6.3. Filtering Packets While Viewing

Wireshark has two filtering languages: capture filters and display filters. Capture filters are used for filtering when capturing packets and are discussed in Section 4.10, “Filtering while capturing”. Display filters are used for filtering which packets are displayed and are discussed below.

Display filters allow you to concentrate on the packets you are interested in while hiding the currently uninteresting ones. They allow you to only display packets based on:

To only display packets containing a particular protocol, type the protocol name in the display filter toolbar of the Wireshark window and press enter to apply the filter. Figure 6.7, “Filtering on the TCP protocol” shows an example of what happens when you type tcp in the display filter toolbar.

Note

Protocol and field names are usually in lowercase.

Note

Don’t forget to press enter or click on the apply display filter button after entering the filter expression.

Figure 6.7. Filtering on the TCP protocol

As you may have noticed, only packets containing the TCP protocol are now displayed, so packets 1-10 are hidden and packet number 11 is the first packet displayed.

Note

When using a display filter, all packets remain in the capture file. The display filter only changes the display of the capture file but not its content!

To remove the filter, click on the Clear button to the right of the display filter field. All packets will become visible again.

Display filters can be very powerful and are discussed in further detail in Section 6.4, “Building Display Filter Expressions”.

It’s also possible to create display filters with the Display Filter Expression dialog box. More information about the Display Filter Expression dialog box is available in Section 6.5, “The “Display Filter Expression” Dialog Box”.