Display filter macros let you quickly display information from a Wireshark capture file. You can save the results of your filter into a separate text file and open that file in an editor of your choice; for example, you could create an HTML report or export the data into Excel for more complex analysis. To create a display filter macro, start by creating an empty text file on your hard drive with a .txt extension. Next, copy and paste any of the filter types listed below into your .txt file, followed by an @ symbol and then the name of your filter string: ip address; protocol; port; dns request; dns response; icmp type; icmp code; tcp flags; http status code; https status code; irc status code; smtp server response; smtp server response using TLS 1.0 or higher; smtp server response using TLS 1 (not supported in all versions of Wireshark); smtp email address using TLS 1 or higher (not supported in all versions of Wireshark); domain name used in dns request (not supported in all versions of Wireshark).
Display Filter Macros:
Suppose we have a macro called tcp_ses that is defined as "(ip.addr eq $1 and ip.addr eq $2) and (tcp.port eq $3 and tcp.port eq $4)". Typing "${tcp_ses:10.10.10.10;10.0.0.1;1234;4567}" into the display filter box (arguments are separated by semicolons) would be equivalent to entering "(ip.addr eq 10.10.10.10 && ip.addr eq 10.0.0.1) && (tcp.port eq 1234 && tcp.port eq 4567)".
Steps to Capture:
Step 1: Open Wireshark and select the adapter on which to capture packets. In this example, we select Wi-Fi.
Step 2: Open the Analyze menu and choose Display Filter Macros. You'll see two columns, Name and Text. In the Name column you can type any name for the macro, but it is recommended to use a name that describes what the filter does. In the Text column you type the filter expression you want to set up as a macro.
Step 3: Click the + icon to add a display filter macro. To show how a macro is made, I've taken a very simple example based on ip.addr. In the Name column I entered IPA, and in the Text column I entered ip.addr==$1, then clicked "OK". Here $1 is a placeholder, which means this macro takes exactly one value.
To call the macro, there is a specific syntax. Following it, we can call our macro with ${IPA: 127.0.0.1}.
Syntax:
${macro name: value}
Step 4: As you can see, the background of the filter box turned green, which means the macro call is valid.
Step 5: Let's try some more advanced Wireshark filters so you can see why macros are so useful for complex filters.
Complex Filter Example 1:
http.request.method == "$1"
This filter shows all requests that use the HTTP method passed as $1. You can pass any request method, such as GET, POST, PUT, DELETE, etc. Call the macro by entering ${request: GET} into the Wireshark filter box; the filter box turns green.
Complex Filter Example 2:
string(frame.number) matches "[$1]$"
This filter accepts a set of digits as its argument, for example the even digits "02468" or the odd digits "13579". Call this filter macro with ${frames: 02468}, and it will display only the frames whose frame number ends in an even digit.
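To make the expansion rule behind the tcp_ses example and the two complex filters concrete, here is an added Python model of how a ${name:arg1;arg2;...} call is rewritten into a plain display filter string. It is not Wireshark's own code; it assumes the macro table constructed below from this page's examples, uses ";" as the argument separator as the Wireshark user guide does, and does not handle nested macro calls.

```python
import re
from typing import Dict, List

# Constructed macro table mirroring the page's examples (Name -> Text).
MACROS: Dict[str, str] = {
    "tcp_ses": "(ip.addr eq $1 and ip.addr eq $2) and (tcp.port eq $3 and tcp.port eq $4)",
    "IPA": "ip.addr==$1",
    "request": 'http.request.method == "$1"',
    "frames": 'string(frame.number) matches "[$1]$"',
}

# A macro call: ${name} or ${name:arg1;arg2;...}; whitespace around args is tolerated.
_CALL = re.compile(r"\$\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*(?::(.*?))?\s*\}")
# A placeholder inside a macro body: $1, $2, ... (a bare trailing "$" is left alone).
_PLACEHOLDER = re.compile(r"\$(\d+)")


def macro_arity(text: str) -> int:
    """Number of arguments a macro body expects, i.e. its highest $N."""
    return max((int(n) for n in _PLACEHOLDER.findall(text)), default=0)


def expand_macro(name: str, args: List[str], macros: Dict[str, str] = MACROS) -> str:
    """Substitute args into one macro body; reject unknown names and wrong arg counts."""
    if name not in macros:
        raise ValueError(f"unknown macro {name!r}")
    body = macros[name]
    arity = macro_arity(body)
    if len(args) != arity:
        raise ValueError(f"macro {name!r} takes {arity} argument(s), got {len(args)}")
    return _PLACEHOLDER.sub(lambda m: args[int(m.group(1)) - 1], body)


def expand_filter(expr: str, macros: Dict[str, str] = MACROS) -> str:
    """Replace every ${name:arg1;arg2;...} call in a display filter string."""
    def repl(m: "re.Match[str]") -> str:
        name, raw = m.group(1), m.group(2)
        args = [a.strip() for a in raw.split(";")] if raw and raw.strip() else []
        return expand_macro(name, args, macros)
    return _CALL.sub(repl, expr)


def is_valid_call(expr: str, macros: Dict[str, str] = MACROS) -> bool:
    """True when every macro call in expr expands cleanly (the 'green box' case)."""
    try:
        expand_filter(expr, macros)
        return True
    except ValueError:
        return False
```

Passing the wrong number of arguments, for example ${tcp_ses:10.0.0.1} with only one address, is reported as an error rather than silently producing a filter with leftover placeholders.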