After working with the display filters, you may need to change an IP address, port number, or make some other change. To edit the display filter, go to the blue bookmark on the left of the display filter, and then select Manage Display Filters, which will bring up the dialog box, as shown in the following screenshot:

Once there, you can select one of the three icons:

• A plus icon to add a new display filter
• A minus icon to delete a display filter
• A copy icon to copy a display filter

When you select the plus icon and add a display filter, Wireshark will create a space in which you can enter a display filter name on the left and the actual filter on the right, as shown here:

When you select Copy, this will copy and allow you to modify the filter without changing the original filter.

As we can see, display filters can be very helpful in providing a more targeted view of the capture. However, when capturing traffic for analysis, there may be times that you only want to capture a certain type of traffic. In that case, you would use a capture filter, which we'll discuss in this next section.