Once you’ve used Wireshark to capture network traffic, you might end up with a lot of data. Display filters are a great tool that lets you choose which packets you want to see within the data you’ve already captured. Unlike capture filters, which you use before you record the data to limit what gets saved, display filters let you hide the packets you’re not interested in and focus on the specific traffic you need for your analysis. It’s important to know that display filters don’t delete any of the captured data; they just change what’s currently shown in the top window (the Packet List Pane).
How They’re Written
Display filters use a different language than capture filters and are designed to work with the detailed information Wireshark pulls out of each packet (which you see in the middle window, the Packet Details Pane). Here are some basic ideas:
- Fields: Display filters work with the different pieces of information Wireshark identifies in a packet (like `ip.src` for the sender’s IP address, `tcp.port` for the TCP port number, `http.request.method` for the type of web request, `dns.flags.response` to see if a DNS packet is a reply, etc.). A field or protocol name on its own (for example `icmp` or `tcp`) matches every packet in which that field or protocol is present.
- Operators: These are symbols used to create conditions based on the values of these fields:
  - `==` or `eq`: Equal to
  - `!=` or `ne`: Not equal to
  - `>` or `gt`: Greater than
  - `<` or `lt`: Less than
  - `>=` or `ge`: Greater than or equal to
  - `<=` or `le`: Less than or equal to
  - `contains`: Checks if a field includes a specific word or series of bytes (case-sensitive).
  - `matches`: Checks if a field matches a more complex pattern (a Perl-compatible regular expression, case-insensitive by default).
  One caveat worth knowing: some fields occur more than once in a packet. `ip.addr`, for example, stands for both `ip.src` and `ip.dst`, and a comparison is true if any occurrence satisfies it. That is what makes `ip.addr == A and ip.addr == B` work, but it also means that in Wireshark releases before 3.6 `ip.addr != A` still showed packets that had A on one side, because the other address was “not equal” (3.6 changed `!=` to mean that every occurrence differs). `!(ip.addr == A)` excludes a host on every version.
- Logical Operators: These combine multiple conditions:
  - `and` or `&&`: Both conditions must be true.
  - `or` or `||`: At least one of the conditions must be true.
  - `not` or `!`: The following condition must be false.
  `not` binds tighter than `and`, which binds tighter than `or`; use parentheses when you want a different grouping.
Examples of Common Display Filters
- Show traffic from a specific IP address: `ip.src == 192.168.1.100`
- Show traffic going to a specific IP address: `ip.dst == 10.0.0.5`
- Show traffic on a specific TCP port (like web traffic on port 80): `tcp.port == 80`
- Show UDP traffic on a specific port (like DNS lookups on port 53): `udp.port == 53`
- Show ICMP traffic: `icmp`
- Show traffic between two specific computers: `ip.addr == 192.168.1.10 and ip.addr == 10.0.0.5`
- Show HTTP GET requests (when you’re just asking for a webpage): `http.request.method == "GET"`
- Show DNS queries (when a computer is asking for the IP address of a website): `dns.flags.response == 0`
- Show TCP packets that are starting a connection (with the SYN flag set): `tcp.flags.syn == 1`. The server’s SYN/ACK reply also has the SYN flag set, so to see only the first packet of each handshake use `tcp.flags.syn == 1 and tcp.flags.ack == 0`.
- Show packets that contain a specific word anywhere in their bytes: `frame contains "password"`. The `contains` operator is written between the field and the value, not as a function call. `frame` covers the whole packet, whereas `data contains "password"` only searches payload that Wireshark did not hand to another dissector, so it can miss text inside a request Wireshark already decoded as HTTP.
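The rules above (fields, the comparison and logical operators, the “any occurrence” behaviour of repeated fields) are easier to trust once you have watched them applied to concrete packets. The following is an added example written for this article, not code from the page or from the Wireshark project: a small Python evaluator for the subset of the display-filter language described above, run against a constructed four-packet capture so it executes offline. The packet records, their field names and the `apply_filter`, `parse` and `tokenize` helpers are assumptions made for the example; the matching rules mirror Wireshark’s, with `!=` deliberately kept in its pre-3.6 “any not equal” reading so the pitfall with `ip.addr` is visible. It does not implement slices, functions, IPv6 or CIDR notation, which the real engine handles.

```python
import operator
import re

# Constructed sample capture (not real traffic): each packet maps a field name to
# the list of values it holds; a bare protocol name maps to [True]. Packet 3 is
# dissected as HTTP, so it has no undissected 'data' field, only raw 'frame' bytes.
PACKETS = [
    {"frame.number": [1], "tcp": [True], "ip.src": ["192.168.1.10"], "ip.dst": ["10.0.0.5"],
     "tcp.srcport": [51234], "tcp.dstport": [80], "tcp.flags.syn": [1], "tcp.flags.ack": [0]},
    {"frame.number": [2], "tcp": [True], "ip.src": ["10.0.0.5"], "ip.dst": ["192.168.1.10"],
     "tcp.srcport": [80], "tcp.dstport": [51234], "tcp.flags.syn": [1], "tcp.flags.ack": [1]},
    {"frame.number": [3], "tcp": [True], "http": [True], "ip.src": ["192.168.1.10"], "ip.dst": ["10.0.0.5"],
     "http.request.method": ["POST"], "frame": ["POST /login HTTP/1.1\r\n\r\nuser=bob&password=hunter2"]},
    {"frame.number": [4], "udp": [True], "dns": [True], "ip.src": ["192.168.1.20"], "ip.dst": ["192.168.1.1"],
     "udp.srcport": [40001], "udp.dstport": [53], "dns.flags.response": [0]},
]
# Composite fields cover both directions, as in Wireshark.
COMPOSITE = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
             "udp.port": ("udp.srcport", "udp.dstport")}
TOKEN = re.compile(r'\s*(?:(?P<str>"[^"]*")|(?P<sym>==|!=|>=|<=|>|<|&&|\|\||!|\(|\))'
                   r'|(?P<word>[A-Za-z_][\w.]*)|(?P<num>\d+(?:\.\d+){3}|\d+))')
WORD_OPS = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<="}
PUNCT = {"&&": ("logic", "and"), "||": ("logic", "or"), "!": ("logic", "not"),
         "and": ("logic", "and"), "or": ("logic", "or"), "not": ("logic", "not"),
         "(": ("paren", "("), ")": ("paren", ")")}
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
       ">=": operator.ge, "<=": operator.le, "contains": lambda have, want: str(want) in str(have),
       # 'matches' is a Perl-compatible regex search, case-insensitive by default in Wireshark
       "matches": lambda have, want: re.search(str(want), str(have), re.IGNORECASE) is not None}

def field_values(pkt, name):  # every occurrence of a field in a packet (may be none)
    return [v for part in COMPOSITE.get(name, (name,)) for v in pkt.get(part, [])]

def tokenize(text):  # display filter text -> list of (kind, value) tokens
    out, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError("cannot tokenize %r" % text[pos:])
        pos, kind, val = m.end(), m.lastgroup, m.group(m.lastgroup)
        if kind == "str":
            out.append(("val", val[1:-1]))
        elif kind == "num":  # an IPv4 literal stays a string; a port or flag becomes an int
            out.append(("val", val if "." in val else int(val)))
        elif val in PUNCT:
            out.append(PUNCT[val])
        elif kind == "sym" or val in WORD_OPS or val in ("contains", "matches"):
            out.append(("op", WORD_OPS.get(val, val)))
        else:
            out.append(("field", val))
    return out

def parse(text):  # recursive descent; precedence is not > and > or, as in Wireshark
    toks = tokenize(text)
    def peek(kind, val=None):
        return bool(toks) and toks[0][0] == kind and val in (None, toks[0][1])
    def primary():
        if peek("logic", "not"):
            toks.pop(0)
            return ("not", primary())
        if peek("paren", "("):
            toks.pop(0)
            node = or_expr()
            if not peek("paren", ")"):
                raise ValueError("missing ')'")
            toks.pop(0)
            return node
        kind, name = toks.pop(0)
        if kind != "field":
            raise ValueError("expected a field name, got %r" % (name,))
        if peek("op"):  # field OP value
            return ("cmp", name, toks.pop(0)[1], toks.pop(0)[1])
        return ("present", name)  # a bare field or protocol name tests for presence
    def chain(sub, word):  # left-associative chain joined by 'and' or 'or'
        node = sub()
        while peek("logic", word):
            toks.pop(0)
            node = (word, node, sub())
        return node
    and_expr = lambda: chain(primary, "and")
    or_expr = lambda: chain(and_expr, "or")
    node = or_expr()
    if toks:
        raise ValueError("unexpected token %r" % (toks[0],))
    return node

def evaluate(node, pkt):
    kind = node[0]
    if kind == "present":
        return bool(field_values(pkt, node[1]))
    if kind == "cmp":
        # True if ANY occurrence of the field satisfies the test. For '!=' this is the
        # pre-3.6 "any not equal" reading: 'ip.addr != A' keeps a packet whose other
        # address is not A, so '!(ip.addr == A)' is the reliable way to exclude a host.
        _, name, op, want = node
        try:
            return any(OPS[op](v, want) for v in field_values(pkt, name))
        except TypeError:  # e.g. ordering a string-valued field against a number
            return False
    if kind == "not":
        return not evaluate(node[1], pkt)
    left, right = evaluate(node[1], pkt), evaluate(node[2], pkt)
    return (left and right) if kind == "and" else (left or right)

def apply_filter(text, packets=PACKETS):  # frame numbers the filter leaves visible
    node = parse(text)
    return [p["frame.number"][0] for p in packets if evaluate(node, p)]
```

With these four constructed packets, `apply_filter("ip.addr == 192.168.1.10 and ip.addr == 10.0.0.5")` returns `[1, 2, 3]`, `apply_filter("tcp.flags.syn == 1")` returns `[1, 2]` while adding `and tcp.flags.ack == 0` narrows it to `[1]`, `apply_filter('frame contains "password"')` returns `[3]` while the `data contains` form returns nothing, and `apply_filter("ip.addr != 192.168.1.10")` still returns every packet where `apply_filter("!(ip.addr == 192.168.1.10)")` returns only `[4]`. The tokenizer deliberately keeps IPv4 literals as strings and turns ports and flags into integers, which is why `tcp.port gt 1000` orders numerically.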
Applying Display Filters:
You type display filters into the Filter Toolbar, which is usually located below the main toolbar. After you type your filter, press Enter or click the apply button (the right arrow at the end of the toolbar) to make it active. Wireshark checks the expression as you type: the toolbar turns green when the filter is valid, red when it cannot be parsed, and yellow when it is accepted but may not behave the way you expect (deprecated syntax, for example). Only the packets that match your filter will be shown in the top window (the Packet List Pane). The status bar at the bottom of the Wireshark window will tell you how many of the total captured packets are currently being displayed.
Saving Display Filters:
If you have display filters that you use often, you can save them for quick access by clicking the bookmark icon at the left of the Filter Toolbar and choosing “Save this filter”, or by going to Analyze > Display Filters…, which lets you build a list of your favorite filters. The “+” button at the right end of the toolbar turns the current filter into a one-click Filter Button.
Main Differences Between Capture and Display Filters:
Feature | Capture Filter | Display Filter |
---|---|---|
When It’s Used | Applied while Wireshark is recording | Applied to packets already captured, during or after a live capture |
What It Does | Limits the amount of data that is saved | Chooses which data to show in the display |
How It’s Written | Uses the BPF language | Uses Wireshark’s own language based on packet details |
Computer Resources | Reduces how much CPU, memory, and disk space are used during recording | Only affects what you see; all the data is still there |
Data Loss | Packets that don’t match the filter are never saved | No data is lost; packets are just hidden from view |