wireshark display filter usage

Filtering packets while viewing

-------------------------------

After capturing packets or loading some network traffic from a file, Wireshark will display the packet data immediately on the screen.

 

Using display filters, you can choose which packets should (not) be shown on the screen. This is useful to reduce the "noise" usually on the network, showing only the packets you want to. So you can concentrate on the things you are really interested in. 

 

The display filter will not affect the data captured, it will only select which packets of the captured data are displayed on the screen.

 

Everytime you change the filter string, all packets will be reread from the capture file (or from memory), and processed by the display filter "machine". Packet by packet, this "machine" is asked, if this particular packet should be shown or not.

 

Wireshark offers a very powerful display filter language for this. It can be used for a wide range of purposes, from simply: "show only packets from a specific IP address", or on the other hand, to very complex filters like: "find all packets where a special application specific flag is set".

 

Note: This display filter language is different from the one used for the Wireshark capture filters!

 

-------------------------------------------------

 

Some common examples

--------------------

Example Ethernet: display all traffic to and from the Ethernet address 08.00.08.15.ca.fe

 

eth.addr==08.00.08.15.ca.fe

 

Example IP: display all traffic to and from the IP address 192.168.0.10

 

ip.addr==192.168.0.10

 

Example TCP: display all traffic to and from the TCP port 80 (http) of all machines

 

tcp.port==80

 

Examples combined: display all traffic to and from 192.168.0.10 except http

 

ip.addr==192.168.0.10 && tcp.port!=80

 

Beware: The filter string builds a logical expression, which must be true to show the packet. The && is a "logical and", "A && B" means: A must be true AND B must be true to show the packet (it doesn't mean: A will be shown AND B will be shown). 

 

-------------------------------------------------

 

Hint

----

Filtering can lead to side effects, which are sometimes not obvious at first sight. Example: If you capture TCP/IP traffic with the primitive "ip", you will not see the ARP traffic belonging to it, as this is a lower protocol layer than IP!