How To Apply Display Filters to Capture Specific Packets in Wireshark Network Sniffer Tool

Wireshark is a popular open-source network protocol analyzer that allows users to see what’s happening on their network at a granular level. With Wireshark, you can capture and inspect individual packets traveling across your network, apply filters to focus on specific types of traffic, analyze performance issues, and more. This makes it an invaluable tool for network administrators, cybersecurity professionals, and anyone who needs deep visibility into their network traffic.

In this article, we’ll explore how to use Wireshark’s powerful display filter capabilities to capture only the packets you’re interested in analyzing.

An Overview of Display Filters in Wireshark

Wireshark provides two main types of filters:

  • Capture filters – Applied during packet capture to determine which packets will be saved to disk. This helps reduce file size and processing overhead.
  • Display filters – Applied after packet capture to filter the view of already-captured packets. This is used to focus analysis on specific packets of interest.

In this article, we’ll focus specifically on display filters.

Display filters use expressions to match against values and metadata in packet headers and payloads. Expressions can check for:

  • Presence of specific protocols (e.g. HTTP, DNS)
  • Field values (e.g. source/destination IP address)
  • Relationships between fields (e.g. TCP flags)
  • Packet contents (e.g. strings in payload)

Multiple filter expressions can be combined using Boolean logic (AND, OR, NOT) to create complex filters that isolate the traffic you care about.

Crafting Display Filter Expressions

The key to effectively using display filters is understanding the syntax and the protocol/field names available for filtering.

The basic syntax for a display filter is:

<protocol>.<field> <operator> <value>

For example, to filter for HTTP GET requests:

http.request.method == "GET"

Let’s break this down:

  • http – The protocol name
  • request.method – The field we want to filter on
  • == – The comparison operator (equals)
  • "GET" – The value we want to match on

Many protocols and fields are available for filtering. Some common ones include:

  • ip.addr – The IPv4 source or destination address
  • tcp.port – The TCP source or destination port
  • udp.port – The UDP source or destination port
  • http.request.uri – The requested URI in an HTTP request
  • dns – The DNS protocol

Operators like == (equals), != (not equals), >, <, etc. allow you to specify exactly what you’re looking for.

By chaining multiple expressions with "and" and "or" (and grouping them with parentheses), you can create complex filters like:

(ip.addr == or ip.addr == and tcp.port == 80

This will show TCP port 80 traffic to/from or

Useful Display Filter Examples

Here are some useful display filter examples to get you started:

Isolate traffic from a specific IP address

ip.addr ==

Show only TCP SYN packets (usually indicates new connections)

tcp.flags.syn == 1

Find HTTP GET requests with a specific string in the URI

http.request.method == "GET" and http.request.uri contains "search="

Look for DNS queries with a specific domain name

== ""

Show errors and retransmissions indicating packet loss

tcp.analysis.flags || udp.analysis.flags

Filter by TCP/UDP port numbers

tcp.port == 80 or udp.port == 53

There are many more possibilities – check out the Wireshark Display Filter Reference for protocol and field names.

The key is to understand the type of traffic you want to see, and translate that into a filter expression using the appropriate protocols and fields. Start simple and build up more complex filters as you get comfortable.
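To make the syntax above concrete, here is a small evaluator for Wireshark-style display filter expressions, added as an example and not part of Wireshark or of this article. It tokenizes a filter string, parses it with the same precedence Wireshark uses (not binds tighter than and, which binds tighter than or, with parentheses for grouping), and runs it over a handful of packets. The packets are constructed dictionaries whose keys are modelled on Wireshark field names (ip.src, tcp.srcport, dns.qry.name and so on); they are sample data, not a real capture. It also models the multi-value behaviour of fields like ip.addr and tcp.port, which match either the source or the destination side of a packet, and the presence test that a bare protocol name such as dns performs.

```python
"""Minimal evaluator for Wireshark-style display filters (example code, not Wireshark's own).

A packet is a dict of "protocol.field" -> value. A filter string is tokenized,
parsed with precedence  not > and > or  (parentheses group), and evaluated per packet.
"""
import re

# Tokens: parentheses, quoted strings, comparison/logic operators, bare words (field names, numbers, IPs).
_TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|==|!=|>=|<=|>|<|&&|\|\||!|[A-Za-z0-9_.]+)')

# Fields that match either end of the packet, as ip.addr / tcp.port / udp.port do in Wireshark.
_ALIASES = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}

_OPS = {
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "contains": lambda a, b: str(b) in str(a),
}


def tokenize(expr):
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def _literal(tok):
    """Quoted strings become strings, digit runs become ints, anything else (e.g. an IP) stays a string."""
    if tok is None:
        raise ValueError("missing value after operator")
    if tok.startswith('"'):
        return tok[1:-1]
    return int(tok) if tok.isdigit() else tok


class _Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            left = ("and", left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None:
            raise ValueError("unexpected end of filter")
        if self.peek() in _OPS or self.peek() == "!=":   # "field op value"
            op = self.take()
            return ("cmp", tok, op, _literal(self.take()))
        return ("present", tok)                              # bare protocol/field name


def _values(packet, name):
    return [packet[k] for k in _ALIASES.get(name, (name,)) if k in packet]


def _present(packet, name):
    return bool(_values(packet, name)) or any(k.startswith(name + ".") for k in packet)


def evaluate(node, packet):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], packet) or evaluate(node[2], packet)
    if kind == "and":
        return evaluate(node[1], packet) and evaluate(node[2], packet)
    if kind == "not":
        return not evaluate(node[1], packet)
    if kind == "present":
        return _present(packet, node[1])
    _, name, op, value = node
    vals = _values(packet, name)
    if op == "!=":
        # Wireshark 3.6+ semantics: "a != b" means "!(a == b)", so a packet whose
        # src OR dst equals the value is excluded.
        return not any(v == value for v in vals)
    return any(_OPS[op](v, value) for v in vals)


def apply_filter(expr, packets):
    """Return the frame numbers of the packets that match a display-filter string."""
    tree = _Parser(tokenize(expr)).parse()
    return [p["frame.number"] for p in packets if evaluate(tree, p)]


# Constructed sample "packets" (documentation-range addresses), not a real capture.
SAMPLE_PACKETS = [
    {"frame.number": 1, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.10", "tcp.srcport": 51234, "tcp.dstport": 80,
     "tcp.flags.syn": 1, "tcp.flags.ack": 0},
    {"frame.number": 2, "ip.src": "192.0.2.10", "ip.dst": "10.0.0.5", "tcp.srcport": 80, "tcp.dstport": 51234,
     "tcp.flags.syn": 1, "tcp.flags.ack": 1},
    {"frame.number": 3, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.10", "tcp.srcport": 51234, "tcp.dstport": 80,
     "tcp.flags.syn": 0, "tcp.flags.ack": 1, "http.request.method": "GET", "http.request.uri": "/?search=wireshark"},
    {"frame.number": 4, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.1", "udp.srcport": 40001, "udp.dstport": 53,
     "dns.qry.name": "example.com"},
    {"frame.number": 5, "ip.src": "10.0.0.7", "ip.dst": "192.0.2.10", "tcp.srcport": 44444, "tcp.dstport": 443,
     "tcp.flags.syn": 1, "tcp.flags.ack": 0},
]

if __name__ == "__main__":
    for f in ('http.request.method == "GET"',
              "tcp.flags.syn == 1 and tcp.flags.ack == 0",
              "(ip.addr == 10.0.0.5 or ip.addr == 10.0.0.7) and tcp.port == 80",
              "ip.addr != 10.0.0.5",
              "not tcp"):
        print(f"{f:70} -> frames {apply_filter(f, SAMPLE_PACKETS)}")
```

Two things the run makes visible that the filter syntax alone does not. First, tcp.flags.syn == 1 matches both the client's SYN and the server's SYN/ACK; to see only new connection attempts, add "and tcp.flags.ack == 0". Second, because ip.addr carries two values per packet, "ip.addr != 10.0.0.5" is only useful with the "all values differ" meaning modelled here, which Wireshark adopted in version 3.6; in older releases that expression meant "any value differs" and therefore matched almost every packet, so "!(ip.addr == 10.0.0.5)" was the reliable form. The evaluator covers only the subset of the grammar used in this article (no regex matching, slices, or sets).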

Saving and Reusing Display Filters

Manually re-typing the same display filters repeatedly can become tedious. Luckily, Wireshark provides ways to save filters for reuse.

Once you have a useful display filter, right click on the filter bar and choose “Save Filter As”. Give it a meaningful name and now you can access it from the “Filter” button.

You can also install display filters as buttons in the toolbar. After applying a filter, click the plus icon in the filter bar and fill out the details in the popup. This will add a quick-access filter button so you can enable that filter with one click.


Getting a handle on Wireshark’s display filters will allow you to get to the packets you actually care about much faster. You can set up filters tailored specifically to the type of traffic or network issue you want to inspect.

The key is learning the syntax, understanding which protocols and fields are relevant to your needs, and chaining multiple expressions together to isolate the packets of interest. As you work with Wireshark more, you’ll discover which display filter combinations are most useful to have on hand. So dive in and start filtering!