The Wireshark display filter displays packets with its available coloring options. Wireshark display filters are used to change the view of a capture file by providing the full dissection of all packets, which helps analyzing a network tracefile efficiently. For example, if a user is interested in only HTTP packets, the user can set the display filter to http, as shown in the next screenshot.

The steps to apply display filters are as follows:

Once the filter is applied, the Packet List pane will display only HTTP protocol-related packets:

Wireshark display filter can be applied or prepared from the column displayed in the Packet List pane by selecting the column, then right-clicking and going to Apply as Filter | Selected (as shown in the following screenshot) to create the filter from the source IP address 122.167.102.21:

Wireshark provides the flexibility to apply filters from the Details pane; the steps remain the same.

Wireshark also provides the option to clear the filter. To do this click on Clear (available in the Filter toolbar) to display the entire captured packet.

Filtering techniques

Capturing and displaying packets properly will help you with packet captures. For example, to track a packet exchanged between two hosts: HOSTA (10.0.0.221) and HOSTB (122.167.99.148), open the SampleCapture01.pcap file and apply the filter ip.src == 10.0.0.221 as shown:

Let's see what the highlighted sections depict:

Item	Description
1	Apply filter ip.src == 10.0.0.221.
2	The Packet List pane displays the traffic from source to destination. The source shows the constant IP address 10.0.0.221. There is no evidence as to which packet is sent from host 122.167.99.148 to host 10.0.0.221.

Now modify the filter (ip.src == 10.0.0.221) && (ip.dst == 122.167.99.148) to (ip.src == 10.0.0.221) or (ip.dst == 122.167.99.148). This will give the result shown in the following screenshot:

The highlighted sections in the preceding screenshot are explained as follows:

Item	Description
1	Applied filter (ip.src == 10.0.0.221) && (ip.dst == 122.167.99.148)
2	The source IP address (10.0.0.221) is not changed
3	The destination IP address (122.167.99.148) is not changed

Again the Packet List pane is not displaying the conversation between the two hosts.

Now modify the filter ip.addr == 122.167.99.148. The ip.addr field will match the IP header for both the source and destination address and display the conversation between the hosts. Remember to choose the destination IP address as shown:

Let's see what the highlighted sections depict:

Item	Description
1	Applied filter ip.addr == 122.167.99.148
2	The source IP is not constant; it shows the conversation between the two hosts
3	The destination IP is not constant; it shows the conversation between the two hosts

The same conversation is captured by choosing the destination MAC address using the display filter eth.addr == 06:73:7a:4c:2f:85.

Filter examples

Some common filter examples are as follows:

Filter/capture name	Filter value
Packet on a given port	tcp.port == 443
Packet on the source port	tcp.srcport=2222
SYN packet on port 443	(tcp.port == 443) && (tcp.flags == 0x0010)
The HTTP protocol	http
Based on the HTTP get method	http.request.method == "GET"
Using &&, tcp, and http	tcp && http
Checking the tcp window size	tcp.window_size <2000
No Arp used for normal traffic	!arp
The MAC address filter	eth.dst == 06:43:7b:4c:4f:85
Filter out TCP ACK	tcp.flags.ack==0
Check only RST and ACK packets	(tcp.flags.ack == 1) && (tcp.flags.reset == 1)
Filter all SNMP	Snmp
HTTP or DNS or SSL	http || dns | ssl

There is no need to memorize the filter; there is an easy way to apply it. The display filter Autocomplete feature lists all dissectors after the first period "." that have been added to the display filter, as shown in the following screenshot:

Note

It's worth checking the following links for a complete display filter reference:

• Check out the TCP display filter reference: https://www.wireshark.org/docs/dfref/t/tcp.html
• Check out this alternative protocol display filter reference: https://www.wireshark.org/docs/dfref/

The Packet List pane displays packets from the .pcap (or accepted Wireshark extensions) file or from live capture, as shown:

Let's discuss the fields shown:

Item	What is it?
	Shows different packets; each row corresponds to a different packet called a frame
1. No.	Number of packets in the current live/offline capture
2. Time	Shows time-stamped information when the packet was captured The Automatic setting for libpcap files is microseconds; all packets will be captured with the time in microseconds, as shown in the next screenshot
3. Source	The IP address of the source from where the packet originates
4. Destination	The IP address of the destination where the packet ends
5. Protocol	Wireshark will display information about the packet protocol based on the standard port
6. Length	The packet length in bytes
7. Info	Shows a high-level summary of the packet and the nature of the packet

To change the time-stamped information of the packet go to View | Time Display Format to view the available presentation formats, as shown:

The Wireshark Set Time Reference feature gives you the ability to view the time reference from the selected packet. Open the capture file http.pcap and set the time reference from packet 38. To do this, select packet 38, right-click, and select Set Time Reference (toggle), as shown in the following screenshot:

After *REF* is set, it becomes the starting point for all subsequent packet time calculations, as shown in the following screenshot:

The Packet Details pane will show the currently selected packet in a more detailed form. In the following screenshot, an HTTP packet is selected and its details are shown in the information labeled with numbers 1 to 5. Let's see what these are:

The frame protocol is only used by Wireshark. All the TCP/IP protocols sits on top of this. The frame shows at what time the packet was captured, as shown in the following screenshot:

Ethernet is the link layer protocol in the TCP/IP stack. It sends network packets from the sending host to one (Unicast) or more (Multicast/Broadcast) receiving hosts, as shown:

Useful filters in Ethernet are:

The packet structure of Ethernet frames is described in the following table:

The preamble (8 bytes) and FCS (4 bytes) are not part of the frame and Wireshark will not capture this field.

So the total Ethernet header is 14 bytes—6 bytes for the destination address, 6 bytes for the source address, and 2 bytes for the EtherType.

The Internet Protocol information relates to how the IP packet is delivered and whether it has used IPv4 or IPv6 to deliver the datagram packets.

The preceding screenshots show that an IPv4 protocol is used to deliver the datagram packet. Useful display filters in the IP protocol are:

The TCP protocol packet contains all TCP-related protocol data. If the communication is over UDP, the TCP will be replaced by the UDP, as shown in the following screenshot. The SEQ/ACK analysis will be done by Wireshark based on the sequence number and expert info will be provided:

The <<APPLICATION-LAYER>> protocol is shown if the packet contains any application protocols. As shown in the following screenshot, the selected packet 36 has HTTP protocol data. Wireshark has the ability to decode the protocol based on the standard port and present this information in the Packet Details pane in a readable (RFC-defined) format.

In the coming chapters we will discuss the application-related protocol in greater detail.

The Packet Bytes pane displays the bytes contained in the frame, with the highlighted area being set to the node selected in the Packet Details pane.