1
00:00:00,870 --> 00:00:06,390
In this lecture I will explain how to work with the Wireshark display filters.

2
00:00:07,230 --> 00:00:15,060
But first I will add some information about how to work with capture filters that we have seen in the

3
00:00:15,120 --> 00:00:17,150
previous lecture.

4
00:00:17,190 --> 00:00:30,420
So for example we have seen that we can use existing capture filters or add an additional one or modify

5
00:00:30,510 --> 00:00:34,450
an existing one, and we can also write

6
00:00:34,470 --> 00:00:46,200
a filter in this box and then save this filter, and using these existing filters will help us to

7
00:00:46,200 --> 00:00:51,330
save them and use them later without the need to write them again.

8
00:00:51,480 --> 00:00:59,670
And there is another benefit in working with capture filters from the Capture menu and then select Options,

9
00:01:00,270 --> 00:01:08,410
which is that we can apply a different capture filter for each interface.

10
00:01:08,960 --> 00:01:22,980
And by choosing Output we can save the capture to a permanent file, and using the Options tab we can

11
00:01:24,750 --> 00:01:27,520
configure when to stop capturing.

12
00:01:28,890 --> 00:01:33,880
So let us now start explaining about display filters.

13
00:01:34,030 --> 00:01:42,340
I will start capturing on the wireless connection interface.

14
00:01:42,630 --> 00:01:44,360
So now I will start the capture.

15
00:01:45,360 --> 00:02:01,950
So if I want to focus on a specific protocol, for example IGMP, I can type that in the display filter box

16
00:02:03,410 --> 00:02:04,080
and then hit Enter.

17
00:02:05,310 --> 00:02:16,800
So now we see all the packets of IGMP, and we can also apply a specific value as a filter that is present

18
00:02:16,800 --> 00:02:17,300
in the packets.

19
00:02:17,310 --> 00:02:25,710
So for example I want to search for packets from this IP address. I can right click on it and then select

20
00:02:25,770 --> 00:02:39,590
Apply as Filter and then Selected, so that will display packets from that IP as a source.

21
00:02:40,170 --> 00:02:40,860
Or we can

22
00:02:43,560 --> 00:02:45,360
use the Not Selected.

23
00:02:45,360 --> 00:02:55,210
So for example I want to search for packets that are not from the source IP address.

24
00:02:55,210 --> 00:03:09,430
I can select Not Selected, and we can search for a specific field in a protocol. So for example I want

25
00:03:09,430 --> 00:03:12,070
to search in

26
00:03:15,310 --> 00:03:24,430
TCP for a specific destination port, for example this one. I can click here and then select Apply as

27
00:03:24,430 --> 00:03:25,730
a Filter and then Selected.

28
00:03:27,190 --> 00:03:39,100
So here we see that we have packets of SSL only, so the destination port of 443. We see that when we

29
00:03:39,280 --> 00:03:48,650
apply the filter, the display filter expression was written automatically in the display filter box.

30
00:03:48,910 --> 00:03:59,050
So if we want something to help us to write those expressions we can click here, and here we see that

31
00:03:59,050 --> 00:04:07,270
we have many protocols and fields and relations and values.

32
00:04:07,270 --> 00:04:25,380
So for example I want to search for the packets that have the SYN flag. I can go here and then select

33
00:04:25,440 --> 00:04:29,490
this one and then click on OK.

34
00:04:30,150 --> 00:04:37,110
And I have to delete this filter first, then click here,

35
00:04:40,100 --> 00:04:46,350
so now we see packets that contain only the TCP SYN flag.

36
00:04:46,650 --> 00:05:00,000
And here in the status bar we see that we have 16 packets displayed from more than 2000 packets that

37
00:05:00,000 --> 00:05:12,670
are captured, and we can also use existing filters like we have seen in working with the capture filters,

38
00:05:13,070 --> 00:05:15,960
and we can also

39
00:05:16,490 --> 00:05:21,130
modify existing ones or add new ones.

40
00:05:21,740 --> 00:05:27,560
And you can also reach the same dialog box from the Analyze menu and then Display Filters,

41
00:05:30,270 --> 00:05:38,640
and here in this packet we see that we have

42
00:05:41,350 --> 00:05:48,070
name resolution for the organization part of the MAC address.

43
00:05:48,070 --> 00:05:56,890
So name resolution is enabled by default in Wireshark, and we can change the settings of that by going

44
00:05:56,890 --> 00:06:03,580
to the Edit menu and then Preferences and then Name Resolution.

45
00:06:03,580 --> 00:06:17,010
So we see that name resolution is enabled for MAC addresses but not for the IP addresses, and it is recommended

46
00:06:17,010 --> 00:06:27,450
to turn that off for hosts or IP addresses because that can degrade the performance of Wireshark

47
00:06:28,020 --> 00:06:40,080
or fail to work correctly, or it will also inject some DNS traffic into the network that can interfere

48
00:06:40,380 --> 00:06:43,650
with your actual traffic.

49
00:06:43,650 --> 00:06:51,210
So in this lecture I have explained different ways of working with the Wireshark display filters, and

50
00:06:51,210 --> 00:07:00,150
in the next lecture I will explain about working with the colouring rules and how to save captures.