How to apply and edit Wireshark display filters

Comprehending display filters

While capturing traffic, or analyzing a pre-captured file, display filters help to narrow the scope and home in on specific types of traffic. It's not uncommon to have a capture with over 3,000 packets containing many different types of traffic.

When you launch Wireshark, you will see the startup screen. Across the top, below the icons, is the filter toolbar. Within the toolbar is the text Apply a display filter..., where you can easily apply and edit display filters, as shown here:

You can create a simple filter on any of the protocols Wireshark supports by using a single protocol or adding a logical operator. For example, if you want to see TCP or ARP traffic, then you would use the tcp || arp display filter.

Check out more on Learn
Wireshark here.

Wireshark's display filters can easily be modified. The following section illustrates how you can edit the display filters to customize your workflow.

Editing display filters

After working with the display filters, you may need to change an IP address, port number, or make some other change. To edit the display filter, go to the Analyze menu, and then select Display Filters..., which will bring up the following dialog box:

Once there, you can select one of the three icons as shown in the lower left-hand corner of the Display Filters dialog box:

• A plus icon will add a new display filter. When selected, Wireshark will create a space where you enter a name on the left and the actual filter on the right, as shown in Figure 7.7.
• A minus icon will delete a display filter. Select (highlight) the filter you want to remove and hit the minus sign to remove the filter from the dialog box and update the dfilters.txt file.
• A copy icon will copy a display filter. Once copied, you can modify the filter without changing the original. Wireshark will then add the new filter to the dfilters.txt file.

In the next section, we'll see how, when you do get a display filter that works and you would like to reuse it, you can save it to a bookmark.

Using bookmarks

On the right-hand side of the display filter, there is a blue toolbar icon called bookmarks. This is where Wireshark's built-in filters and any user-saved filters reside. If you click on the icon you will see options, along with several pre-loaded filters that you can use, as shown here:

When working with bookmarks, you will see configuration options that include the following:

• Save this filter: After you create a filter, you can save the filter to the bookmark by selecting this option.
• Remove this filter: This will delete the filter currently in use that is stored in the dfilters.txt file.
• Manage Display Filters: This will open the Display Filters dialog box.
• Filter Button Preferences...: This will open the Preferences dialog box with the Filter Buttons option highlighted.

Below the selections, you will see a list of filters. Even if you have never saved a filter, you will see the list, as Wireshark will show the list of filters found in the dfilters.txt file.

Once you create your own filter or select one from the drop-down list, you can press Enter or click the blue arrow on the right-hand side of the display filter to run the filter.

On the far-right side of the display filter is a drop-down arrow (caret). When selected, you can see previously used filters, as shown in the following screenshot:

A display filter can be applied before, during, or after packet capture. When you are ready to clear the filter, select the X on the right-hand side of the filter, as shown here:

As we can see, display filters can be very helpful in providing a more targeted view of the capture. However, there may be times that you only want to gather a certain type of traffic. In that case, you would use a capture filter, which we'll discuss in the next section.