Steps of Filtering and Building Display Filters in Wireshark
Last Updated : 28 Apr, 2026
Wireshark supports two kinds of filters, capture filters and display filters, to help you record and analyze only the network traffic you need. This guide shows how to apply and build display filters to quickly find relevant packets in a capture.
- Capture filters limit what packets are recorded.
- Display filters control which captured packets are shown.
- Filters can target protocols, fields or field values.
Filter Types & Their Use
| Filter Type | When It Applies | Effect |
|---|---|---|
| Capture Filter | Before/during packet capture | Only matching packets are saved to capture file |
| Display Filter | After capture (or on loaded file) | Only matching packets are shown, others hidden |
- Capture filters are useful when you expect a lot of noise and want to record only relevant traffic.
- Display filters are flexible: you can try many filters on the same capture file without re-capturing.
Steps for Applying Filters While Viewing
To apply filters while viewing packets, follow the below steps:
- Start Wireshark and open a previously saved capture file.
- Click on the display filter box, located between the main toolbar and the packet list in the main Wireshark window.
- Type the filter expression you want to apply to the displayed packets.
- Press the Enter key or click the Apply Display Filter button after entering the filter expression.

- With such a filter applied, only packets containing the filtered protocol (TLS in the screenshot above) are displayed.
- Wireshark's display filter language lets you control precisely which packets are displayed.
- Filters can test whether a protocol or field is present, check its value, or compare two fields to one another.
- Complex expressions can be created by combining these comparisons with the logical operators "and" and "or", and with parentheses.
What Can You Filter By
Filters can be built on the following:
- Protocols: e.g. tcp, http, dns.
- Field presence or absence: e.g. tcp.flags.syn to find TCP packets with the SYN flag.
- Field values: e.g. ip.src == 192.168.0.5, frame.len > 1500
- Field comparisons: you can compare two fields or values (e.g. lengths, ports).
Wireshark Display Filter
Every field shown in the packet details pane can be used as a filter string to display only the packets that have that field.
- The filter string tcp, for instance, displays all packets that contain the TCP protocol.

- Right above the packet list in Wireshark is the display filter bar.
- Type expressions here to filter the frames, IP packets or TCP segments that Wireshark shows from a pcap. As you type, Wireshark offers a list of matching suggestions.
- While the display filter bar is red, the expression has not yet been accepted.
- If the display filter bar turns green, the expression has been accepted and should work as expected.
- If the display filter bar turns yellow, the expression has been accepted but may not work as intended.

- Any protocol that Wireshark provides can be filtered.
- If a dissector adds an abbreviation for a field and adds the field to the tree view, you can filter on that field as well.
- The menu item View → Internals → Supported Protocols provides access to a comprehensive list of the supported protocols and fields.
Comparing Values
A variety of comparison operators can be used to create display filters that compare values.
| Operator | Meaning / Example |
|---|---|
| == (eq) | Equal, ip.src == 12.0.1.7 |
| != (ne) | Not equal, ip.src != 12.0.1.7 |
| > (gt) | Greater than, frame.len > 15 |
| < (lt) | Less than, frame.len < 64 |
| >= (ge) | Greater or equal, frame.len >= 0x100 |
| <= (le) | Less or equal, frame.len <= 0x20 |
Display Filter Field Types
| Field Type | Example |
|---|---|
| Unsigned Integer | ip.len <= 1500, ip.len <= 0x436 |
| Signed Integer | Rare, similar syntax |
| Boolean Flag | tcp.flags.syn |
| Ethernet Address | eth.addr == ff:ff:ff:ff:ff:ff |
| IPv4 Address | ip.addr == 192.168.0.1, ip.addr == 129.111.0.0/16 |
| IPv6 Address | ipv6.addr == ::1 |
| IPX Address | ipx.addr == 00000000.ffffffffffff |
| String | http.request.uri == "/index.html" |
Combining Expressions
Display Filter Logical Operations
The following table contains the full list of logical operators:
| Operator | Usage Example |
|---|---|
| and (&&) | ip.src==10.0.0.1 and tcp.flags.fin |
| or (\|\|) | ip.src==10.0.0.1 or tcp.flags.fin |
| xor (^^) | tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29 |
| not (!) | not llc |
| in | http.request.method in {"GET","HEAD"} |
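To make the comparison operators, field types and logical operators above concrete, here is an added example (not code from this page or from the Wireshark project): a small Python evaluator for a subset of the display filter language, run over constructed packet records. Its semantics are assumptions that follow the tables: a bare field name tests presence (so tcp.flags.syn matches every TCP packet, while tcp.flags.syn == 1 selects packets with the flag set), ip.addr carries two values per packet, CIDR blocks match by membership, and != on a multi-valued field means "all values differ" as in Wireshark 3.6 and later.

```python
import ipaddress, operator, re
# Constructed sample packets (not a real capture); each field maps to a list because ip.addr occurs twice per packet.
PACKETS = [
    {"ip.src": ["10.0.0.1"], "ip.addr": ["10.0.0.1", "192.168.0.5"], "tcp.dstport": [51000], "tcp.flags.syn": [1], "frame.len": [74]},
    {"ip.src": ["192.168.0.5"], "ip.addr": ["192.168.0.5", "10.0.0.1"], "tcp.dstport": [443], "tcp.flags.syn": [0], "frame.len": [1514]},
    {"ip.src": ["10.0.0.9"], "ip.addr": ["10.0.0.9", "10.0.0.2"], "tcp.dstport": [80], "tcp.flags.syn": [0], "frame.len": [300], "http.request.method": ["GET"]},
]
TOKEN = re.compile(r'\s*(?:(\(|\)|\{|\}|,|==|!=|>=|<=|>|<|&&|\|\||!)|"([^"]*)"|([^\s(){},"=<>!&|]+))')
WORDS = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<=", "and": "&&", "or": "||", "not": "!"}
CMP = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}
NET = (ipaddress.IPv4Network, ipaddress.IPv6Network)

def literal(tok):  # integer (decimal or 0x hex), IPv4/IPv6 address or CIDR block, else plain text
    for conv in (lambda v: int(v, 0), lambda v: ipaddress.ip_network(v, strict=False)):
        try: return conv(tok)
        except ValueError: pass
    return tok

def parse(t, level=0):  # precedence: "or" binds weakest, then "and", then not / atoms
    if level < 2:
        node = parse(t, level + 1)
        while t and t[0] == ("||", "&&")[level]:
            node = (t.pop(0), node, parse(t, level + 1))
        return node
    if t[0] == "!":
        t.pop(0); return ("!", parse(t, 2))
    if t[0] == "(":                       # parenthesised sub-expression up to its ")"
        t.pop(0); node = parse(t); t.pop(0); return node
    field = t.pop(0)
    if t and t[0] in CMP:                 # field <operator> value
        return ("cmp", field, t.pop(0), t.pop(0))
    if t and t[0] == "in":                # field in {v1, v2, ...}
        vals = [x for x in t[2:t.index("}")] if x != ","]
        del t[:t.index("}") + 1]; return ("in", field, vals)
    return ("present", field)             # bare field name: true whenever the field exists

def evaluate(n, pkt):
    if n[0] == "||": return evaluate(n[1], pkt) or evaluate(n[2], pkt)
    if n[0] == "&&": return evaluate(n[1], pkt) and evaluate(n[2], pkt)
    if n[0] == "!": return not evaluate(n[1], pkt)
    vals = pkt.get(n[1], [])              # absent field: no values, so nothing below matches
    if n[0] == "present": return bool(vals)
    if n[0] == "in": return any(v in n[2] for v in vals)
    op, lit = n[2], n[3]                  # addresses and CIDR blocks: membership test, == or != only
    hit = (lambda v: (ipaddress.ip_address(v) in lit) == (op == "==")) if isinstance(lit, NET) else (lambda v: CMP[op](v, lit))
    return bool(vals) and (all if op == "!=" else any)(hit(v) for v in vals)  # since 3.6, != means "all values differ"

def apply_filter(expr, packets=PACKETS):  # indexes of the packets the display filter keeps
    tokens = [s if s is not None else sym or WORDS.get(w) or literal(w)
              for sym, s, w in (m.groups() for m in TOKEN.finditer(expr))]
    tree = parse(tokens)                  # parse once: parse() consumes the token list
    return [i for i, p in enumerate(packets) if evaluate(tree, p)]
```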
Miscellaneous Operators
The following table contains the list of miscellaneous operators:
| Operator | Example & Meaning |
|---|---|
| Slice [n:m] | eth.src[0:3] == 00:00:83 (matches the first 3 bytes of the source MAC address) |
| Layer field#n | ip.addr#2 == 192.168.40.60 (matches the address in the 2nd occurrence of the IP layer) |
| Layer range | tcp.port#[2-4] (matches TCP ports in layers 2, 3 or 4) |
Arithmetic operators
Display Filter Arithmetic Operations
The following table contains the full list of arithmetic operators:
| Operator | Meaning |
|---|---|
| -A | Unary minus |
| A + B | Addition |
| A - B | Subtraction |
| A * B | Multiplication |
| A / B | Division |
| A % B | Modulo |
| A & B | Bitwise AND |
Arithmetic sub-expressions are grouped with curly braces.
Functions
The display filter language provides several functions that convert or measure field values.
| Function | Example / Meaning |
|---|---|
| upper() | upper(http.server) (converts the string to uppercase) |
| lower() | lower(http.server) contains "apache" (converts to lowercase before matching) |
| len() | len(http.request.uri) > 100 (length in bytes) |
| count() | count(ip.addr) > 2 (number of occurrences of the field) |
| string() | string(frame.number) matches "[13579]$" (converts a value to a string so a regex can be applied) |
| max() | max(tcp.srcport, tcp.dstport) <= 1024 |
| min() | min(tcp.srcport, tcp.dstport) <= 1024 |
| abs() | abs(tcp.srcport) (absolute value) |