptureFilters