Display filters search the capture and restrict the display to only those packets that match the given filter primitive. When we apply a display filter after running a packet capture, Wireshark shows only the packets that match what we typed in the Display Filter box; every other packet is hidden until we clear the filter text box, after which all packets reappear.
Once we are familiar with Wireshark's filter primitives and know which field labels to use in our filters, typing a filter string becomes easy. But if we are new to Wireshark, it can be very confusing to figure out what to type. The "Display Filter Expression" dialogue box helps us learn how to write Wireshark's display filter primitives.
Note: When we get the syntax right, the background of the filter text box turns green. If we type something wrong, the background turns red, which tells us that Wireshark does not recognize the text as valid display filter syntax.
Wireshark Display Filter Expression Dialog Box:
To open Wireshark's Display Filter Expression Dialog Box, follow the steps below:
- Start Wireshark by selecting the network interface we want to analyze or by opening a previously saved capture file.
- In Wireshark, click Analyze → Display Filter Expression in the menu or toolbar.
This will open up the Display Filter Expression dialogue box.
The following are the fields available in the Display Filter Expression dialogue box.
- Field Name: Lists all available protocols in a protocol field tree, from which we can select a protocol field. We can search for a specific protocol by entering the first few letters of its name in the search box. Each protocol has many field names available for filtering.
- Relation: We can select a relation from the list of available relations. "is present" is a unary relation that is either true or false depending on whether the selected field is present. The other listed relations are binary and require additional data, such as a value or a range, to complete.
- Value: We can enter a valid value in the Value text box when using a binary relation. The Value label also indicates the data type expected for the selected Field Name.
- Predefined Values: Displays the predefined values, if any are available for the selected protocol.
- Range (offset:length): A range of integers or a group of ranges, such as 1-12 or 39-42,98-2000.
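As an added illustration (not part of the original article and not Wireshark's own code), the following Python helper mirrors how the dialog's four inputs (Field Name, Relation, Value, Range) combine into one filter primitive, and approximates the green/red syntax check described in the note above. The function names, the regular expressions and the value-quoting rule are this example's own simplifications; Wireshark's real display filter grammar is considerably richer, and a filter that passes this check should still be confirmed in Wireshark itself.

```python
import re

# Relations offered by Wireshark's "Display Filter Expression" dialog.
# "is present" is unary (the field name alone); everything else is binary
# and needs a value on the right-hand side.
UNARY_RELATIONS = {"is present"}
BINARY_RELATIONS = {"==", "!=", ">", "<", ">=", "<=", "contains", "matches"}

# Field names look like "tcp.port" or "http.request.method".
FIELD_RE = re.compile(r"^[a-z0-9_-]+(\.[a-z0-9_-]+)*$")
# Range text as typed in the dialog: "0:3" (offset:length), "1-12", or "39-42,98-2000".
RANGE_RE = re.compile(r"^\d+([:-]\d+)?(,\d+([:-]\d+)?)*$")
# One complete primitive: field, optional [range] slice, optional relation + value.
PRIMITIVE_RE = re.compile(
    r"^[a-z0-9_.-]+(\[[0-9:,-]+\])?"
    r"(\s*(==|!=|>=|<=|>|<|contains|matches)\s*\S+(\s+\S+)*)?$"
)
LOGICAL_SPLIT_RE = re.compile(r"\s*(?:&&|\|\||\band\b|\bor\b)\s*")


class FilterSyntaxError(ValueError):
    """Raised when the pieces do not form a valid display filter primitive."""


def format_value(value):
    """Render a right-hand-side value the way the dialog expects.

    Simplification (hypothetical helper): integers and anything that starts
    with a digit (ports, IP/MAC addresses, hex) are emitted as-is; other
    strings are wrapped in double quotes, e.g. GET -> "GET".
    """
    if isinstance(value, bool):
        raise FilterSyntaxError("use 1/0 or a named value instead of a Python bool")
    if isinstance(value, int):
        return str(value)
    text = str(value)
    if text[:1].isdigit() or text.startswith('"'):
        return text
    return f'"{text}"'


def build_primitive(field, relation, value=None, range_=None):
    """Assemble one primitive from the dialog's Field Name / Relation / Value / Range."""
    if not FIELD_RE.match(field):
        raise FilterSyntaxError(f"bad field name: {field!r}")
    if range_ is not None and not RANGE_RE.match(range_):
        raise FilterSyntaxError(f"bad range: {range_!r}")
    slice_text = f"[{range_}]" if range_ is not None else ""
    if relation in UNARY_RELATIONS:
        if value is not None:
            raise FilterSyntaxError('"is present" takes no value')
        return field + slice_text
    if relation not in BINARY_RELATIONS:
        raise FilterSyntaxError(f"unknown relation: {relation!r}")
    if value is None:
        raise FilterSyntaxError(f"relation {relation!r} needs a value")
    return f"{field}{slice_text} {relation} {format_value(value)}"


def combine(primitives, op="&&"):
    """Join primitives with && or ||, parenthesising any that carry a relation."""
    if op not in ("&&", "||"):
        raise FilterSyntaxError(f"unknown logical operator: {op!r}")
    return f" {op} ".join(f"({p})" if " " in p else p for p in primitives)


def looks_valid(expr):
    """Approximate the green/red check: True if every primitive in expr parses.

    Deliberately small recogniser, not Wireshark's real dfilter grammar; it does
    not understand nested parentheses or every operator Wireshark accepts.
    """
    expr = expr.strip()
    if not expr:
        return False
    for part in LOGICAL_SPLIT_RE.split(expr):
        part = part.strip().lstrip("!").strip("() ")
        if not PRIMITIVE_RE.match(part):
            return False
    return True


if __name__ == "__main__":
    # Constructed inputs mirroring what one would pick in the dialog.
    for args in [("http", "is present"),
                 ("tcp.port", "==", 80),
                 ("http.request.method", "==", "GET"),
                 ("eth.src", "==", "00:00:83", "0:3")]:
        print(build_primitive(*args))
    for text in ["tcp.port == 80 && ip.addr == 10.0.0.1", "tcp.port = 80"]:
        print(f"{text!r:45} -> {'green' if looks_valid(text) else 'red'}")
```

The second loop shows the point of the note above: a single `=` is not a relation, so the helper flags `tcp.port = 80` the way Wireshark's red background would, while `tcp.port == 80 && ip.addr == 10.0.0.1` passes.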