Note – If you are completely new to Wireshark, it is recommended that you first go through its basic tutorial.
Display filters
Here is an example of a live capture in Wireshark:
Note that a major part of the GUI is used to display information (like Time, Source, Destination, and more) about all the incoming and outgoing packets. To filter this information as per your requirement, you need to make use of the Filter box present at the top of the window.
1. Filter information based on protocol
To filter results based on a specific protocol, just write its name in the filter box and hit enter. For example, the following screen shot displays information related to the HTTP protocol:
Observe that the Protocol column contains only HTTP entries. If information related to more than one protocol is required, enter the protocol names separated by a double pipe (or a logical OR operator) ||. Here is an example:
2. Filter information based on IP address
To filter results based on source IP, use the ip.src filter. Here is an example:
Similarly, use ip.dst to filter results based on destination IP address. To display both source and destination packets with a particular IP, use the ip.addr filter. Here is an example:
Observe that the packets with source or destination IP address as 50.116.24.50 are displayed in the output. To exclude packets with a specific IP address, use the != operator. Here is an example:
3. Filter information based on port
You can also filter the captured traffic based on network ports. For example, to display only those packets that contain TCP source or destination port 80, use the tcp.port filter. Here is an example:
Similarly, you can use tcp.srcport and tcp.dstport to separately filter results based on TCP source and destination ports, respectively. Wireshark also has the ability to filter results based on TCP flags. For example, to display on those TCP packets that contain SYN flag, use the tcp.flags.syn filter. Here is an example:
Similarly, you can also filter results based on other flags like ACK, FIN, and more, by using filters like tcp.flags.ack, tcp.flags.fin, and more, respectively.
4. Some other useful filters
Wireshark displays the data contained by a packet (which is currently selected) at the bottom of the window. Sometimes, while debugging a problem, it is required to filter packets based on a particular byte sequence. You can easily do that using Wireshark. For example, TCP packets containing the 00 00 01 byte sequence can be filtered using the following way:
Moving on, just like you can filter results based on IP addresses (explained earlier), you can also filter results based on MAC addresses, using the eth.addr filter. For example, to see all the traffic coming in and out of a machine with mac address, say AA:BB:CC:DD:EE:FF, use the following filter command:
Conclusion
We’ve barely scratched the surface here, as Wireshark has a lot more to offer. For more information on Wireshark display filters, visit the Wireshark official website or the Wiki Wireshark website. If you have some doubt or query, leave a comment below.
