What is the main difference between capture filters and display filters in Wireshark?

Capture filters determine which packets are saved by the capture process itself, applying at the moment of capture. Only packets that match the filter are written to the capture file, which helps reduce disk usage and load on the system during collection. Display filters, by contrast, are applied after capture to the data already stored, controlling which packets are shown in Wireshark’s UI without changing the underlying capture file. This means you can capture everything (or a lot) and then use display filters to focus on what you want to analyze, or switch filters later without needing to recapture. Capture filters use BPF syntax, while display filters use Wireshark’s own display filter syntax. For example, capture a specific port to limit what’s recorded; later, apply a display filter to view only HTTP traffic within that captured data.