56tvmao: How-to instructions you can trust. Linux How to Use Display Filters in Wireshark

How to Use Display Filters in Wireshark

Wireshark is a GUI-based network packet analyser that lets you inspect packet data from a live network as well as from a previously captured file. Although it’s a very powerful tool, a common problem that newbies face is that it displays so much data that it becomes really difficult for them to pinpoint the actual information they are looking for. This is where Wireshark’s display filters help.

Note – If you are completely new to Wireshark, it is recommended that you first go through its basic tutorial.

Display filters

Here is an example of a live capture in Wireshark:

Note that a major part of the GUI is used to display information (like Time, Source, Destination, and more) about all the incoming and outgoing packets. To filter this information as per your requirement, you need to make use of the Filter box present at the top of the window.

1. Filter information based on protocol

To filter results based on a specific protocol, just write its name in the filter box and hit enter. For example, the following screen shot displays information related to the HTTP protocol:

Observe that the Protocol column contains only HTTP entries. If information related to more than one protocol is required, enter the protocol names separated by a double pipe (or a logical OR operator) ||. Here is an example:

http || arp || icmp

2. Filter information based on IP address

To filter results based on source IP, use the ip.src filter. Here is an example:

ip.src==50.116.24.50

Similarly, use ip.dst to filter results based on destination IP address. To display both source and destination packets with a particular IP, use the ip.addr filter. Here is an example:

ip.addr==50.116.24.50

Observe that the packets with source or destination IP address as 50.116.24.50 are displayed in the output.

To exclude packets with a specific IP address, use the != operator. Here is an example:

ip.src!=50.116.24.50

3. Filter information based on port

You can also filter the captured traffic based on network ports. For example, to display only those packets that contain TCP source or destination port 80, use the tcp.port filter. Here is an example:

tcp.port==80

Similarly, you can use tcp.srcport and tcp.dstport to separately filter results based on TCP source and destination ports, respectively.

Wireshark also has the ability to filter results based on TCP flags. For example, to display on those TCP packets that contain SYN flag, use the tcp.flags.syn filter. Here is an example:

Similarly, you can also filter results based on other flags like ACK, FIN, and more, by using filters like tcp.flags.ack, tcp.flags.fin, and more, respectively.

4. Some other useful filters

Wireshark displays the data contained by a packet (which is currently selected) at the bottom of the window. Sometimes, while debugging a problem, it is required to filter packets based on a particular byte sequence. You can easily do that using Wireshark.

For example, TCP packets containing the 00 00 01 byte sequence can be filtered using the following way:

tcp contains 00:00:01

Moving on, just like you can filter results based on IP addresses (explained earlier), you can also filter results based on MAC addresses, using the eth.addr filter. For example, to see all the traffic coming in and out of a machine with mac address, say AA:BB:CC:DD:EE:FF, use the following filter command:

eth.addr == AA:BB:CC:DD:EE:FF

Conclusion

We’ve barely scratched the surface here, as Wireshark has a lot more to offer. For more information on Wireshark display filters, visit the Wireshark official website or the Wiki Wireshark website. If you have some doubt or query, leave a comment below.


Himanshu Arora

Himanshu Arora is a freelance technical writer by profession but a software programmer and Linux researcher at heart. He covers software tutorials, reviews, tips/tricks, and more. Some of his articles have been featured on IBM developerworks, ComputerWorld, and in Linux Journal.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox

Sign up for all newsletters.
By signing up, you agree to our Privacy Policy and European users agree to the data transfer policy. We will not share your data and you can unsubscribe at any time. Subscribe

Related Post