You can precisely manage which packets are displayed with Wireshark’s display filter language. They can be used to determine whether a protocol or field is present, its value, or even to compare two fields to one another. Complex expressions can be created by combining these comparisons with logical operators like “and” and “or” and parentheses.
Wireshark Display Filter:
Every field in the packet information pane can be used as a filter string to display only the packets that have that field. The filter string: tcp, for instance, will display all packets that contain the tcp protocol.
Right above the column display part of Wireshark is a bar that filters the display. To filter the frames, IP packets, or TCP segments that Wireshark shows from a pcap, type expressions here. In response to the text you have entered the display filter, Wireshark provides a list of suggestions. The expression has not yet been accepted, and the show filter bar is still red. The expression has been approved and ought to function properly if the display filter bar becomes green. The expression has been accepted if the display filter bar turns yellow, but it probably won’t function as intended.
Any protocol that Wireshark provides can be filtered. If a dissector adds an abbreviation for a field and adds the field to the tree view, you can filter on that field as well. The menu item View → Internals → Supported Protocols provides access to a comprehensive list of the supported protocols and fields.
Comparing Values:
A variety of comparison operators can be used to create display filters that compare values. Use ip.addr==192.168.0.1, for instance, to only display packets to or from this IP address. The following table contains the full list of comparison operators:
| Sr. No. | English | C-like description | Description and Example |
|---|---|---|---|
|
1. |
eq |
== |
Equal (any if more than one) E.g., ip.src == 12.0.1.7 |
|
2. |
ne |
!= |
Not equal (all if more than one) E.g., ip.src != 12.0.1.7 |
|
3. |
gt |
> |
Greater than E.g., frame.len > 15 |
|
4. |
lt |
< |
Less than E.g., frame.len < 64 |
|
5. |
ge |
>= |
Greater than or equal to E.g., frame.len ge 0x100 |
|
6. |
le |
<= |
Less than or equal to E.g., frame.len <= 0x20 |
Display Filter Field Types:
| Sr. No. | Type | Example |
|---|---|---|
|
1. |
Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit) |
Integers can be expressed using decimal, octal, or hexadecimal notation. These display filters are comparable: ip.len le 1500 |
|
2. |
Signed integer (8-bit, 16-bit, 24-bit, 32-bit) |
__ |
|
3. |
Boolean |
Only when a boolean field’s value is true is included in the protocol decode. To exemplify, the SYN flag must be present in a TCP segment header for tcp.flags.syn to be present and true. As a result, the filter expression tcp.flags.syn will only choose packets for which this flag exists, i.e., TCP segments for which the SYN flag is present in the segment header. |
|
4. |
Ethernet address (6 bytes) |
A colon (:), a dot (.), or a dash (-) are all acceptable separators, and there can be one or two bytes between separators: eth.addr == ff:ff:ff:ff:ff:ff |
|
5. |
IPv4 address |
ip.addr == 192.168.0.1 An IPv4 address’ subnet membership can be checked using the Classless Inter Domain Routing (CIDR) notation. As an illustration, the following display filter will find every packet in the 129.111 Class-B network: ip.addr == 129.111.0.0/16 |
|
6. |
IPv6 address |
ipv6.addr == ::1 |
|
7. |
IPX address |
ipx.addr == 00000000.ffffffffffff |
|
8. |
String (text) |
http.request.uri == “http://www.wireshark.org/” |
Combining Expressions:
Display Filter Logical Operations:
The following table contains the full list of logical operators:
|
Sr. No. |
English |
C-like |
Description and Example |
|---|---|---|---|
|
1. |
and |
&& |
Logical AND E.g., ip.src==20.0.0.7 and tcp.flags.fin |
|
2. |
or |
|| |
Logical OR E.g., ip.src==20.0.0.7 or ip.src==192.1.8.1 |
|
3. |
xor |
^^ |
Logical XOR E.g., tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29 |
|
4. |
not |
! |
Logical NOT E.g., not llc |
|
5. |
[…] |
|
Subsequence |
|
6. |
in |
|
Set Membership E.g., http.request.method in {“HEAD”, “GET”}. |
Miscellaneous Operators:
The following table contains the list of miscellaneous operators:
| Sr. No. | Operator | Description with Example |
|---|---|---|
|
1. |
Slice Operator |
You can choose a subsequence of a sequence in Wireshark in a variety of complex ways. A set of brackets [] carrying a list of range specifiers separated by commas can be placed after a label. E.g., eth.src[0:3] == 00:00:83 The aforementioned example specifies a single range using the n:m format. In this instance, n denotes the starting offset, while m denotes the given range’s length. |
|
2. |
Layer Operator |
The layer operator (#), followed by a decimal number, can be used to limit a field to a particular layer in the protocol stack: E.g., ip.addr#2 == 192.168.40.60 Only the inner (second) layer of the packet is matched. For more sophisticated ranges, the same syntax as for slices applies: E.g., tcp.port#[2-4] denotes layers 2, 3, or 4 inclusive. To distinguish a layer range from a slice, the hash symbol is required. |
Arithmetic operators:
Display Filter Arithmetic Operations:
The following table contains the full list of arithmetic operators:
| Sr. No. | Name | Syntax | Description |
|---|---|---|---|
| 1. | Unary minus | -A | Negation of A |
| 2. | Addition | A + B | Add B to A |
| 3. | Subtraction | A – B | Subtract B from A |
| 4. | Multiplication | A * B | Multiply A times B |
| 5. | Division | A / B | Divide A by B |
| 6. | Modulo | A % B | Remainder of A divided by B |
| 7. | Bitwise AND | A & B | Bitwise AND of A and B |
Curly braces are a common way to arrange mathematical expressions.
Functions:
There are several functions to convert fields in the display filter language.
|
Sr. No. |
Function |
Description and Example |
|---|---|---|
|
1. |
upper |
Given string field is converted to uppercase. E.g., upper(http.server) |
|
2. |
lower |
Given string field is converted to lowercase. E.g., lower(http.server) contains “apache”. |
|
3. |
len |
It returns the byte length of a string as output. E.g., len(http.request.uri) > 100 len function outputs the string length value in bytes instead of multibyte characters. |
|
4. |
count |
It returns the number (count) of field occurrences in a frame. E.g., count(ip.addr) > 2 in case of ICMP in which a single packet might contain more number of addresses. |
|
5. |
string |
Given non-string field is converted to a string. E.g., To match odd frame numbers: string(frame.number) matches “[13579]$” |
|
6. |
max |
It returns the maximum value for the arguments. It takes any number of arguments of the same type and returns the maximum (largest) value. E.g., max(tcp.srcport, tcp.dstport) <= 1024 |
|
7. |
min |
It returns the minimum value for the arguments. It takes any number of arguments of the same type and returns the minimum (smallest) value. E.g., min(tcp.srcport, tcp.dstport) <= 1024 |
|
8. |
abs |
It returns the absolute value for the argument. E.g., abs(tcp.srcport) |
