How to manage Wireshark display filters

Wireshark display tools such as capture and packet filtering offer critical insights into network functioning, but only if properly understood and managed.

Wireshark is one of the top tools for troubleshooting network issues. It comes with many features and options that can help analyze data. However, on a busy network there can be so much traffic that it's simply impossible to scroll through gigabits of data to find issues with specific systems or protocols. This is where capture and display filters come into play.

Capture filters are used when you know in advance what you are looking for. They allow you to predefine the type of traffic captured. As an example, you could set a capture filter to capture only HTTP traffic. Display filters are used after the traffic is captured. Although you might have captured all types of traffic, you could apply a display filter to show only Address Resolution Protocol (ARP) packets if you think someone has attempted ARP cache poisoning. Regardless of the filter type you use, they allow you to ignore things that are not of interest.

Wireshark display and capture filters are slightly different. Wireshark display filters allow you to focus on things of interest and to ignore things you don't care about. They are applied in the Filter edit box near the top left of the Wireshark display window, just beneath the toolbar as shown in Figure 1. There is also a history option that allows you to select filters that you have already used in the past.

Figure 1 - Wireshark display filters

You can also use the Wireshark display filter dialog box to select a number of predefined filters or create new ones. This is an efficient way to access the most commonly used Wireshark display filters for troubleshooting security issues and concerns.

Let's look at a few basic filters and discuss the effect of each:

ip.addr ==

This filter displays every packet that has the address I have specified as either its source or its destination address.

Now, let's look at another IP address filter.

ip.src ==

This Wireshark display filter shows only the packets that come from this specific address. You are not seeing things with that address as the destination. You could filter on ip.dst if you were just interested in things going to that address.

Now let's look at another.

dns && ip.src ==

This filter displays only Domain Name System (DNS) queries originating from the address specified. It is a good example of the and rule: you can combine rules with the “&&” operator. Be careful to use two ampersands and not just one. A single ampersand is valid syntax in some cases, but it will likely not yield the result you expect; only the double ampersand specifies a logical and operation.

Now, let's look at the not operator.

!ip.src ==

The exclamation mark is the not operator that causes negation of the expression -- sometimes referred to as a "bang."  Now, change your Wireshark display filter to say:

ip.src !=

Notice that the difference is subtle; the two filters are not equivalent. The first starts by checking whether the IP source address equals the one provided, then negates that result. The second shows anything unless it comes from that address, which also takes in non-IPv4 traffic such as ARP, Spanning Tree Protocol and IPv6.
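To make the operator rules above concrete, here is an added example (my own code, not from the article or the Wireshark project): a small Python evaluator for the subset of display filter syntax used in this article (bare protocol names, `==`, `!=`, `!` and `&&`), run over a constructed four-frame capture. It encodes the matching rules of the Wireshark releases current when this was written (before 3.6): a comparison on a field the frame does not carry is false, `==` is true if any occurrence of the field equals the value, and `!=` is true if any occurrence differs, so `!ip.src == X` admits the ARP frame while `ip.src != X` does not, and `ip.addr != X` still shows frames whose source is X.

```python
import re

# Constructed sample capture (not from the article). Each frame maps a
# Wireshark field name to the list of values it carries; ip.addr occurs
# twice per IPv4 frame (source and destination) and ARP has no ip.* fields.
PACKETS = {
    1: {"ip.src": ["10.0.0.5"], "ip.dst": ["10.0.0.9"],
        "ip.addr": ["10.0.0.5", "10.0.0.9"], "dns": [True]},
    2: {"ip.src": ["10.0.0.9"], "ip.dst": ["10.0.0.5"],
        "ip.addr": ["10.0.0.9", "10.0.0.5"], "dns": [True]},
    3: {"arp": [True]},
    4: {"ip.src": ["10.0.0.7"], "ip.dst": ["10.0.0.5"],
        "ip.addr": ["10.0.0.7", "10.0.0.5"], "tcp": [True]},
}

TOKEN = re.compile(r"&&|==|!=|!|[A-Za-z0-9_.]+")

def _compare(packet, field, op, value):
    # Pre-3.6 semantics: an absent field never matches; "==" is true if any
    # occurrence equals the value, "!=" is true if any occurrence differs.
    values = packet.get(field, [])
    if op == "!=":
        return any(v != value for v in values)
    return value in values

def evaluate(expr, packet):
    """Evaluate '!', '&&', 'field == v', 'field != v' and bare names."""
    tokens, pos = TOKEN.findall(expr), 0

    def parse_and():                        # '&&' chain; '!' binds tighter
        nonlocal pos
        result = parse_unary()
        while pos < len(tokens) and tokens[pos] == "&&":
            pos += 1
            rhs = parse_unary()
            result = result and rhs
        return result

    def parse_unary():
        nonlocal pos
        if tokens[pos] == "!":              # the "bang" negates what follows
            pos += 1
            return not parse_unary()
        field, pos = tokens[pos], pos + 1
        if pos < len(tokens) and tokens[pos] in ("==", "!="):
            op, value, pos = tokens[pos], tokens[pos + 1], pos + 2
            return _compare(packet, field, op, value)
        return field in packet              # bare name: protocol/field present

    return parse_and()

def matching_frames(expr, packets=PACKETS):
    return [n for n, p in packets.items() if evaluate(expr, p)]
```

Since Wireshark 3.6, `a != b` is defined to mean the same as `!(a == b)`, so the `!=` branch above describes the older behaviour only.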

In closing, what's most important to understand is that Wireshark simply collects the data, and it's up to you to understand and know what you are looking for and how to extract it. Constructing good Wireshark filters is half of the battle; the other half is understanding the underlying protocols so you know what to look for. 

This was last published in December 2015