11.8. Display Filter Macros

Display Filter Macros are a mechanism to create shortcuts for complex filters. For example defining a display filter macro named tcp_conv whose text is

(ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4)
or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3)

would allow to use a display filter like

${tcp_conv:10.1.1.2;10.1.1.3;1200;1400}

instead of typing the whole filter.

Display Filter Macros can be managed with a user table, as described in Section 11.7, “User Table”, by selecting AnalyzeDisplay Filter Macros from the menu. The User Table has the following fields:

Name
The name of the macro.
Text
The replacement text for the macro it uses $1, $2, $3, …​ as the input arguments.