In this chapter, we will learn how to work with display filters. Display filters are filters that we apply after capturing the data (filtered by capture filters or not), and when we wish to display only a part of the data.

Display filters can be implemented in order to locate various types of data:

• Parameters, such as IP addresses, TCP or UDP port numbers, URLs, or server names
• Conditions, such as packet lengths shorter than TCP port ranges
• Phenomena, such as TCP retransmissions, duplicate ACKs and others, various protocol error codes, flag existence, and so on
• Various applications parameters, such as Short Message Service (SMS) source and destination numbers, Server Message Block (SMB), Simple Mail Transfer Protocol (SMTP), server names, and so on

Any data that is sent over the network can be filtered, and once filtered, create statistics and graphs according to it.

As we will describe in the recipes in this chapter, there are various ways to configure display filters, from predefined menus, the packet pane, or by writing the syntax directly.