Wireshark Filtering Guide: Display and Capture Filters

Wireshark is an open‑source network protocol analyzer originally created by Gerald Combs in 1998 (formerly Ethereal). It captures packets on network interfaces and provides detailed decoding on Windows, macOS and Linux.

Key functions include real‑time capture, protocol decoding, powerful filtering, packet reassembly, and statistical charts.

The UI consists of a menu/toolbar, capture options, packet list, packet details, byte view, and a display‑filter input box.

Basic Filtering

Wireshark offers two filter types: display filters (applied after capture) and capture filters (applied during capture). Their syntax differs.

Display Filters

Display filters use field names, operators and values. Example field names: ip.addr , tcp.port . Operators: == , != , > , < , etc.

ip.addr == 192.168.3.9

Common filters:

IP address: ip.src == 192.168.3.9 , ip.dst == 192.168.3.66 , ip.addr == 192.168.3.9

Port: tcp.srcport == 80 , tcp.dstport == 443 , tcp.port == 80

Protocol: http , tcp , icmp

Exclude: !icmp

Advanced examples:

ip.src == 192.168.3.9 && tcp.dstport == 8080

frame.len >= 100 && frame.len <= 200

http.request.uri matches ".*login.*"

Capture Filters

Capture filters use Berkeley Packet Filter (BPF) syntax and run while packets are being captured.

Basic syntax: field name, operator, value. Example fields: host , port , net .

host 192.168.3.9

Common filters:

IP: src host 192.168.1.1 , dst host 192.168.3.66

Port: port 80 , src port 80 , dst port 443

Protocol: tcp , udp , icmp

Exclude: not host 192.168.1.1 , not port 80

Advanced capture examples:

src host 192.168.1.1 and dst port 80

net 192.168.1.0/24

These filters help reduce captured data and focus analysis on relevant traffic.

End of article.