Wireshark Filter Recommendations

[jlpoolen]

I'm using wireshark and currently I have in effect a filter using the ip of the camera I'm testing retina's client against. My filter consists of the simple:

 host 192.168.1.48

My camera is assigned the IP 192.168.1.48. Are there any other filters you recommend which might abbreviate the log file? For instance, perhaps all the data packets are not desired, just events. Using ffmpeg for 24 seconds generates a wireshark log file of 69MB.

I think having this "Issue" would be helpful as a location for recommendations of what filter settings to use for particular classes of investigation.

[scottlamb]

That's about what I do. I save everything going over the RTSP connection: host 192.168.1.48 and port 554. This will produce approximately the same result unless you're using the camera's web interface or something.

[edit later: we've added UDP support in #30. When using it, the filter above will capture only the RTSP control stream, not the RTP/RTCP data packets. When using UDP, it's probably better to start with the plain host 192.168.1.48 and exclude anything you don't want such as web interface traffic.]

I then skim through it via Wireshark's "display filters".

If you want to make the packet captures smaller, one trick is to test via the "sub" stream rather than the "main" stream.