Wireshark provides a very wide range of protocol-specific display filters that can be extremely useful for analysis activities by allowing you to focus on specific packets, based on criteria that you define. You can filter on just the traffic that you want to see or filter undesired traffic out of view. Display filters are one of the most helpful features of Wireshark, so they warrant becoming very familiar with.
Display filters can be created in several ways:
- By applying display filters from the Display Filter window
- By typing in the display filter syntax (using autocomplete)
- By applying display filters from the Conversations (or Endpoints) window
- By applying saved display filters from Filter Expression Buttons
- Using the Expressions button for assistance creating filters
- Using right-click menus on specific packet fields
You can open the Display Filter window by selecting Display Filters from the Analyze menu, by clicking on the Edit/apply display filter icon on the icon bar, or by just clicking the Filters button next to the display filter textbox on the display filter bar.
The Display Filter window looks and functions in a similar fashion to the capture filters window, as shown in the following screenshot. You can create a new custom display filter to be added to this window by entering a filter name and the appropriate syntax and clicking on New or clicking an existing filter. Click on New and modify/rename as per your requirements.
Display filters listed in this window were saved in a dfilters file in the Wireshark installation directory for the default profile and in the appropriate Personal configuration directory when custom profiles are in use.
When you apply a display filter, the Status Bar at the bottom of the Wireshark user interface screen reflects the total number of packets and the packets displayed, as illustrated in the following screenshot:
The default selection of capture filters from the Display Filter window shown previously provides examples of basic capture filter syntax. Additional examples of display filter syntax are outlined in the following table:
|
Description |
Syntax |
Examples |
|---|---|---|
|
Basic protocols |
|
Same as syntax examples |
|
Display filter comparison operators |
|
|
|
Protocol-specific extensions |
protocol-specific |
|
|
Classless InterDomain Routing (CIDR) notation on IPv4 addresses |
|
|
Note
Using the != operator on expressions such as eth.addr, ip.addr, tcp.port, and udp.port and alike may not work as expected as there are usually two addresses and ports in a packet, and the ! operator will not match both instances.
Use !(ip.addr == x.x.x.x) or a similar syntax for these types of filters.
More information and examples of display filters can be found on the Wireshark wiki at http://wiki.wireshark.org/DisplayFilters and protocol-specific display filter syntax is included in the reference information found at http://wiki.wireshark.org/ProtocolReference.
You can type a display filter syntax directly into the Filter textbox in the display filter bar, and then click on Apply to apply the filter or Clear to clear a filter and start over.
A helpful feature of typing the display filter syntax into the textbox is the autocomplete function. Upon typing a protocol and then a period (.), the textbox will display a list of available protocol-related extensions that can be selected and then the appropriate comparison operator and value added before clicking on Apply.
The textbox also has a color-coded background indicating the display filter syntax status. If the syntax is incorrect or incomplete, the background is red and a correct filter results in a green background. A yellow background is a warning that the entered syntax may not work as expected.