How to get Wireshark to filter out Spanning Tree?

CriscoSystems
Level 5

I am brand new to Wireshark. I want to capture some BGP opens and updates; however, it is capturing absolutely everything that comes over the switch, including BPDUs every 2 secs. None of the built-in filters seem designed to filter out STP traffic. And I'm confused about creating a new filter; it says I must give a "protocol value" even after selecting stp from the menu.

Any advice would be much appreciated.

1 Reply

Peter Paluch
Cisco Employee

Hello Seth,

You can do filtering in two stages in Wireshark. The first stage is when the packets are captured (i.e. which packets will be captured), the second stage is when the captured packets are displayed (i.e. which packets that have been captured will be displayed to you).

Much easier is using the second stage - i.e., after you capture all traffic and possibly stop the capture, you write your filter expression in the "Filter" line in the upper part of the Wireshark window and click on "Apply". Specifically, if you do not want to see the STP packets but want to see everything else, write

!stp

in the Filter line (yes, together with the exclamation mark that means "not").

If, on the other hand, you want to see only the BGP communication then you may want to write

bgp

into the Filter line. This will make sure that only the packets that carry the BGP messages will be displayed.

The first stage filtering I have been talking about is configured in the Capture options window using so-called tcpdump filter expressions; however, they are more limited and their syntax can be slightly more difficult, so for a starting user of Wireshark, the filtering of displayed packets is much easier (and pretty much what anybody uses anyway).

Best regards,

Peter
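
Added example, not part of Peter's reply: the capture-stage counterparts of the two display filters above are the pcap filter expressions `not stp` and `tcp port 179`. This Python sketch approximates what those two expressions test at the byte level, run over constructed frames; the function names and sample frames are assumptions of the example, and only IPv4 is handled.

```python
import struct

BGP_PORT = 179  # TCP port BGP sessions run over

def is_stp(frame: bytes) -> bool:
    """Approximates capture filter 'stp': 802.3 frame with LLC SAP 0x42."""
    if len(frame) < 16:
        return False
    length = struct.unpack("!H", frame[12:14])[0]
    # <= 1500 means an 802.3 length field, so an LLC header follows it.
    return length <= 1500 and frame[14:16] == b"\x42\x42"

def is_tcp_179(frame: bytes) -> bool:
    """Approximates capture filter 'tcp port 179' (IPv4 only in this sketch)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return False
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
        return False  # non-first fragment carries no TCP header
    tcp = 14 + (frame[14] & 0x0F) * 4  # skip the IPv4 header (IHL words)
    if len(frame) < tcp + 4:
        return False
    return BGP_PORT in struct.unpack("!HH", frame[tcp:tcp + 4])

# Constructed sample frames (not taken from a real capture).
HOSTS = bytes.fromhex("00aabbccddee001122334455")      # unicast dst + src
BRIDGES = bytes.fromhex("0180c2000000001122334455")    # STP multicast dst + src
BPDU = BRIDGES + bytes.fromhex("0026424203") + bytes(35)
ARP = HOSTS + bytes.fromhex("0806") + bytes(28)
IP = bytes.fromhex("4500002800014000400600000a0000010a000002")
BGP = HOSTS + bytes.fromhex("0800") + IP + struct.pack("!HH", 49152, 179) + bytes(16)
FRAMES = {"bpdu": BPDU, "arp": ARP, "bgp": BGP}

def matching(predicate):
    """Names of the sample frames a filter predicate keeps."""
    return [name for name, f in FRAMES.items() if predicate(f)]

if __name__ == "__main__":
    print("not stp      ->", matching(lambda f: not is_stp(f)))
    print("tcp port 179 ->", matching(is_tcp_179))
```

Unlike the display filter bgp, `tcp port 179` also keeps handshake and bare ACK segments on that port, because it matches the port and not the decoded protocol.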
