Copy the display filter into the clipboard, then close and restart Wireshark. After that, reload the file. Was the whole capture saved or just the displayed packets?

Wireshark's display filter does not change the saved packet capture; it only alters the temporary view. When Wireshark is closed and reopened, the entire capture with all the packets is still present, and the filter must be reapplied to affect the display.

Explanation:

When you are using Wireshark and apply a display filter, it does not permanently modify the underlying packet capture file. Instead, it temporarily changes what is being displayed in the Wireshark interface. If you copy the display filter, close Wireshark, and then restart the program and reload the capture file, the entire capture with all the packets is still intact and has been saved. The display filter just changes the view of the packets, not the actual saved data. So, when you close and reopen Wireshark, the filter is no longer active until you paste it again into the filter bar and apply it.