Display filter macros are used to create shortcuts for complex display filters. They let us quickly display information from a Wireshark capture file. The results of the filter can be saved into a separate text file and opened in any editor of choice. For example, we can create an HTML report or export data into Excel for more complex analysis.
Defining/Saving Filter Macros:
We can define a filter macro in Wireshark and name it so that it can be used later. This saves the time spent recalling and retyping commonly used, complex display filters every time we want to use them. For example, we define a display filter macro named test_1 whose text is:
ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4
Now, instead of typing this whole expression in the display filter box, we can just type:
${test_1:10.0.0.24;10.10.0.2;8888;8830}
To define and save filter macros, follow the steps below:
Step 1: Start Wireshark and either select the network interface we want to analyze or open a previously saved capture file.
Step 2: In the Wireshark main window, click the Analyze → Display Filter Macros menu or toolbar item.
This will bring up Wireshark's "Display Filter Macros" dialog box.
Step 3: To add a new filter macro, click the "+" button in the bottom-left corner of the dialog box. A new row will appear in the Display Filter Macros table.
Step 4: Enter the name of the macro in the Name column and the macro's replacement text in the Text column.
Step 5: Click the OK button in the bottom-right corner to save the macros.
The replacement text for the macro uses $1, $2, $3, and $4 as placeholders for the input arguments; when the macro is invoked, the arguments are supplied in that order, separated by semicolons.
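To make the substitution rule concrete, here is an added example (not Wireshark's own code) that expands the ${name:arg1;arg2;...} invocation form shown above against a small macro table. The macro table and the filter strings are constructed for this example; the expander also rejects an unknown macro name or a wrong argument count, which are the two mistakes most likely to produce an empty or misleading filter result.

```python
import re

# Constructed macro table (name -> replacement text), mirroring the test_1 macro defined above.
MACROS = {
    "test_1": "ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4",
    "dns_from": "dns and ip.src == $1",
}

# Matches one invocation such as ${test_1:10.0.0.24;10.10.0.2;8888;8830}
_INVOCATION = re.compile(r"\$\{(\w+):([^}]*)\}")
_PLACEHOLDER = re.compile(r"\$(\d+)")


def expand_macros(filter_text, macros=MACROS):
    """Return filter_text with every ${name:args} replaced by the macro body.

    $1, $2, ... in the body are replaced by the semicolon-separated arguments,
    in order. Raises ValueError for an unknown macro or a wrong argument count.
    """

    def _expand(match):
        name, raw_args = match.group(1), match.group(2)
        if name not in macros:
            raise ValueError(f"unknown display filter macro: {name}")
        args = raw_args.split(";") if raw_args else []
        body = macros[name]
        # Highest $n placeholder tells us how many arguments the macro needs.
        needed = max((int(n) for n in _PLACEHOLDER.findall(body)), default=0)
        if len(args) != needed:
            raise ValueError(f"macro {name} expects {needed} arguments, got {len(args)}")
        return _PLACEHOLDER.sub(lambda m: args[int(m.group(1)) - 1], body)

    return _INVOCATION.sub(_expand, filter_text)


if __name__ == "__main__":
    print(expand_macros("${test_1:10.0.0.24;10.10.0.2;8888;8830}"))
    # Macros can be combined with ordinary filter syntax.
    print(expand_macros("${dns_from:10.0.0.24} or ${dns_from:10.0.0.25}"))
```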