Wireshark Display Filter
Every field in the packet information pane can be used as a filter string to display only the packets that have that field. The filter string: tcp, for instance, will display all packets that contain the tcp protocol.
Right above the column display part of Wireshark is a bar that filters the display. To filter the frames, IP packets, or TCP segments that Wireshark shows from a pcap, type expressions here. In response to the text you have entered the display filter, Wireshark provides a list of suggestions. The expression has not yet been accepted, and the show filter bar is still red. The expression has been approved and ought to function properly if the display filter bar becomes green. The expression has been accepted if the display filter bar turns yellow, but it probably won’t function as intended.
Any protocol that Wireshark provides can be filtered. If a dissector adds an abbreviation for a field and adds the field to the tree view, you can filter on that field as well. The menu item View → Internals → Supported Protocols provides access to a comprehensive list of the supported protocols and fields.
Comparing Values:
A variety of comparison operators can be used to create display filters that compare values. Use ip.addr==192.168.0.1, for instance, to only display packets to or from this IP address. The following table contains the full list of comparison operators:
| Sr. No. | English | C-like description | Description and Example |
|---|---|---|---|
|
1. |
eq |
== |
Equal (any if more than one) E.g., ip.src == 12.0.1.7 |
|
2. |
ne |
!= |
Not equal (all if more than one) E.g., ip.src != 12.0.1.7 |
|
3. |
gt |
> |
Greater than E.g., frame.len > 15 |
|
4. |
lt |
< |
Less than E.g., frame.len < 64 |
|
5. |
ge |
>= |
Greater than or equal to E.g., frame.len ge 0x100 |
|
6. |
le |
<= |
Less than or equal to E.g., frame.len <= 0x20 |
Display Filter Field Types:
| Sr. No. | Type | Example |
|---|---|---|
|
1. |
Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit) |
Integers can be expressed using decimal, octal, or hexadecimal notation. These display filters are comparable: ip.len le 1500 |
|
2. |
Signed integer (8-bit, 16-bit, 24-bit, 32-bit) |
__ |
|
3. |
Boolean |
Only when a boolean field’s value is true is included in the protocol decode. To exemplify, the SYN flag must be present in a TCP segment header for tcp.flags.syn to be present and true. As a result, the filter expression tcp.flags.syn will only choose packets for which this flag exists, i.e., TCP segments for which the SYN flag is present in the segment header. |
|
4. |
Ethernet address (6 bytes) |
A colon (:), a dot (.), or a dash (-) are all acceptable separators, and there can be one or two bytes between separators: eth.addr == ff:ff:ff:ff:ff:ff |
|
5. |
IPv4 address |
ip.addr == 192.168.0.1 An IPv4 address’ subnet membership can be checked using the Classless Inter Domain Routing (CIDR) notation. As an illustration, the following display filter will find every packet in the 129.111 Class-B network: ip.addr == 129.111.0.0/16 |
|
6. |
IPv6 address |
ipv6.addr == ::1 |
|
7. |
IPX address |
ipx.addr == 00000000.ffffffffffff |
|
8. |
String (text) |
http.request.uri == “http://www.wireshark.org/” |
Steps of Building Display Filter Expressions in Wireshark
You can precisely manage which packets are displayed with Wireshark’s display filter language. They can be used to determine whether a protocol or field is present, its value, or even to compare two fields to one another. Complex expressions can be created by combining these comparisons with logical operators like “and” and “or” and parentheses.
Contact Us