Wireshark’s display filter language allows you to control the packets currently displayed by the platform. Typically, you will use display filters to check for the presence of a protocol or field. However, you can also use them to compare packets using logical operators, such as “and” and “or”.

It’s easy to confuse Wireshark’s display filter with its capture filter. This article explains how to use the display filter on both PC and Mac. It also discusses the difference between the filters in Wireshark.

How to use Wireshark filters on a Windows PC

Using the Wireshark display filter on a PC is fairly simple. The platform provides a field at the top of the screen that allows you to quickly specify the packets you want to display. Typically, you will see packets based on the following criteria:

  • Protocol
  • Field values
  • Presence of a field
  • Comparisons between fields

However, the display field function allows for more complex use.

There are two methods to use the Wireshark filters on a Windows PC.

Method 1 – Direct filter input

Assuming you only want to see one protocol, follow these steps:

  1. Look for and click on the Wireshark filter toolbar.
  2. Type the protocol name into the toolbar. For example, type “tcp” if you want to display all TCP packets.
  3. Press “Enter” to apply the chosen filter. You can also click “Apply” after entering your filter expression.

You should now see Wireshark displaying packets based on the filter you chose. All of these packets remain in their associated capture file. A display filter does not change the contents of a capture file. It displays packets corresponding to the filter you are applying.

If you want to remove the filter you applied, click the Clear button. It is located to the right of the display filter toolbar.

Method 2 – The statistics bar

This method lets you apply a filter without having to type directly into the display filter toolbar.

  1. Locate “Statistics” in the top menu and click on it.
  2. Select one of the options from the dropdown list. For this demonstration, choose “Endpoints”.
  3. A popup window should appear showing the endpoint report with MAC addresses. Right-click on one of the addresses and select “Apply as filter”.
  4. Click on “Selected”.

The syntax of your choice is automatically entered into the display filter toolbar.

How to use the display filter in Wireshark on a Mac

Wireshark on a Mac allows you to use a display filter to display packets based on a set of options and expressions, including protocols, field comparisons, field values, and more. There are two ways to use the display filter on a Mac.

Method 1 – The display filter toolbar

The following steps allow you to view a simple protocol. It is possible to use a variety of operators to create more complex filters, assuming you have a deep understanding of Wireshark. Follow these steps to get a simple protocol display filter.

  1. Click on the display filter toolbar at the top of the screen. This is the text box next to the word “Filter”.
  2. Enter the protocol name and click the “Apply” button.

Wireshark displays each packet related to the entered protocol found in the current capture filter. Click the Clear button located next to the display filter toolbar to remove the filter and display all packets again.

Method 2 – The statistics bar

If you don’t know the exact expression to enter for your filter, there is a simpler method that can apply in some cases. The following example shows how to create a display filter using an endpoint. It can also be applied to several other types of expressions and protocols. Follow these steps to create an endpoint display filter.

  1. Click on “Statistics” in the top menu bar.
  2. Select “Endpoints”.
  3. Navigate to the endpoint you want to filter in the popup box, right-click and highlight “Apply as filter”.
  4. Choose “Selected”.

You should see Wireshark automatically introduce the syntax of your choice into the display filter toolbar. The platform will also display the packets relevant to the endpoint you have chosen.

Apply your filters

Wireshark’s display filter function allows you to quickly check the packets in your capture. It’s ideal for large captures when you need to eliminate all the noise on your screen to analyze specific protocols or fields. Wireshark provides detailed information about the various filter modifiers and expressions for the display filter through its wiki.

But now we want to know your opinion. How often do you need to scan specific packets in Wireshark? Do you think using the display filter will make you more efficient when using the platform? Let us know what you think of Wireshark’s display filter in the comments below.

Frequently Asked Questions

What’s the difference between a display filter and a capture filter?

Wireshark allows you to use display filters and capture filters to navigate through your packets. It’s easy to confuse these filters. However, they serve different purposes and their use requires different syntaxes.

A display filter is used once you’ve captured everything you need and want to display specific packets for analysis.

Capture filters are more limited than display filters. They reduce the size of a raw packet capture and must be set up before starting the packet capture process. Typically, you will use capture filters if you want to apply a command to return or eliminate specific types of packets from a capture. Capture filters cannot be changed during the capture process.

Display filters and capture filters also differ in the syntax they use.

With a display filter, a combination of boolean filters and operators is used to create a logical description of the filter you want to create. Examples include “==” and “!=” which mean equal and not equal, respectively.

Capture filters use a more complicated syntax that combines masks, byte offsets, and hexadecimal values with boolean filtering language. This makes capture filters less intuitive than display filters, but it also means you can use them to apply more complex filters.

What is a display filter in Wireshark?

A display filter in Wireshark is a feature that allows users to display specific packets based on certain criteria, such as protocols, field values, or the presence of fields. These filters are useful for quickly analyzing specific packets in large captures and eliminating screen noise.

How do you apply display filters in Wireshark on a Windows PC?

On a Windows PC, you can apply display filters in Wireshark using two methods. The first method involves directly writing the filter into the display filter toolbar and pressing “Enter” or clicking “Apply”.

The second method uses the statistics bar to apply a filter without having to directly write into the display filter toolbar.

How do you apply display filters in Wireshark on a Mac?

On a Mac, you can apply display filters in Wireshark using two methods. The first method is through the display filter toolbar, where you enter the protocol name and click the “Apply” button. The second method is via the statistics bar, where you select an endpoint and apply it as a filter.

What is the difference between a display filter and a capture filter in Wireshark?

The main difference between a display filter and a capture filter in Wireshark is their purpose and timing of application. A display filter is used after a packet capture has been done and you want to display specific packets for analysis.