Wireshark’s display filter language allows you to control the packets the platform currently displays. You’ll commonly use display filters to check that a protocol or field is present. However, you may also use them to compare packets using logical operators, such as “and” and “or.”
It’s easy to confuse Wireshark’s display filter with its capture filter. This article explains how to use the platform’s display filter on a PC and a Mac. It also examines the difference between display filters and capture filters inside Wireshark.
How to Use Display Filter in Wireshark on a Windows PC
It’s fairly simple to use Wireshark’s display filter on a PC. The platform provides a field at the top of the screen that allows you to quickly explain which packets you want to display. You’ll typically show packets based on the following.
- Field values
- The presence of a field
- Comparisons between fields
However, the display field functionality allows more complex usage.
There are two methods for using the display filter in Wireshark on a Windows PC.
Method No. 1 – Direct Filter Typing
Assuming you simply want to display a protocol, follow these steps.
- Locate and click on the display filter toolbar in Wireshark.
- Enter the protocol’s name into the toolbar. For example, type “tcp” if you want to display all of your TCP packets.
- Press “Enter” to apply your chosen filter. Alternatively, you can click “Apply” after entering your filter expression.
You should now see Wireshark displaying packets based on the filter you chose. All of these packets remain inside their associated capture file. A display filter does not alter the content within a capture file. It displays packets relevant to the filter you apply.
If you wish to remove your applied filter, click the Clear button. This is located to the right of the display filter toolbar.
Method No. 2 – The Statistics Bar
This method is a way to apply a filter that doesn’t require you to type directly into the display filter toolbar.
- Locate “Statistics” in the top menu and click it.
- Select one of the options in the drop-down. For this walkthrough, choose “Endpoints.”
- A pop-up box should appear displaying the Endpoint report showing MAC addresses. Right-click one of the addresses and select “Apply as Filter.”
- Click “Selected.”
The syntax for your choice is automatically entered into the display filter toolbar.
How to Use Display Filter in Wireshark on a Mac
Wireshark on a Mac allows you to use a display filter to show packets based on an array of options and expressions, including protocols, field comparisons, field values, and more. There are two ways to use the display filter on a Mac.
Method No. 1 – The Display Filter Toolbar
The following steps allow you to display a simple protocol. It’s possible to use a variety of operators to create more complex filters, assuming you have an in-depth understanding of Wireshark. Follow these steps for a simple protocol display filter.
- Click the display filter toolbar at the top of the screen. This is the textbox next to the word “Filter.”
- Enter the protocol’s name and click the “Apply” button.
Wireshark displays every packet related to the entered protocol that is inside your current capture filter. Click the Clear button next to the display filter toolbar to remove your filter and display all packets again.
Method No. 2 – The Statistics Bar
If you don’t know the exact expression to type for your filter, there is a simpler method you can apply in some cases. The following example demonstrates how to create a display filter using an endpoint. It can be applied to several other types of expressions and protocols as well. Follow these steps to create an endpoint display filter.
- Click “Statistics” in the top menu bar.
- Select “Endpoints.”
- Navigate to the endpoint you wish to filter by in the pop-up box, right-click, and highlight “Apply as Filter.”
- Choose “Selected.”
You should see Wireshark automatically enter the syntax for your choice in the display filter toolbar. The platform will also display packets relevant to your chosen endpoint.
What’s the difference between a display filter and a capture filter?
Wireshark allows you to use display filters and capture filters to navigate your packets. These filters are easy to confuse. However, they serve different purposes and require different syntaxes to use.
A display filter is used when you’ve captured everything you need and want to display specific packets for analysis.
Capture filters are more limited than display filters. They reduce the size of a raw packet capture and must be set before you begin the packet capture process. You’ll typically use capture filters if you want to apply a command to return or remove specific types of packets from a capture. Capture filters can’t be modified during the capture process.
Display filters and capture filters also differ in terms of the syntax they use.
With a display filter, you use a combination of Boolean filters and operators to create a logical description of the filter you wish to create. Examples include the “==” and “!=” which mean equal and not equal, respectively.
Capture filters use a more complicated syntax that combines masks, byte offsets, and hexadecimal values with Boolean filtering language. This makes capture filters less intuitive than display filters, though it also means you can use them to apply more complex filters.
Apply Your Filters
Wireshark’s display filter functionality allows you to run quick checks on the packets in your capture. It’s ideal for large captures when you need to cut through all of the noise on your screen so you can analyze specific protocols or fields. Wireshark provides in-depth information about the various filter modifiers and expressions for the display filter via its wiki.
But now, we want to hear from you. How often do you find yourself needing to analyze specific packets in Wireshark? Do you think using the display filter will help you become more efficient when using the platform? Tell us what you think about Wireshark’s display filter in the comments below.
Follow NTN on Social Media