
Using Wireshark Display Filters: Methods and Common Expressions

This article explains Wireshark display filters, covering the dialog and text‑expression methods, and provides common filter examples for protocols, IP addresses, ports, packet size, comparison and logical operators, with code snippets for each case.

php Courses

Wireshark display filters are applied to packets that have already been captured, showing only those that meet the specified criteria. They are used more often than capture filters because the usual workflow is to capture without restrictions and then filter during analysis.

There are two ways to apply display filters: the dialog method and the text‑expression method.

Dialog method – a simple, mouse‑driven approach where you select a protocol field, choose a relation, and enter a value via the menu Analyze → Display Filter Expression.

Text‑expression method – suitable for experienced users, allowing direct entry of filter expressions.

Protocol filtering – limit traffic to specific protocols such as HTTP or SSH:

http
http or ssh

IP address filtering – use ip.addr == 192.168.110.145 to show packets to or from a particular IP address (ip.addr matches either the source or the destination address):

ip.addr == 192.168.110.145

Packet size filtering – filter packets larger than 128 bytes:

frame.len > 128

Common comparison operators include >, <, >=, <=, ==, and !=.

Logical expressions combine multiple conditions, e.g.:

frame.len > 128 and ip.addr == 192.168.110.145

Logical operators are and (both conditions), or (either condition), not (negation), and xor (exclusive or).

Port filtering – specify the protocol before the port, for example:

tcp.port == 80

Commonly used display filter expressions include:

!arp                          // exclude ARP packets
http                          // show only HTTP packets
!tcp.port==80                 // exclude traffic on TCP port 80 (HTTP)
tcp.port==21 or tcp.port==22  // FTP or SSH
tcp.flags.syn==1              // TCP packets with the SYN flag set
tcp.flags.rst==1              // TCP packets with the RST flag set
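
To make the matching rules above concrete, the following Python model (an added example, not part of the original article and not Wireshark's own filter engine) evaluates a subset of the display-filter syntax against constructed packets. The packet dictionaries, the names `matches` and `select`, and the choice that `and` binds tighter than `or` are assumptions of this model; `!=`, `xor` and parentheses are left out.

```python
import operator
import re

# Constructed sample packets (not from a real capture). Each field maps to a
# list of values: ip.addr and tcp.port carry BOTH the source and destination.
PACKETS = [
    {"frame.len": [60], "ip.addr": ["192.168.110.145", "10.0.0.5"], "tcp.port": [51000, 80], "http": [True]},
    {"frame.len": [1500], "ip.addr": ["10.0.0.5", "192.168.110.145"], "tcp.port": [22, 40022], "ssh": [True]},
    {"frame.len": [42], "arp": [True]},
    {"frame.len": [200], "ip.addr": ["10.0.0.7", "10.0.0.9"], "tcp.port": [21, 50321]},
]
TOKEN = re.compile(r"\s*(==|>=|<=|>|<|!|[\w.]+)")
OPS = {"==": operator.eq, ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}

def matches(expr, pkt):
    """Evaluate a filter from the modelled subset against one packet dict."""
    toks, pos = TOKEN.findall(expr), 0
    if "".join(toks) != expr.replace(" ", ""):
        raise ValueError("unsupported syntax in: " + expr)
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def peek():
        return toks[pos] if pos < len(toks) else None
    def chain(word, operand, combine):  # left-associative run of and / or
        result = operand()
        while peek() == word:
            take()
            result = combine(result, operand())
        return result
    def unary():
        if peek() in ("not", "!"):
            take()
            return not unary()  # negates the whole comparison that follows
        values = pkt.get(take(), [])  # absent field -> no values
        if peek() in OPS:
            compare, raw = OPS[take()], take()
            want = int(raw) if raw.isdigit() else raw
            return any(compare(v, want) for v in values)  # any occurrence may match
        return bool(values)  # bare protocol/field name: true if present
    # Assumption of this model: "and" binds tighter than "or".
    result = chain("or", lambda: chain("and", unary, operator.and_), operator.or_)
    if pos != len(toks):
        raise ValueError("trailing tokens in: " + expr)
    return result

def select(expr):
    """Return the indexes of the sample packets that the filter displays."""
    return [i for i, pkt in enumerate(PACKETS) if matches(expr, pkt)]
```

In this model `select("!tcp.port==80")` returns `[1, 2, 3]`: the ARP packet is displayed because it has no tcp.port field at all, which is worth remembering when a negated filter shows more traffic than expected.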