1. CAPTURE FILTERS

The capture filter syntax is the same as the one used by programs built on the libpcap (Linux) or WinPcap (Windows) library, such as the well-known tcpdump. The capture filter must be set before launching the Wireshark capture, unlike display filters, which can be modified at any time during the capture.

The steps to configure a capture filter are the following:
- Select Capture -> Options.
- Fill in the "Capture filter" field, or click the "Capture filter" button to give your filter a name so you can reuse it for subsequent captures.
- Click Start to capture data.

Syntax:   Protocol  Direction  Host(s)   Value  Logical Operations  Other expression
Example:  tcp       dst        10.1.1.1  80     and                 tcp dst 10.2.2.2 3128

Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all the protocols are used.

Direction:
Values: src, dst, src and dst, src or dst ...
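
As an added example (not part of the original page), this Python sketch assembles the page's Protocol / Direction / Host / Value fields into a literal libpcap expression, with addresses and ports introduced by the `host` and `port` keywords. The function names `term` and `combine`, the restriction to IPv4 hosts and the reduced protocol set are assumptions made here.

```python
import ipaddress

# Protocols from the page's list that libpcap accepts as a stand-alone
# primitive and that combine with an IPv4 host term (assumption: link-level
# qualifiers such as ether/fddi take MAC addresses and are left out here).
PROTOCOLS = {"ip", "arp", "rarp", "tcp", "udp"}
DIRECTIONS = {"src", "dst", "src and dst", "src or dst"}


def term(protocol=None, direction="src or dst", host=None, port=None):
    """Build one filter term from the Protocol/Direction/Host/Value fields."""
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown direction: {direction!r}")
    parts = []
    if protocol is not None:
        if protocol not in PROTOCOLS:
            raise ValueError(f"unsupported protocol: {protocol!r}")
        parts.append(protocol)
    if host is not None:
        # IPv4Address raises ValueError for anything but a literal address,
        # so extra filter keywords cannot ride along in the host field.
        parts.append(f"{direction} host {ipaddress.IPv4Address(host)}")
    if port is not None:
        if protocol not in (None, "tcp", "udp"):
            raise ValueError("a port only makes sense with tcp or udp")
        if type(port) is not int or not 0 <= port <= 65535:
            raise ValueError(f"invalid port: {port!r}")
        parts.append(f"{direction} port {port}")
    if not parts:
        raise ValueError("empty term")
    return " and ".join(parts)


def combine(operator, *terms):
    """Join terms with 'and' / 'or'; parentheses keep precedence explicit."""
    if operator not in ("and", "or"):
        raise ValueError(f"unknown operator: {operator!r}")
    return f" {operator} ".join(f"({t})" for t in terms)


if __name__ == "__main__":
    # The page's example row: tcp dst 10.1.1.1 80 and tcp dst 10.2.2.2 3128
    print(combine("and", term("tcp", "dst", "10.1.1.1", 80),
                  term("tcp", "dst", "10.2.2.2", 3128)))
```

The resulting string can be pasted into the "Capture filter" field described above.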