57

Is there a way to clear the capture window in Wireshark without restarting the capture or re-applying the filter? It's difficult to tell one set of traffic from another without looking very closely at the timestamp.

Ryan Shripat
  • 5,574
  • 6
  • 49
  • 77

5 Answers5

62

I don't see a way to clear the window, but hitting 'Restart the running live capture' seems to work.

You can therefore clear the window in WireShark by doing one of the following:

  • Clicking on the green shark-fin to the right of the red Stop button
  • Clicking on Capture > Restart
  • Hitting Ctrl-R.
Ryan Shripat
  • 5,574
  • 6
  • 49
  • 77
  • 6
    Added as an Enhancement Request: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9817 – Ryan Shripat Feb 28 '14 at 15:09
  • 4
    On Wireshark 2 Preview, you must Stop, then Start, then 'Continue without Saving'. – Michael Innes Sep 22 '14 at 17:30
  • 10
    If capturing from a pipe, this doesn't work - it reports the error "Unrecognized libpcap format". I think this is because it is performing some sort of operation not compatible with a pipe source. I haven't found a way to clear the capture from a pipe other than recreating the pipe and restarting wireshark. – davidA Jan 13 '15 at 22:19
  • 4
    @meowsqueak - Yes, you're right. This has also been mentioned on the Enhancement Request page: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9817#c4. – Ryan Shripat Jan 15 '15 at 11:50
  • This breaks my capture for my Atmel Zigbee Sniffer :( – Larry Oct 23 '15 at 03:07
  • By the way, it means there's no way to clear the current logs without restart. That's awesome; I think I've seen that on the previous version of wireshark... – kakadais Jun 02 '16 at 09:45
  • Its 2022 and I still do not think this exists. I hope I am proved wrong. – Andrew S Oct 21 '22 at 04:58
6

Possible workaround w/o stopping/restarting capture

Suppose the last packet captured so far is the xth packet. Just apply the filter frame.number>x and everything disappears :)

Darren Ng
  • 373
  • 5
  • 12
  • 1
    This answer is underrated. I am using Wireshark on GNS3 and it crashes if I restart the capture. This was the only way I could get rid of the old packets. – Ali Tou Aug 21 '20 at 11:54
  • 1
    Excellent! One technique to get that filter text is: right click on the `No.` column (No. is the frame number) on any line then `Prepare as Filter` > `Selected`. This will populate the filter text with `frame.number == NNNN` (where NNNN is the frame number you selected). Change `==` to `>` to clear everything up to that frame, or `>=` to keep that frame and everything after, etc. (Note: this is using Wireshark 4.0.6) – cod3monk3y Jul 21 '23 at 19:53
2

For Mac users, ⌘r for a restart

Tom Howard
  • 4,672
  • 2
  • 43
  • 48
2

Update: F5 button now reassign to refresh interface.

Wireshark 2.02 refresh capture display Ubuntu : Press Close the capture file

Windows : Press the Green fin Restart current capture

mootmoot
  • 12,845
  • 5
  • 47
  • 44
0

There seems to be no way to clear the window. Just hit the refresh button multiple times fast and hit STOP in the end. It will then give a warning: "No packets captured". That's all. After this you can hit the start capture button to record your packets of concern.

If it gives a pop-up asking to save the capture on hitting refresh every-time, just disable that functionality for time being. Uncheck the "Confirm unsaved capture files" field under Preferences.

enter image description here

Prateek Bhuwania
  • 755
  • 1
  • 8
  • 19