A Beginner's Guide to Getting Started With Display Filters in Wireshark

October 2, 2013

Wireshark is a very popular network protocol analyser with which a network administrator can thoroughly examine the data traffic flowing to and from a computer system on a network. The tool has been around for quite some time and provides many useful features. One of these features is the display filter, which lets you narrow the captured traffic down by criteria such as protocol, network port or IP address. In this article, we will cover the basics of Wireshark and five basic display filters that every beginner should know.

If you are completely new to Wireshark, first download it and install it on your system. Once installed, launch the Wireshark GUI.

Here is an example snapshot of the Wireshark main screen:

[Screenshot: Wireshark main screen]

The first step is to select the interface on which the data is to be captured and then click Start.

[Screenshot: Wireshark interface selection]

As soon as you click Start, information about every incoming and outgoing packet on the selected interface is displayed in the output.

[Screenshot: Wireshark capture display]

You can click on any packet entry in the window shown above, and further details of that packet are displayed in the section just below the same window.

[Screenshot: Wireshark individual packet details]

Now, coming back to our topic: display filters are entered through the Filter text box that sits just above the traffic output section.

[Screenshot: Wireshark display filter text box]

Wireshark Display Filter Examples

In this section, we will discuss five useful display filter expressions.

1. Filter results by protocol

You can easily filter the results by a particular protocol. For example, to display only those packets that contain the TCP protocol, just write the name of the protocol, tcp, in the filter text box.

Here is an example snapshot:

[Screenshot: Wireshark protocol filter]

So you can see that all the packets containing the TCP protocol were displayed in the output.

2. Filter results by port

You can also filter results by network port. For example, to display only those TCP packets that have either source or destination port 80, just write tcp.port eq 80 in the filter box.

Here is an example snapshot:

[Screenshot: Wireshark port filter]

So you can see that all the TCP packets with source or destination port 80 were displayed in the output.

3. Filter results based on multiple conditions

If you want to display a packet whenever it satisfies any one of several conditions, use the or operator. For example, to display all the packets containing either the TCP or the DNS protocol, just write tcp or dns in the filter box.

Here is an example snapshot:

[Screenshot: Wireshark or filter]

So you can see that packets containing either the TCP or the DNS protocol were displayed in the output.

Similarly, you can use the and operator. It is used when a packet should be displayed only if it satisfies all of the conditions at once. For example, to display all the packets containing both the TCP and the HTTP protocol, just write tcp and http in the filter box.

Here is an example snapshot:

[Screenshot: Wireshark and filter]

So you can see that packets containing both the TCP and the HTTP protocol were displayed in the output.

4. Filter results by IP addresses

To filter results by IP address, use the source (ip.src) or destination (ip.dst) fields. For example, to display only those packets whose source IP is 192.168.0.103, just write ip.src==192.168.0.103 in the filter box.

Here is an example:

[Screenshot: Wireshark source IP filter]

So you can see that all the packets with source IP 192.168.0.103 were displayed in the output.

Similarly, you can use the destination field (ip.dst) to filter packets by destination IP address.

5. Filter results based on byte sequence

Sometimes you need to inspect packets based on a particular sequence of bytes present in them. To do this, just use the contains operator with the protocol name and the byte sequence, for example tcp contains 00:01:02.

Here is a snapshot:

[Screenshot: Wireshark bytes filter]

So you can see that the TCP packets containing the byte sequence 00:01:02 were displayed in the output.
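As an added illustration that is not part of the original article and not Wireshark's own code, the following small Python evaluator applies the five filter expressions discussed above to a few constructed packet records. It shows the semantics a beginner most often trips over: tcp.port matches either the source or the destination port, or binds more loosely than and, and contains searches for a byte subsequence. The packet records are hand-built (not a real capture), and contains is approximated here as a search over the recorded payload bytes rather than the whole TCP layer.

```python
import re

# Constructed sample packets (not from a real capture). Each record holds only
# the fields that the display filters on this page refer to.
PACKETS = [
    {"protos": {"ip", "tcp", "http"}, "ip.src": "192.168.0.103", "ip.dst": "93.184.216.34",
     "tcp.srcport": 51234, "tcp.dstport": 80, "payload": b"GET / HTTP/1.1\r\n"},
    {"protos": {"ip", "udp", "dns"}, "ip.src": "192.168.0.103", "ip.dst": "8.8.8.8",
     "udp.srcport": 40000, "udp.dstport": 53, "payload": b"\x12\x34\x01\x00"},
    {"protos": {"ip", "tcp"}, "ip.src": "10.0.0.5", "ip.dst": "192.168.0.103",
     "tcp.srcport": 443, "tcp.dstport": 51235, "payload": b"\x16\x03\x01\x00\x01\x02\x03"},
]

def _field(pkt, name):
    # tcp.port / udp.port are convenience fields: they match EITHER srcport or dstport.
    if name in ("tcp.port", "udp.port"):
        proto = name.split(".")[0]
        return {pkt.get(f"{proto}.srcport"), pkt.get(f"{proto}.dstport")} - {None}
    return {pkt[name]} if name in pkt else set()

def _atom(pkt, expr):
    expr = expr.strip()
    m = re.fullmatch(r"(\w+)\s+contains\s+([0-9a-fA-F:]+)", expr)
    if m:  # "tcp contains 00:01:02": protocol present AND byte subsequence found
        needle = bytes.fromhex(m.group(2).replace(":", ""))
        return m.group(1) in pkt["protos"] and needle in pkt["payload"]
    m = re.fullmatch(r"([\w.]+)\s*(==|eq)\s*(\S+)", expr)
    if m:  # "tcp.port eq 80" or "ip.src==192.168.0.103" ('eq' and '==' are synonyms)
        return m.group(3) in {str(v) for v in _field(pkt, m.group(1))}
    return expr in pkt["protos"]  # bare protocol name such as "tcp" or "dns"

def matches(pkt, expr):
    # Split on the loosest-binding operator first: 'or' binds looser than 'and'.
    for op, combine in (("or", any), ("and", all)):
        parts = re.split(rf"\s+{op}\s+", expr)
        if len(parts) > 1:
            return combine(matches(pkt, part) for part in parts)
    return _atom(pkt, expr)

def apply_filter(expr, packets=PACKETS):
    """Return the indices of the packets that the display filter keeps."""
    return [i for i, pkt in enumerate(packets) if matches(pkt, expr)]

if __name__ == "__main__":
    for f in ("tcp", "tcp.port eq 80", "tcp or dns", "tcp and http",
              "ip.src==192.168.0.103", "tcp contains 00:01:02"):
        print(f"{f:28s} -> packets {apply_filter(f)}")
```

Note that tcp.port eq 80 keeps the first packet because of its destination port alone, which is exactly why that filter is handier than separately testing tcp.srcport and tcp.dstport.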
