In Wireshark, we can filter packets in two ways: with a capture filter or with a display filter. Capture filters decide which packets are recorded while capturing. Display filters search the captured packets and display only those that match the given filter primitive. When we apply a display filter after running a packet capture, the packet list shows only the packets matching what we typed in the Display Filter box; the rest are hidden until we clear the filter text box, after which everything reappears. This lets us focus on the packets we are interested in while concealing the others. We can filter packets based on:
- Protocols
- Presence/Absence of a field
- Values of fields
Steps For Applying Filters While Viewing:
To apply filters while viewing packets, follow the steps below:
- Start Wireshark and open a previously saved capture file.
- Click on the filter box between the main toolbar and the packet list in the main Wireshark window.
- Type the filter primitive you want to apply to the displayed packets.
- Press the Enter key or click the apply display filter button after entering the filter expression.
In the screenshot above, only packets containing the TLS protocol are displayed.
The display filter only changes what is displayed; all packets remain in the capture file, and they become visible again when we clear the display filter from the filter box. If we are familiar with Wireshark’s filter primitives and know which field labels to use, typing a filter string is easy. If we are new to Wireshark, figuring out what to type can be confusing. The “Display Filter Expression” dialogue box helps us learn how to write Wireshark’s display filter primitives.
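The three filter categories listed at the top (protocol, presence/absence of a field, field value) and the point that a display filter hides packets rather than removing them can be shown in code. This is an added example, not code from the original page or from the Wireshark project: a Python parser for a small subset of Wireshark's display-filter syntax, run over constructed packet records (the packets, field names and values are made up for illustration). It goes a little beyond the page by also handling `!`, `&&`, `||` and parentheses with Wireshark's precedence.

```python
import re
# Constructed packet records (not a real capture): Wireshark-style field names map to
# values, and a protocol layer that is present is recorded as True.
PACKETS = [
    {"no": 1, "ip.src": "10.0.0.5", "tcp": True, "tcp.dstport": 443, "tcp.flags.syn": 1},
    {"no": 2, "ip.src": "10.0.0.5", "tcp": True, "tcp.dstport": 443, "tls": True, "tls.handshake.type": 1},
    {"no": 3, "ip.src": "10.0.0.9", "udp": True, "udp.dstport": 53, "dns": True},
    {"no": 4, "ip.src": "10.0.0.5", "tcp": True, "tcp.dstport": 443, "tls": True, "tls.record.content_type": 23},
]
TOKEN = re.compile(r'\(|\)|&&|\|\||==|!=|!|"[^"]*"|[\w.]+')

class Filter:
    """Parser for a display-filter subset: presence, ==, !=, !, &&, || and ( ); precedence ! > && > ||."""
    def __init__(self, text):
        self.toks, self.i = TOKEN.findall(text) + [None], 0      # None marks end of input
        if re.sub(r"\s", "", "".join(self.toks[:-1])) != re.sub(r"\s", "", text): raise ValueError(f"bad filter: {text!r}")
        self.ast = self._or()
        if self.toks[self.i] is not None: raise ValueError("unexpected trailing tokens")
    def _take(self): self.i += 1; return self.toks[self.i - 1]   # consume the next token
    def _or(self): return self._chain("||", self._and, "or")
    def _and(self): return self._chain("&&", self._unary, "and")
    def _chain(self, sym, sub, kind):                            # left-associative binary operator
        node = sub()
        while self.toks[self.i] == sym:
            self._take(); node = (kind, node, sub())
        return node
    def _unary(self):
        tok = self._take()
        if tok is None or tok in (")", "&&", "||", "==", "!="): raise ValueError("expected an expression")
        if tok == "!": return ("not", self._unary())
        if tok == "(":
            node = self._or()
            if self._take() != ")": raise ValueError("expected ')'")
            return node
        if self.toks[self.i] in ("==", "!="):                    # field value test
            op, raw = self._take(), self._take()
            return ("cmp", op, tok, raw[1:-1] if raw[0] == '"' else int(raw) if raw.isdigit() else raw)
        return ("has", tok)                                      # field or protocol present
    def matches(self, pkt, n=None):
        n = n or self.ast
        if n[0] == "has": return n[1] in pkt
        if n[0] == "not": return not self.matches(pkt, n[1])
        if n[0] == "and": return self.matches(pkt, n[1]) and self.matches(pkt, n[2])
        if n[0] == "or": return self.matches(pkt, n[1]) or self.matches(pkt, n[2])
        _, op, name, value = n                                   # absent field: never matches
        return name in pkt and (pkt[name] == value if op == "==" else pkt[name] != value)

def apply_display_filter(packets, text):
    flt = Filter(text)                  # parse once, then test every packet; packets are untouched
    return [p["no"] for p in packets if flt.matches(p)]
```

`PACKETS` is never modified by `apply_display_filter`, which mirrors the page's point that clearing the filter brings every packet back.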