Wireshark is a popular open-source network protocol analyzer that allows users to see what’s happening on their network at a granular level. With Wireshark, you can capture and inspect individual packets traveling across your network, apply filters to focus on specific types of traffic, analyze performance issues, and more. This makes it an invaluable tool for network administrators, cybersecurity professionals, and anyone who needs deep visibility into their network traffic.
In this article, we’ll explore how to use Wireshark’s powerful display filter capabilities to capture only the packets you’re interested in analyzing.
An Overview of Display Filters in Wireshark
Wireshark provides two main types of filters:
- Capture filters – Applied during packet capture to determine which packets will be saved to disk. This helps reduce file size and processing overhead.
- Display filters – Applied after packet capture to filter the view of already-captured packets. This is used to focus analysis on specific packets of interest.
In this article, we’ll focus specifically on display filters.
Display filters use expressions to match against values and metadata in packet headers and payloads. Expressions can check for:
- Presence of specific protocols (e.g. HTTP, DNS)
- Field values (e.g. source/destination IP address)
- Relationships between fields (e.g. TCP flags)
- Packet contents (e.g. strings in payload)
Multiple filter expressions can be combined using Boolean logic (AND, OR, NOT) to create complex filters that isolate the traffic you care about.
Crafting Display Filter Expressions
The key to effectively using display filters is understanding the syntax and the protocol/field names available for filtering.
The basic syntax for a display filter is:
<protocol>.<field> <operator> <value>
For example, to filter for HTTP GET requests:
http.request.method == "GET"
Let’s break this down:
- http – The protocol name
- request.method – The field we want to filter on
- == – The comparison operator (equals)
- "GET" – The value we want to match on
Many protocols and fields are available for filtering. Some common ones include:
- ip.addr – The IPv4 source or destination address
- tcp.port – The TCP source or destination port
- udp.port – The UDP source or destination port
- http.request.uri – The requested URI in an HTTP request
- dns – The DNS protocol
Operators like == (equals), != (not equals), >, <, etc. allow you to specify exactly what you’re looking for.
By chaining multiple expressions with and and or, you can create complex filters like:
(ip.addr == 192.168.1.1 or ip.addr == 192.168.1.2) and tcp.port == 80
This will show TCP port 80 traffic to/from 192.168.1.1 or 192.168.1.2.
Useful Display Filter Examples
Here are some useful display filter examples to get you started:
Isolate traffic from a specific IP address
ip.addr == 192.168.1.100
Show only TCP SYN packets (usually indicates new connections)
tcp.flags.syn == 1
Find HTTP GET requests with a specific string in the URI
http.request.method == "GET" and http.request.uri contains "search="
Look for DNS queries with a specific domain name
dns.qry.name == "www.example.com"
Show TCP errors and retransmissions indicating packet loss (this field is TCP-only; UDP has no retransmissions and no equivalent analysis flags)
tcp.analysis.flags
Filter by TCP/UDP port numbers
tcp.port == 80 or udp.port == 53
There are many more possibilities – check out the Wireshark Display Filter Reference for protocol and field names.
The key is to understand the type of traffic you want to see, and translate that into a filter expression using the appropriate protocols and fields. Start simple and build up more complex filters as you get comfortable.
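To make the syntax and the examples above concrete, here is an added Python evaluator (not code from the original article or from the Wireshark project) for a subset of the display filter language: field comparisons, contains, bare-name presence tests, and and/or/not with parentheses, run over three constructed packets. It shows why ip.addr == X matches either endpoint and, assuming the Wireshark 3.6+ meaning of != ("no occurrence is equal"), why ip.addr != X is the same as !(ip.addr == X).

```python
import re
# Constructed sample "packets" (field -> occurrences); ip.addr and tcp.port occur once per endpoint.
PACKETS = [
    {"ip.addr": ["192.168.1.1", "10.0.0.5"], "tcp.port": [51234, 80], "tcp.flags.syn": [1],
     "http.request.method": ["GET"], "http.request.uri": ["/?search=wireshark"]},
    {"ip.addr": ["192.168.1.2", "8.8.8.8"], "udp.port": [53000, 53], "dns.qry.name": ["www.example.com"]},
    {"ip.addr": ["10.0.0.9", "10.0.0.5"], "tcp.port": [51000, 22], "tcp.flags.syn": [0]},
]
TOKEN = re.compile(r'\s*(\(|\)|==|!=|>|<|&&|\|\||!|"[^"]*"|[\w.]+|\S)')  # final \S catches illegal chars
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, "contains": lambda a, b: str(b) in str(a)}
def parse(expr):  # recursive descent; precedence or < and < not < atom, as in Wireshark
    toks = TOKEN.findall(expr)
    if any(len(t) == 1 and not (t.isalnum() or t in "()<>!") for t in toks): raise ValueError("illegal char: " + expr)
    peek, take = lambda: toks[0] if toks else None, lambda: toks.pop(0) if toks else None
    def value(tok):  # "GET" -> str, 80 -> int, 192.168.1.1 -> str (compared literally here)
        if tok is None: raise ValueError("missing value in: " + expr)
        return tok[1:-1] if tok.startswith('"') else int(tok) if tok.isdigit() else tok
    def atom():
        tok = take()
        if tok in ("not", "!"): return ("not", atom())
        if tok == "(":
            node = expr_or()
            if take() != ")": raise ValueError("missing ) in: " + expr)
            return node
        if tok is None or tok == ")": raise ValueError("incomplete filter: " + expr)
        if peek() in OPS: return ("cmp", tok, take(), value(take()))  # <field> <op> <value>
        return ("has", tok)  # bare name: protocol or field presence
    def chain(sub, words, kind):  # one left-associative binary-operator level
        node = sub()
        while peek() in words: take(); node = (kind, node, sub())
        return node
    expr_and = lambda: chain(atom, ("and", "&&"), "and")
    expr_or = lambda: chain(expr_and, ("or", "||"), "or")
    node = expr_or()
    if toks: raise ValueError("unexpected token: " + toks[0])
    return node
def matches(node, pkt):
    kind, *args = node
    if kind == "has": return any(f == args[0] or f.startswith(args[0] + ".") for f in pkt)
    if kind == "cmp":
        field, op, val = args; occ = pkt.get(field, [])
        if op == "!=": return bool(occ) and all(o != val for o in occ)  # 3.6+: NO occurrence equal
        return any(OPS[op](o, val) for o in occ)  # ==, <, >, contains: ANY occurrence matches
    sub = [matches(a, pkt) for a in args]
    return {"not": not sub[0], "and": all(sub), "or": any(sub)}[kind]
def apply_filter(expr, packets=PACKETS):  # indexes of the packets the display filter selects
    node = parse(expr)
    return [i for i, p in enumerate(packets) if matches(node, p)]
```

Feeding the article's own filters to apply_filter shows which constructed packet each one selects; a malformed filter such as ip.addr = 10.0.0.5 raises ValueError instead of silently matching nothing.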
Saving and Reusing Display Filters
Manually re-typing the same display filters repeatedly can become tedious. Luckily, Wireshark provides ways to save filters for reuse.
Once you have a useful display filter, right click on the filter bar and choose “Save Filter As”. Give it a meaningful name and now you can access it from the “Filter” button.
You can also install display filters as buttons in the toolbar. After applying a filter, click the plus icon in the filter bar and fill out the details in the popup. This will add a quick-access filter button so you can enable that filter with one click.
Conclusion
Getting a handle on Wireshark’s display filters will allow you to get to the packets you actually care about much faster. You can set up filters tailored specifically to the type of traffic or network issue you want to inspect.
The key is learning the syntax, understanding which protocols and fields are relevant to your needs, and chaining multiple expressions together to isolate the packets of interest. As you work with Wireshark more, you’ll discover which display filter combinations are most useful to have on hand. So dive in and start filtering!