Using Wireshark Display Filters: Methods and Common Expressions
This article explains Wireshark display filters, covering the dialog and text‑expression methods, and provides common filter examples for protocols, IP addresses, ports, packet size, comparison and logical operators, with code snippets for each case.
Wireshark display filters are used to filter captured packets, showing only those that meet specified criteria; they are more commonly used than capture filters because packets are captured without restrictions and then filtered during analysis.
There are two ways to apply display filters: the dialog method and the text‑expression method.
Dialog method – a simple, mouse-driven approach where you select a protocol field, choose a relation, and enter a value via the menu Analyze → Display Filter Expression.
Text-expression method – suitable for experienced users, allowing direct entry of filter expressions in the filter bar.
Protocol filtering – limit traffic to specific protocols such as HTTP or SSH:
    http
    http or ssh
IP address filtering – use ip.addr == 192.168.110.145 to show packets involving a particular IP address (ip.addr matches either the source or the destination field, so both directions of the conversation are shown):
    ip.addr == 192.168.110.145
Packet size filtering – show packets whose frame length exceeds 128 bytes:
    frame.len > 128
Common comparison operators include >, <, >=, <=, ==, and !=.
Logical expressions combine multiple conditions, e.g.:
    frame.len > 128 and ip.addr == 192.168.110.145
Logical operators are and (both conditions), or (either condition), not (negation), and xor (exclusive or).
Port filtering – specify the protocol before the port, for example:
    tcp.port == 80
Commonly used display filter expressions include:
    !arp – exclude ARP packets
    http – show only HTTP packets
    !tcp.port==80 – filter out HTTP packets
    tcp.port==21 or tcp.port==22 – FTP or SSH
    tcp.flags.syn==1 – TCP packets with the SYN flag set
    tcp.flags.rst==1 – TCP packets with the RST flag set