WEBVTT

00:00.120 --> 00:09.450
In this lecture, we are going to learn how to optimize the filtering techniques using logical operators

00:09.450 --> 00:11.190
not and or.

00:11.220 --> 00:20.490
Alright, so let's start with the or operator. The or operator allows us to combine multiple filters.

00:20.610 --> 00:27.990
For example, let's say you want to see HTTP and ARP packets.

00:28.200 --> 00:32.550
Just type or between the filters.

00:32.940 --> 00:44.460
Now I am basically telling Wireshark that if you find the HTTP packets or ARP packets, then show me

00:44.460 --> 00:45.320
all of them.

00:45.330 --> 00:45.810
Right?

00:45.810 --> 00:53.580
So this filter is going to display all the ARP and HTTP packets in the list.

00:53.820 --> 01:02.520
So if I hit enter, as you can see, guys, now we only have HTTP traffic and let me see the ARP

01:02.550 --> 01:03.450
packets as well.

01:03.450 --> 01:07.170
As you can see, we have the ARP traffic as well.

01:07.200 --> 01:12.460
So guys, in this way you can combine as many filters as you like.

01:12.480 --> 01:16.190
All you need to do is separate them with or.

01:16.480 --> 01:22.830
Now this time let me go for ICMP traffic, hit enter.

01:22.860 --> 01:26.160
Now we should have ICMP traffic as well as you can see.

01:26.250 --> 01:33.720
So yeah, like I said, you can combine as many filters as you like with the or operator.

01:33.900 --> 01:41.670
Now the next operator that we have is not. OK, before moving to not,

01:41.700 --> 01:47.760
let me show you another way of writing the or operator. Instead of writing

01:47.760 --> 01:50.240
or, you can write these two symbols.

01:50.250 --> 01:52.050
These are called pipes.

01:52.140 --> 01:54.750
As you can see, it is a valid filter.

01:54.780 --> 01:59.130
Now let's move to the not operator.

01:59.220 --> 02:04.280
Basically, it negates the value that you supply to it.

02:04.290 --> 02:14.550
For example, let me type not TCP. Now the not operator is going to negate or ignore the TCP packets.

02:14.550 --> 02:20.490
So this filter will not display the TCP packets.

02:20.850 --> 02:27.170
I am basically telling Wireshark that do not display the TCP traffic.

02:27.450 --> 02:35.550
So if I hit enter under the protocol column, you are not going to see any TCP IP packet as you can

02:35.550 --> 02:35.940
see.

02:35.940 --> 02:41.520
So the not operator has basically excluded the TCP packets.

02:41.640 --> 02:42.120
Right.

02:42.150 --> 02:44.100
Now, let me give you another example.

02:44.100 --> 02:46.900
Let's say UDP, not UDP.

02:46.920 --> 02:52.440
Now, as you can see, UDP packets have been filtered out.

02:52.800 --> 02:56.100
Now let's combine multiple filters.

02:56.460 --> 03:03.150
Let's say you want to filter out UDP and TCP packets, right?

03:03.300 --> 03:09.330
When you need to combine multiple filters, we have to use the or operator.

03:09.330 --> 03:19.440
So if I write something like this, not UDP or not TCP, as you can see syntactically it is a valid

03:19.440 --> 03:24.650
filter, but it is not going to produce the result that you want.

03:24.660 --> 03:25.950
So let me hit enter.

03:26.040 --> 03:32.270
As you can see, we have both UDP and TCP traffic, right?

03:32.280 --> 03:35.800
Because this filter does not make any sense.

03:35.820 --> 03:43.860
What I'm telling Wireshark is that do not show me UDP packets or do not show me the TCP packets.

03:43.860 --> 03:44.460
Right?

03:44.460 --> 03:53.760
So when you want to negate multiple values, we have to supply the filters in the brackets.

03:53.760 --> 03:56.310
So inside brackets, right.

03:56.340 --> 04:01.350
Not (TCP or UDP).

04:01.380 --> 04:10.710
Now this time, what I am basically telling Wireshark is that if you find UDP or TCP packets, then

04:10.710 --> 04:11.880
negate them.

04:11.910 --> 04:17.490
Do not show me the packets that I have specified in the bracket.

04:17.700 --> 04:25.260
Now, if I hit enter, as you can see, Wireshark has removed all the UDP or TCP packets.

04:25.560 --> 04:28.740
Now let me add another filter.

04:28.770 --> 04:31.220
Let's say ICMP.

04:31.230 --> 04:36.480
Now, as you can see, it has removed all the specified traffic.

04:36.480 --> 04:40.740
We are only left with the ARP packets.

04:40.740 --> 04:41.180
Right.

04:41.190 --> 04:47.550
The not operator can be written with an exclamation mark as well.

04:47.910 --> 04:50.940
As you can see, it is also a valid filter.

04:50.940 --> 04:54.750
If I hit enter it is producing the same result.

04:54.750 --> 04:59.310
So exclamation mark and not are both the same.

04:59.310 --> 04:59.820
Now, another operator

04:59.990 --> 05:09.500
that we have is and. We will cover the and operator in the next lecture with an appropriate example.
