Unless you’re searching for an obscure Wireshark Filter there is a good chance you’re going to find what you’re looking for in this post.
I dug up the top 500 Google search results relating to Wireshark Display Filters and compiled a list of all the unique Filter queries to answer.
This gives us a list of the top 47 Filters that people are searching for!
Now some of these searches do relate to each other, so there will be some repetition/overlap, but I decided to answer each query as it was searched to try and help as many people directly as possible.
I also chose to keep most examples brief since fully explaining each filter could fill a book. I suggest anyone interested in learning more about a filter to first play with the example given here in Wireshark and then hit up the official Wireshark Display Filter Wiki page.
You may want to use ctrl+f to search this page because the list isn’t alphabetical.
Wireshark Filter by IP
ip.addr == 10.43.54.65
In plain English this filter reads, “Pass all traffic containing an IP Address equal to 10.43.54.65.” This will match on both source and destination.
You can read more about this in our article “How to Filter by IP in Wireshark“
Wireshark Filter by Destination IP
ip.dst == 10.43.54.65
Note the dst. This is short for destination. It reads, “Pass all traffic with a destination IP equal to 10.43.54.65.”
Wireshark Filter by Source IP
ip.src == 10.43.54.65
Note the src. This is short for source, which I’m confident you already figured out. It is interchangeable with dst within most filters that use dst and src to determine destination and source parameters. This filter reads, “Pass all traffic with a source IP equal to 10.43.54.65.”
Wireshark Filter IP Range
ip.addr >= 10.80.211.140 and ip.addr <= 10.80.211.142
This filter reads, “Pass all traffic with an IP greater than or equal to 10.80.211.140 and less than or equal to 10.80.211.142.” Note the “and” within the expression. It’s a logical AND. You could also use “&&” instead of “and.” This will match on both the source and destination.
Alternatively, you could search by subnet if you know the CIDR notation for the IP range you’re interested in, as shown below.
Wireshark Filter Multiple IP
ip.addr == 10.43.54.65 and ip.addr == 10.43.54.69
Pretty simple, it’s just two Filter by IP expressions joined with an “and.” Because ip.addr covers both source and destination, it reads “pass all traffic that carries both 10.43.54.65 and 10.43.54.69,” i.e. the packets exchanged between those two hosts.
Wireshark Filter Out IP Address
!(ip.addr == 10.43.54.65)
Note the ! which is a logical NOT. This reads “pass all traffic that does not have an IP address equal to 10.43.54.65.”
Wireshark Filter Subnet
ip.addr == 10.43.54.0/24
This is very similar to the Filter by IP expression except it uses the CIDR format of a subnet in place of a single IP.
Wireshark Filter by Port
tcp.port == 25
udp.port == 123
Note the tcp and udp in the beginning of the expression. This tells the filter what protocol you want to filter for when returning results that match your port number.
Wireshark Filter Destination Port
tcp.dstport == 25
Much like the Filter by IP filter this one contains “dst” to specify destination. Alternatively you could use “src” in the expression to specify source.
Wireshark Filter by IP and Port
ip.addr == 10.43.54.65 and tcp.port == 25
This will search for all packets that contain both 10.43.54.65 and TCP port 25 in either the source or destination (note that field names are lowercase; Tcp.port would be rejected). It’s advisable to specify source and destination for the IP and port, or else you’ll end up with more results than you’re probably looking for. For example:
ip.src == 10.43.54.65 and tcp.dstport == 25
This will show all packets with a source address of 10.43.54.65 heading to a TCP port of 25.
Wireshark Filter by Protocol Name
Simply enter the protocol abbreviation in the filter field.
Wireshark Filter TCP
Just like above, since TCP is a protocol, you just enter tcp (lowercase, since filter names are case sensitive) into the filter string field.
Wireshark Filter UDP
Just like above, since UDP is a protocol, you just enter udp into the filter string field.
Wireshark Filter HTTP
HTTP is a tricky one. If you truly just want packets using the HTTP protocol you just enter “http” into the filter field. However, this won’t show the TCP connection setup and termination. To see that info as well you’ll want to use the filter:
tcp.port == 80
You can read more about this in our article “How to Filter HTTP Traffic in Wireshark.”
Wireshark Filter HTTPS
HTTPS is a lot like HTTP in that you’ll want to use the port rather than the protocol if you want the bigger picture:
tcp.port == 443
Keep in mind that HTTPS traffic is encrypted, so unless you have the private key you won’t be able to read the payload.
Wireshark Filter HTTP GET Request
http.request.method == "GET"
If you want to filter for the other request methods you can replace “GET” with the appropriate method such as PUT, POST, DELETE, HEAD, OPTIONS, CONNECT, and TRACE.
Wireshark Filter HTTP POST
http.request.method == "POST"
Just like above, you’ll use the “http.request.method” filter and enter POST for the method.
Wireshark Filter Website URL
http.host == "exact.name.here"
My preference is to use “contains” in place of “==” so that you can return all results that contain foxnews.com.
http.host contains "partial.name.here"
This will return packets that have www.foxnews.com as well as foxnews.com and even media2.foxnews.com.
Wireshark Filter by Time (Timestamp)
frame.time >= "July 14, 2018 18:04:00" && frame.time <= "July 14, 2018 18:40:00"
This filter is equivalent to saying “pass all traffic with an arrival time greater than or equal to July 14, 2018 18:04:00 and less than or equal to July 14, 2018 18:40:00.”
A neat trick you can do with frame times is to click on a packet in the packet list pane, expand Frame in the packet details pane, then right click Arrival Time and choose Prepare a Filter to auto-fill the filter string field with the beginning of the filter.
Wireshark Filter ICMP
You simply enter icmp into the filter string field. See a complete list of ICMP filters here.
ICMP for IPv6 would be:
icmpv6
Wireshark Filter IGMP
You simply enter igmp into the filter string field to see all IGMP based packets. See a complete list of IGMP filters here.
Wireshark Filter by Application
There is no direct method for filtering for a specific application’s traffic. At best you can identify what type of traffic that application uses and filter for that such as filtering for port 25 when looking for traffic from an email application that uses port 25.
An alternative tool to Wireshark for inspecting application related traffic on the Windows platform would be Microsoft Message Analyzer.
Wireshark Filter Not Equal
This might be an oversimplified example, but most people searching for “Wireshark Filter Not Equal” are probably trying to figure out how to filter out all packets matching a certain IP, subnet, protocol, or port. In those cases, !(filter_expression) is a good fit. As an example:
!(ip.addr == 10.2.2.2)
Will show all packets that do not contain 10.2.2.2 in either the source or destination fields.
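To see what these ip.addr filters actually pass, here is an added Python model (not from the original post, and not running Wireshark) that applies the same either-address semantics to a few constructed packets; Packet, matching and the filter constructors are names I made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# Constructed sample traffic (not a real capture), reusing addresses from the filters above.
PACKETS: List[Packet] = [
    Packet("10.43.54.65", "10.43.54.69"),    # 0: the two "multiple IP" hosts talking
    Packet("10.43.54.69", "10.43.54.65"),    # 1: same pair, reply direction
    Packet("10.43.54.65", "8.8.8.8"),        # 2: .65 talking to an outside host
    Packet("10.80.211.141", "10.43.54.70"),  # 3: source inside 10.80.211.140-142
    Packet("192.168.1.5", "10.43.54.200"),   # 4: neither address in that range
]

def addrs(pkt: Packet):
    """ip.addr is multi-valued: it holds both ip.src and ip.dst of the frame."""
    return (ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst))

def addr_eq(ip: str) -> Callable[[Packet], bool]:
    """ip.addr == ip: true when EITHER address equals ip."""
    target = ipaddress.ip_address(ip)
    return lambda p: any(a == target for a in addrs(p))

def addr_in(cidr: str) -> Callable[[Packet], bool]:
    """ip.addr == 10.43.54.0/24: true when either address lies in the subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda p: any(a in net for a in addrs(p))

def addr_range(lo: str, hi: str) -> Callable[[Packet], bool]:
    """ip.addr >= lo and ip.addr <= hi: each comparison is satisfied by ANY address of
    the frame, so src can satisfy the >= while dst satisfies the <= (see packet 4)."""
    lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    return lambda p: any(a >= lo_a for a in addrs(p)) and any(a <= hi_a for a in addrs(p))

def both(a: str, b: str) -> Callable[[Packet], bool]:
    """ip.addr == a and ip.addr == b: the frame must carry BOTH addresses (a conversation between a and b)."""
    fa, fb = addr_eq(a), addr_eq(b)
    return lambda p: fa(p) and fb(p)

def exclude(ip: str) -> Callable[[Packet], bool]:
    """!(ip.addr == ip): drop every frame where ip appears as source OR destination."""
    f = addr_eq(ip)
    return lambda p: not f(p)

def matching(flt: Callable[[Packet], bool], packets: List[Packet] = PACKETS) -> List[int]:
    # Indexes of the packets the filter passes.
    return [i for i, p in enumerate(packets) if flt(p)]
```

Note that the range filter also passes packet 4, because its source satisfies the >= and its destination the <=; when that matters, compare ip.src or ip.dst explicitly, or use the subnet form.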
Wireshark Filter Packet Number
frame.number == 500
You can also use >, <, and, or, and many of the other operators and logical expressions.
Wireshark Filter SIP
To see all packets related to the SIP protocol simply enter sip into the filter string field. You can see all the SIP filters here.
Wireshark Filter SYN
tcp.flags.syn == 1
This filter will show both the TCP packets containing SYN and SYN/ACK. If you only want SYN you can use
tcp.flags.syn == 1 and tcp.flags.ack == 0
Wireshark Ack Filter
tcp.flags.ack == 1
Wireshark Syn Ack Filter
tcp.flags.syn == 1
This filter will show both the TCP packets containing SYN and SYN/ACK. To keep only the SYN/ACK replies, add tcp.flags.ack == 1 to it with an “and,” the same way the SYN-only filter above adds tcp.flags.ack == 0.
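As an added Python illustration (not from the original post) of how the SYN, ACK, SYN/ACK and RST filters carve up a handful of constructed TCP segments, and of one thing a bare SYN filter hides: which connection attempts never got an answer. Segment, select and unanswered_syns are names invented for this example.

```python
from dataclasses import dataclass
from typing import Callable, List
# Bit values of the TCP flags byte; tcp.flags.syn etc. are views of these bits.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int  # raw tcp.flags value

# Constructed sample segments (not a real capture): one completed handshake,
# one SYN that is never answered, and one SYN that is refused with RST.
SEGMENTS: List[Segment] = [
    Segment("10.43.54.65", 51000, "10.43.54.69", 25, SYN),         # 0 handshake start
    Segment("10.43.54.69", 25, "10.43.54.65", 51000, SYN | ACK),   # 1 server reply
    Segment("10.43.54.65", 51000, "10.43.54.69", 25, ACK),         # 2 handshake done
    Segment("10.43.54.65", 51001, "10.43.54.69", 443, SYN),        # 3 no reply at all
    Segment("10.43.54.65", 51002, "10.43.54.69", 23, SYN),         # 4 refused ...
    Segment("10.43.54.69", 23, "10.43.54.65", 51002, RST | ACK),   # 5 ... by this RST
]

def flag_syn(s: Segment) -> bool:  # tcp.flags.syn == 1 (matches SYN and SYN/ACK)
    return (s.flags & SYN) != 0

def flag_ack(s: Segment) -> bool:  # tcp.flags.ack == 1
    return (s.flags & ACK) != 0

def flag_rst(s: Segment) -> bool:  # tcp.flags.reset == 1
    return (s.flags & RST) != 0

def syn_only(s: Segment) -> bool:  # tcp.flags.syn == 1 and tcp.flags.ack == 0
    return flag_syn(s) and not flag_ack(s)

def syn_ack(s: Segment) -> bool:   # tcp.flags.syn == 1 and tcp.flags.ack == 1
    return flag_syn(s) and flag_ack(s)

def select(flt: Callable[[Segment], bool], segs: List[Segment] = SEGMENTS) -> List[int]:
    return [i for i, s in enumerate(segs) if flt(s)]  # indexes the filter passes

def unanswered_syns(segs: List[Segment] = SEGMENTS) -> List[int]:
    """Initial SYNs whose 4-tuple never got a SYN/ACK or RST back: connection
    attempts that a plain tcp.flags.syn == 1 filter leaves mixed in with the
    successful handshakes."""
    replied = {(s.dst, s.dport, s.src, s.sport) for s in segs if syn_ack(s) or flag_rst(s)}
    return [i for i, s in enumerate(segs) if syn_only(s)
            and (s.src, s.sport, s.dst, s.dport) not in replied]
```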
Wireshark Arp Filter
Simply enter arp in the display filter string field.
Wireshark Beacon Filter
wlan.fc.type_subtype == 0x08
Note the double equals, as with every other comparison on this page; 0x08 is the management-frame subtype for beacons.
Wireshark Broadcast Filter
eth.dst == ff:ff:ff:ff:ff:ff
Wireshark Multicast Filter
(eth.dst[0] & 1)
This tests the low-order bit of the first byte of the destination MAC, which is set for every group (multicast) address, so it will show multicast and broadcast. Since broadcast is a type of multicast it’s a valid expression. If you don’t want any broadcast results mixed in with the multicast you can use:
(eth.dst[0] & 1) && !(eth.dst == ff:ff:ff:ff:ff:ff)
Wireshark Dhcp Filter
Since DHCP is implemented as an extension of BOOTP, older Wireshark releases filter it as bootp. Wireshark 3.0 renamed that dissector to dhcp, so on current versions use dhcp (bootp is still accepted as an alias for now).
Wireshark Dns Filter
You can use the filter dns. You could also filter on port 53 since that is the port DNS usually uses. You can see all the DNS filters here.
Wireshark Dscp Filter
If you’re looking for all packets with a specific DSCP value you can use:
ip.dsfield.dscp == value
This is like saying, “there exists a field named ip.dsfield.dscp whose value is value.” Replace value with the DSCP number you’re after, e.g. 46 for Expedited Forwarding.
Wireshark Email Filter
The smtp, imap, and pop filters will get you close when dealing with traditional email traffic. If you’re working with another email type, encrypted email, or a nonstandard port you’ll have to filter for the ports you’re using.
Wireshark Ftp Filter
Enter ftp in the display filter string field for the control channel; the file transfers themselves are dissected separately as ftp-data.
Wireshark Hostname Filter
To make host name filters work you need to enable DNS resolution in the settings under View -> Name Resolution. Then you can use the filter:
ip.host == "hostname"
ip.host is a string field, so quote the name; as with http.host above you can use contains instead of == for partial matches.
Wireshark IPv6 Filter
ipv6.addr == fe80::f61f:c2ff:fe58:7dcb
Wireshark Kerberos Filter
Enter kerberos in the display filter string field. If you’re using Kerberos v4 use
krb4
Wireshark ldap Filter
Enter ldap in the display filter string field. You could also filter for port 389 since that’s the most common LDAP port.
Wireshark Mac Address Filter
eth.addr == 00:70:f4:23:18:c4
Wireshark Malformed Packet Filter
_ws.malformed
This will show all packets that the dissectors flagged as malformed.
Wireshark RST Filter
tcp.flags.reset == 1
Wireshark Skype Filter
This one isn’t so simple. See the Skype wiki page here.
Wireshark SSID Filter
wlan.ssid == "SSID"
Replace SSID with the network name, keeping the quotes since it is a string field.
Wireshark NTP Filter
udp.port == 123
Since NTP typically uses UDP port 123 you can simply filter for that port (ntp also works as a protocol filter). If your time server uses a different port or uses TCP then adjust the filter accordingly.
That’s it for now. I plan to continually revisit this article to add more detail and explanation to each filter as time permits so it can become a Wireshark Display Filter Cheat Sheet of sorts. So, consider this a work in progress.