Comprehending display filters

While capturing traffic, or analyzing a pre-captured file, display filters help to narrow the scope and home in on specific types of traffic. It's not uncommon to have a capture with 2,000 to 3,000 packets and more, along with many different types of traffic.

When you launch Wireshark, you will see the startup screen, as shown in the following screenshot:

Wireshark startup screen

Across the top, below the icons, you will see the filter toolbar. Within the toolbar is the text Apply a display filter, where you can easily apply and edit display filters.

You can create a simple filter on any of the protocols Wireshark supports by using a single protocol name, or by combining several with a logical operator. For example, if you want to see Transmission Control Protocol (TCP) or Address Resolution Protocol (ARP) traffic, then you would use the tcp || arp display filter. While you are building the filter, Wireshark checks the syntax to see whether the string is valid. The syntax checker works as follows:

  • A valid display filter will turn the background green and the filter will run.
  • An invalid or incomplete string will turn the background red and the filter will not run.
  • An unknown display filter or string will turn the background yellow and the filter might run.

While it is common to see a green or red background, in rare cases, you may see a yellow background, as shown in the following screenshot, which indicates that you may get unexpected results:
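The following is an added example, not code from the book or from Wireshark: a small Python model of the three-colour feedback described above for filters built from protocol names and logical operators. The KNOWN_PROTOCOLS set and the green/red/yellow mapping are simplifying assumptions; Wireshark's real display-filter engine knows thousands of protocols and fields and applies finer rules.

```python
import re

# Assumed subset of protocol names; a real Wireshark build knows thousands.
KNOWN_PROTOCOLS = {"tcp", "udp", "arp", "ip", "icmp", "dns", "http", "tls"}
# Logical operators in both C-style and keyword spelling.
OPERATORS = {"||", "or", "&&", "and"}
TOKEN_RE = re.compile(r"\|\||&&|!|\(|\)|[A-Za-z_][A-Za-z0-9_.]*")


def tokenize(expr):
    """Split a filter string into tokens; return None on a stray character
    such as a single '|' that no token pattern accepts."""
    tokens, pos = [], 0
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(expr, pos)
        if not m:
            return None
        tokens.append(m.group())
        pos = m.end()
    return tokens


def check_filter(expr):
    """Return 'green' (valid), 'red' (invalid or incomplete) or 'yellow'
    (well-formed but with an unknown name), mirroring the filter toolbar."""
    tokens = tokenize(expr)
    if not tokens:
        return "red"
    expect_operand, depth, unknown = True, 0, False
    for tok in tokens:
        if expect_operand:
            if tok == "!":
                continue                # negation still needs an operand
            if tok == "(":
                depth += 1
                continue
            if tok in OPERATORS or tok == ")":
                return "red"            # operator where a name was expected
            if tok not in KNOWN_PROTOCOLS:
                unknown = True          # unknown protocol or field name
            expect_operand = False
        elif tok == ")":
            depth -= 1
            if depth < 0:
                return "red"
        elif tok in OPERATORS:
            expect_operand = True
        else:
            return "red"                # two names without an operator
    if expect_operand or depth != 0:
        return "red"                    # trailing operator or open paren
    return "yellow" if unknown else "green"
```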

Syntax checker with a yellow background

Working with display filters can be confusing at times, so when you do get a filter that works and you would like to reuse it, you can save it to a bookmark, as discussed in the next section.
