Epic List of Top Searched Wireshark Display Filters

Unless you’re searching for an obscure Wireshark Filter there is a good chance you’re going to find what you’re looking for in this post.

I dug up the top 500 Google search results relating to Wireshark Display Filters and compiled a list of all the unique Filter queries to answer.

This gives us a list of the top 47 Filters that people are searching for!

Now some of these searches do relate to each other, so there will be some repetition/overlap, but I decided to answer each query as it was searched to try and help as many people directly as possible.

I also chose to keep most examples brief since fully explaining each filter could fill a book. I suggest that anyone interested in learning more about a filter first play with the example given here in Wireshark and then hit up the official Wireshark Display Filter Wiki page. The same expressions work on the command line with tshark -Y "<filter>" when you need to script things.

You may want to use ctrl+f to search this page because the list isn’t alphabetical.

Related: https://networkproguide.com/Wireshark-user-interface-gui-overview/

Wireshark Filter by IP

ip.addr == 10.43.54.65

In plain English this filter reads, “Pass all traffic containing an IP Address equal to 10.43.54.65.” This will match on both source and destination.

You can read more about this in our article “How to Filter by IP in Wireshark.”

Wireshark Filter by Destination IP

ip.dst == 10.43.54.65

Note the dst. This is short for destination. It reads, “Pass all traffic with a destination IP equal to 10.43.54.65.”

Wireshark Filter by Source IP

ip.src == 10.43.54.65

Note the src. This is short for source, which I’m confident you already figured out. It is interchangeable with dst within most filters that use dst and src to determine destination and source parameters. This filter reads, “Pass all traffic with a source IP equal to 10.43.54.65.”

Wireshark Filter IP Range

ip.addr >= 10.80.211.140 and ip.addr <= 10.80.211.142

This filter reads, “Pass all traffic with an IP greater than or equal to 10.80.211.140 and less than or equal to 10.80.211.142.” Note the “and” within the expression. It’s a logical AND; “&&” works the same way. The comparison is numeric on the address value, and because ip.addr covers both source and destination, each side of the and is checked against both addresses separately. That means a packet whose source is above the range and whose destination is below it also passes. If that matters, write the range against ip.src or ip.dst instead, or on recent versions use ip.addr in {10.80.211.140 .. 10.80.211.142}, which tests each address individually.

Alternatively, you can filter by subnet if you know the CIDR notation for the range you’re interested in, as shown below.

Wireshark Filter Multiple IP

ip.addr == 10.43.54.65 and ip.addr == 10.43.54.69

Pretty simple, it’s just two Filter by IP expressions joined with an “and,” but note what the and means here: both addresses must appear in the same packet, so this shows only the traffic between 10.43.54.65 and 10.43.54.69 (one as source, the other as destination). If you want everything involving either host, join the two expressions with “or” instead.

Wireshark Filter Out IP Address

!(ip.addr == 10.43.54.65)

Note the ! which is a logical NOT. This reads “pass all traffic that does not have an IP address equal to 10.43.54.65.” Keep the ! and the parentheses rather than writing ip.addr != 10.43.54.65: on Wireshark versions before 3.6 that form matched nearly every packet (see Wireshark Filter Not Equal below).

Wireshark Filter Subnet

ip.addr == 10.43.54.0/24

This is very similar to the Filter by IP expression except it uses the CIDR format of a subnet in place of a single IP.

Wireshark Filter by Port

tcp.port == 25

udp.port == 123

Note the tcp and udp at the beginning of the expression. This tells the filter which transport protocol to match the port number against. tcp.port and udp.port match the port in either the source or the destination position.

Wireshark Filter Destination Port

tcp.dstport == 25

Much like the Filter by IP filter this one contains “dst” to specify destination. Alternatively you could use “src” in the expression to specify source.

Wireshark Filter by IP and Port

ip.addr == 10.43.54.65 and tcp.port == 25

This will search for all packets that contain both 10.43.54.65 and TCP port 25 in either the source or destination. It’s advisable to specify source and destination for the IP and Port else you’ll end up with more results than you’re probably looking for. For example:

ip.src == 10.43.54.65 and tcp.dstport == 25

This will show all packets with a source address of 10.43.54.65 heading to a TCP port of 25.

Wireshark Filter by Protocol Name

tcp

Simply enter the protocol’s filter name, in lowercase, in the filter field. Field and protocol names are case-sensitive, so TCP is rejected where tcp is accepted.

Wireshark Filter TCP

tcp

Just like above, since TCP is a protocol, you just enter tcp into the filter string field.

Wireshark Filter UDP

udp

Just like above, since UDP is a protocol, you just enter udp into the filter string field.

Wireshark Filter HTTP

http

HTTP is a tricky one. If you truly just want the packets the HTTP dissector decoded, you just enter “http” into the filter field. However, this won’t show the TCP setup and termination, and it only catches traffic on the ports Wireshark associates with HTTP (80 and 8080 among others) unless you add your own with Decode As. To see the whole conversation you’ll want to use the filter:

tcp.port == 80

You can read more about this in our article “How to Filter HTTP Traffic in Wireshark.”

Wireshark Filter HTTPS

tls

There is no “https” protocol in Wireshark’s filter language, so typing https is rejected. HTTPS is HTTP carried inside TLS, and the dissector for that is tls (named ssl in versions before 3.0). HTTPS is a lot like HTTP in that you’ll want to use the port rather than the protocol if you want the bigger picture, including the TCP setup and teardown:

tcp.port == 443

Keep in mind that HTTPS payloads are encrypted, so you won’t be able to read the HTTP inside without key material. The server’s private key only helps for sessions negotiated with RSA key exchange; with forward-secret (EC)DHE cipher suites, which is what current servers use, Wireshark needs the per-session secrets instead, typically a key log file the client writes when the SSLKEYLOGFILE environment variable is set, loaded under the TLS protocol preferences. One thing that usually stays in the clear is the SNI hostname in the ClientHello, which you can filter with tls.handshake.extensions_server_name contains "example.com".

Wireshark Filter HTTP GET Request

http.request.method == "GET"

If you want to filter for the other request methods you can replace “GET” with the appropriate method such as PUT, POST, DELETE, HEAD, OPTIONS, CONNECT, and TRACE.

Wireshark Filter HTTP POST

http.request.method == "POST"

Just like above, you’ll use the “http.request.method” filter and enter POST for the method.

Wireshark Filter Website URL

http.host == "exact.name.here"

This expression matches the Host header of the request, not the whole URL, and it requires the exact value such as www.foxnews.com. Leaving off the www will result in not displaying any packets that say www.foxnews.com. If you want the path as well, http.request.uri holds the requested path and http.request.full_uri the reconstructed URL.

My preference is to use “contains” in place of “==” so that you can return all results that contain foxnews.com.

http.host contains "partial.name.here"

This will return packets that have www.foxnews.com as well as foxnews.com and even media2.foxnews.com. Note that contains is case-sensitive; for a case-insensitive match use the matches operator with a regular expression.

Wireshark Filter by Time (Timestamp)

frame.time >= "July 14, 2018 18:04:00" && frame.time <= "July 14, 2018 18:40:00"

This filter is equivalent to saying “pass all traffic with an arrival time greater than or equal to July 14, 2018 18:04:00 and less than or equal to July 14, 2018 18:40:00.” Two caveats: frame.time is displayed and compared in the local time zone of the machine running Wireshark, not the one where the capture was taken, so opening a capture in another time zone shifts the times; and if you need something zone-independent, frame.time_epoch takes Unix seconds and frame.time_relative takes seconds since the first packet in the capture. Recent versions also accept ISO 8601 timestamps such as "2018-07-14 18:04:00"; if yours rejects that form, use the month-name format shown above.

A neat trick you can do with frame times is to click on a packet in the packet list pane, expand Frame in the packet details pane, then right click the Arrival Time and choose Prepare as Filter to auto fill the filter string field with the beginning of the filter.

Wireshark Filter ICMP

icmp

You simply enter icmp into the filter string field. Individual message types are available through icmp.type, e.g. icmp.type == 8 for echo requests and icmp.type == 0 for echo replies; the Wireshark Display Filter Reference lists the rest of the icmp fields.

ICMP for IPv6 would be:

icmpv6

Wireshark Filter IGMP

igmp

You simply enter igmp into the filter string field to see all IGMP based packets. The individual igmp fields are listed in the Wireshark Display Filter Reference.

Wireshark Filter by Application

There is no direct method for filtering for a specific application’s traffic, because a packet capture carries no record of which process sent a packet. At best you can work out what type of traffic the application uses and filter for that, such as filtering for port 25 when looking for traffic from an email application that uses SMTP. A more precise variant is to look up the local port the process has open (netstat -o on Windows, ss -p or lsof -i on Linux and macOS) and filter on that port.

Microsoft Message Analyzer, which used to be the Windows alternative for process-aware tracing, was retired by Microsoft in 2019 and is no longer available for download.

Wireshark Filter Not Equal

!(filter_expression)

This might be an oversimplified example, but most people searching for “Wireshark Filter Not Equal” are probably trying to figure out how to exclude all packets matching a certain IP, subnet, protocol, or port. In those cases !(filter_expression) is a good fit. As an example:

!(ip.addr == 10.2.2.2)

Will show all packets that do not contain 10.2.2.2 in either the source or destination field. Be careful with the != operator on fields that occur more than once in a packet, such as ip.addr, which covers both source and destination. In Wireshark versions before 3.6, ip.addr != 10.2.2.2 meant “any occurrence is not equal,” so it matched almost every packet, including the ones to and from 10.2.2.2. Since 3.6, a != b is evaluated as !(a == b), and the old any-not-equal behaviour is spelled !== (introduced in 4.0; 3.6 wrote it ~=). The !( ... ) form behaves the same on every version, so it is the safe choice.
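To make the any-value matching behaviour concrete, here is a small Python model, added for this article and not code from Wireshark, of how a multi-valued field like ip.addr is compared. It evaluates the Multiple IP, Filter Out IP, Subnet, IP Range and Not Equal filters above against a handful of constructed packets; the addresses and frame numbers are invented for the example, not taken from a real capture.

```python
"""Model of how Wireshark matches a multi-valued field such as ip.addr.

ip.addr carries two values per packet (source and destination), and a
comparison on it is true when ANY of the values satisfies it.  Standard
library only; the packets below are constructed for the example.
"""
import ipaddress

# (frame.number, ip.src, ip.dst) -- invented sample traffic
PACKETS = [
    (1, "10.43.54.65", "10.43.54.69"),
    (2, "10.43.54.69", "10.43.54.65"),
    (3, "10.43.54.65", "8.8.8.8"),
    (4, "192.168.1.10", "10.43.54.69"),
    (5, "192.168.1.10", "1.1.1.1"),
]


def ip_addr_values(pkt):
    """The values ip.addr takes in this packet: source and destination."""
    _, src, dst = pkt
    return [ipaddress.ip_address(src), ipaddress.ip_address(dst)]


def value_matches(value, target):
    """One address against 'target', which may be a host (10.43.54.65) or a
    CIDR block (10.43.54.0/24); a bare host is treated as a /32."""
    return value in ipaddress.ip_network(target, strict=False)


def ip_addr_eq(pkt, target):
    """ip.addr == target: true if source OR destination matches."""
    return any(value_matches(v, target) for v in ip_addr_values(pkt))


def ip_addr_not_eq(pkt, target):
    """!(ip.addr == target): true only if NEITHER address matches."""
    return not ip_addr_eq(pkt, target)


def ip_addr_any_ne(pkt, target):
    """'Any value not equal' semantics: what ip.addr != target meant before
    Wireshark 3.6 (and what ip.addr !== target means in 4.0+).  True as soon
    as one of the two addresses differs, which is almost always."""
    return any(not value_matches(v, target) for v in ip_addr_values(pkt))


def ip_addr_in_range(pkt, low, high):
    """ip.addr >= low and ip.addr <= high, as Wireshark evaluates it: each
    comparison is true if ANY address satisfies it, so the two sides can be
    satisfied by different addresses of the same packet."""
    lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
    vals = ip_addr_values(pkt)
    return any(v >= lo for v in vals) and any(v <= hi for v in vals)


def ip_addr_in_set_range(pkt, low, high):
    """ip.addr in {low .. high}: each address is tested against the whole range."""
    lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
    return any(lo <= v <= hi for v in ip_addr_values(pkt))


def run(pred, packets=PACKETS):
    """Frame numbers of the packets that pass the filter."""
    return [pkt[0] for pkt in packets if pred(pkt)]


# The article's filters, written as predicates over the model.
def both_hosts(a, b):          # ip.addr == a and ip.addr == b -> only a<->b packets
    return run(lambda p: ip_addr_eq(p, a) and ip_addr_eq(p, b))

def either_host(a, b):         # ip.addr == a or ip.addr == b  -> anything touching a or b
    return run(lambda p: ip_addr_eq(p, a) or ip_addr_eq(p, b))

def exclude_host(target):      # !(ip.addr == target)
    return run(lambda p: ip_addr_not_eq(p, target))

def legacy_not_equal(target):  # ip.addr != target on Wireshark < 3.6
    return run(lambda p: ip_addr_any_ne(p, target))

def subnet(cidr):              # ip.addr == 10.43.54.0/24
    return run(lambda p: ip_addr_eq(p, cidr))

def address_range(low, high):  # ip.addr >= low and ip.addr <= high
    return run(lambda p: ip_addr_in_range(p, low, high))

def address_set_range(low, high):  # ip.addr in {low .. high}
    return run(lambda p: ip_addr_in_set_range(p, low, high))


if __name__ == "__main__":
    print("and  :", both_hosts("10.43.54.65", "10.43.54.69"))
    print("or   :", either_host("10.43.54.65", "10.43.54.69"))
    print("!()  :", exclude_host("10.43.54.65"))
    print("!=   :", legacy_not_equal("10.43.54.65"))
    print("/24  :", subnet("10.43.54.0/24"))
    print(">=<= :", address_range("10.43.54.66", "10.43.54.68"))
    print("in{} :", address_set_range("10.43.54.66", "10.43.54.68"))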

Wireshark Filter Packet Number

frame.number == 500

You can also use >, <, >=, <=, and, or, and the other operators and logical expressions, for example to show a range of frame numbers or to combine a frame number with another filter.

Wireshark Filter SIP

sip

To see all packets related to the SIP protocol simply enter sip into the filter string field. Port 5060 (UDP or TCP) is the usual fallback if the dissector doesn’t pick the traffic up, and the individual sip fields are listed in the Wireshark Display Filter Reference.

Wireshark Filter SYN

tcp.flags.syn == 1

This filter will show both the TCP packets containing SYN and SYN/ACK. If you only want SYN you can use

tcp.flags.syn == 1 and tcp.flags.ack == 0

Wireshark Ack Filter

tcp.flags.ack == 1

Wireshark Syn Ack Filter

tcp.flags.syn == 1 and tcp.flags.ack == 1

tcp.flags.syn == 1 on its own shows both the initial SYN and the SYN/ACK reply; requiring the ACK flag as well leaves only the SYN/ACK, i.e. the second packet of each handshake, which is a quick way to list the ports that actually answered.

Wireshark Arp Filter

arp

Simply enter arp in the display filter string field.

Wireshark Beacon Filter

wlan.fc.type_subtype == 0x08

802.11 beacon frames are management frames (type 0) with subtype 8, which is what 0x08 selects. This only does anything on captures that contain the 802.11 headers, i.e. monitor-mode captures; a normal capture on a Wi-Fi adapter presents the traffic as plain Ethernet frames and the wlan fields are absent.

Wireshark Broadcast Filter

eth.dst == ff:ff:ff:ff:ff:ff

Wireshark Multicast Filter

(eth.dst[0] & 1)

This tests the low-order bit of the first byte of the destination MAC, the individual/group (I/G) bit, so it shows both multicast and broadcast. Since broadcast is a type of multicast it’s a valid expression. If you want to exclude broadcast from the results you can use:

(eth.dst[0]&1) && !(eth.dst == ff:ff:ff:ff:ff:ff)
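As an added illustration (not from the original article or from Wireshark), the following Python decodes constructed Ethernet/IPv4/TCP frames into the fields the SYN, SYN/ACK, RST, Broadcast and Multicast filters above refer to, then applies those filters to them. The MAC and IP addresses, ports and frame contents are all made up for the example.

```python
"""Decode constructed Ethernet/IPv4/TCP frames into Wireshark-style fields and
apply the flag and destination-MAC filters from the article to them.

Standard library only.  All frames, addresses and ports below are invented
for this example; nothing is read from a real capture.
"""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, flags, dscp=0):
    """Assemble a minimal frame: 14-byte Ethernet, 20-byte IPv4, 20-byte TCP,
    no payload.  Checksums are left at zero; Wireshark would flag that, but
    the fields filtered on here are unaffected."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s",
                       0x45, dscp << 2, 20 + len(tcp), 0, 0, 64, 6, 0,
                       ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + b"\x08\x00"
    return eth + ipv4 + tcp


def decode(raw):
    """Return a dict keyed by the Wireshark field names used in the article."""
    f = {"eth.dst": bytes_to_mac(raw[0:6]), "eth.src": bytes_to_mac(raw[6:12])}
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:      # not IPv4
        return f
    ihl = (raw[14] & 0x0F) * 4
    f["ip.dsfield.dscp"] = raw[15] >> 2                    # top 6 bits of the TOS/DS byte
    f["ip.proto"] = raw[23]
    f["ip.src"], f["ip.dst"] = bytes_to_ip(raw[26:30]), bytes_to_ip(raw[30:34])
    f["ip.addr"] = {f["ip.src"], f["ip.dst"]}               # multi-valued field
    if f["ip.proto"] != 6:                                  # not TCP
        return f
    tcp = 14 + ihl
    f["tcp.srcport"], f["tcp.dstport"] = struct.unpack("!HH", raw[tcp:tcp + 4])
    f["tcp.port"] = {f["tcp.srcport"], f["tcp.dstport"]}
    flags = raw[tcp + 13]
    f["tcp.flags.syn"] = 1 if flags & TCP_SYN else 0
    f["tcp.flags.ack"] = 1 if flags & TCP_ACK else 0
    f["tcp.flags.reset"] = 1 if flags & TCP_RST else 0
    return f


# The article's filters, expressed over the decoded fields.
def syn_only(f):        # tcp.flags.syn == 1 and tcp.flags.ack == 0
    return f.get("tcp.flags.syn") == 1 and f.get("tcp.flags.ack") == 0

def syn_ack(f):         # tcp.flags.syn == 1 and tcp.flags.ack == 1
    return f.get("tcp.flags.syn") == 1 and f.get("tcp.flags.ack") == 1

def rst(f):             # tcp.flags.reset == 1
    return f.get("tcp.flags.reset") == 1

def multicast(f):       # (eth.dst[0] & 1): I/G bit set, broadcast included
    return (int(f["eth.dst"].split(":")[0], 16) & 1) == 1

def broadcast(f):       # eth.dst == ff:ff:ff:ff:ff:ff
    return f["eth.dst"] == BROADCAST_MAC

def multicast_not_broadcast(f):  # (eth.dst[0]&1) && !(eth.dst == ff:ff:ff:ff:ff:ff)
    return multicast(f) and not broadcast(f)


CLIENT, SERVER = "00:70:f4:23:18:c4", "00:50:56:ab:cd:ef"
FRAMES = [  # constructed: an SMTP handshake, a reset, one multicast and one broadcast frame
    build_frame(SERVER, CLIENT, "10.43.54.65", "10.43.54.69", 51000, 25, TCP_SYN, dscp=46),
    build_frame(CLIENT, SERVER, "10.43.54.69", "10.43.54.65", 25, 51000, TCP_SYN | TCP_ACK),
    build_frame(SERVER, CLIENT, "10.43.54.65", "10.43.54.69", 51000, 25, TCP_ACK),
    build_frame(CLIENT, SERVER, "10.43.54.69", "10.43.54.65", 25, 51000, TCP_RST | TCP_ACK),
    build_frame("01:00:5e:00:00:fb", CLIENT, "10.43.54.65", "224.0.0.251", 51000, 25, TCP_ACK),
    build_frame(BROADCAST_MAC, CLIENT, "10.43.54.65", "255.255.255.255", 51000, 25, TCP_ACK),
]


def apply_filter(pred, frames=FRAMES):
    """Frame numbers (1-based, like Wireshark) of the frames the filter passes."""
    return [i for i, raw in enumerate(frames, start=1) if pred(decode(raw))]


if __name__ == "__main__":
    for name, pred in [("SYN only", syn_only), ("SYN/ACK", syn_ack), ("RST", rst),
                       ("multicast incl. broadcast", multicast),
                       ("multicast only", multicast_not_broadcast)]:
        print(f"{name:26s} -> frames {apply_filter(pred)}")
```

The decoder also pulls out ip.dsfield.dscp (the first frame is marked 46, Expedited Forwarding) and the multi-valued ip.addr and tcp.port sets, so the same decoded dict can drive the port and DSCP filters from elsewhere on this page.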

Wireshark Dhcp Filter

dhcp

On Wireshark 3.0 and later the DHCP dissector is called dhcp. Older versions called it bootp, because DHCP is implemented as an extension of BOOTP, so use bootp there. If in doubt, udp.port == 67 or udp.port == 68 catches DHCP on any version, and IPv6 hosts use dhcpv6 (UDP 546/547) instead.

Wireshark Dns Filter

dns

You can use the filter dns. You could also filter on port 53 since that is the port DNS usually uses. Keep in mind that DNS over TLS (853) and DNS over HTTPS (443) won’t show up as dns at all. Useful individual fields include dns.qry.name for the queried name, dns.a for A record answers and dns.flags.response to separate queries from responses; the Wireshark Display Filter Reference lists the rest.

Wireshark Dscp Filter

If you’re looking for all packets with a specific DSCP value you can use:

ip.dsfield.dscp == value

This is like saying, “there exists a field named ip.dsfield.dscp whose value is value.” DSCP is the upper six bits of the IP TOS/DS byte, and the filter takes the numeric code point, e.g. ip.dsfield.dscp == 46 for Expedited Forwarding (EF). Note the spelling: dsfield, not dsfiled.

Wireshark Email Filter

smtp

imap

pop

The smtp, imap, and pop filters will get you close when dealing with traditional email traffic. If you’re working with another email type, encrypted email, or a nonstandard port, you’ll have to filter for the ports you’re using: 587 and 465 for mail submission (STARTTLS and implicit TLS respectively), 993 for IMAPS and 995 for POP3S. Once a connection has switched to TLS, the rest of it shows up as tls rather than as the mail protocol.

Wireshark Ftp Filter

ftp

This covers the control channel on port 21. The transferred files travel on a separate data connection, which is ftp-data; in passive mode it uses a port negotiated on the control channel, so a port-based filter has to be adjusted per transfer.

Wireshark Hostname Filter

To make hostname filters work you need to enable name resolution under View -> Name Resolution -> Resolve Network Addresses (it is off by default, and enabling it makes the analysis machine issue reverse DNS lookups for the addresses in the capture, which is worth a thought when the capture is sensitive). Then you can use the filter:

ip.host == "hostname"

Note the double == and the quotes around the name. ip.host matches the resolved name of either the source or the destination; ip.src_host and ip.dst_host match one side only. If you only care about the lookups themselves, dns.qry.name == "hostname" works on the DNS packets without any resolution enabled.

Wireshark IPv6 Filter

ipv6.addr == 2001:db8::1

The ipv6 fields take an IPv6 address; an IPv4 address such as 10.2.54.5 is rejected here. A prefix works as well, e.g. ipv6.addr == 2001:db8::/32, and ipv6.src / ipv6.dst split source and destination just as the ip fields do.

Wireshark Kerberos Filter

kerberos

This matches Kerberos v5. Individual messages can be picked out with kerberos.msg_type (10 AS-REQ, 11 AS-REP, 12 TGS-REQ, 13 TGS-REP, 30 KRB-ERROR), the client principal is in kerberos.CNameString, and port 88 is the fallback. If you’re dealing with Kerberos v4, which is rare today, the dissector in current versions is named krb4:

krb4

Wireshark ldap Filter

ldap

You could also filter for port 389 since that’s the most common LDAP port; LDAPS uses 636, and against Active Directory the global catalog listens on 3268 (3269 with TLS). The ldap filter only decodes what isn’t wrapped in TLS, so it won’t match LDAPS traffic.

Wireshark Mac Address Filter

eth.addr == 00:70:f4:23:18:c4

Wireshark Malformed Packet Filter

_ws.malformed

This will show all packets the dissectors flagged as malformed. Current versions name the field _ws.malformed; malformed is the name from releases before 1.12, so if your version rejects it use the prefixed form. Malformed packets are worth a look during an incident, since they are where crafted input and dissector edge cases show up, but most of the time they are just truncated captures or traffic on a port that Wireshark is decoding as the wrong protocol.

Wireshark RST Filter

tcp.flags.reset == 1

Wireshark Skype Filter

This one isn’t so simple, since the protocol is proprietary. See the Skype page on the Wireshark wiki.

Wireshark SSID Filter

wlan.ssid == "SSID"

Replace SSID with the network name, in quotes. Like the beacon filter above this only works on captures that include the 802.11 headers, and the SSID appears in beacons, probe requests and probe responses rather than in every frame of the network.

Wireshark NTP Filter

udp.port == 123

Since NTP typically uses UDP port 123 you can simply filter for that port; ntp also works as a protocol filter if you only want the packets the NTP dissector decoded. If your time server uses a different port or uses TCP then adjust the filter accordingly.

That’s it for now. I plan to continually revisit this article to add more detail and explanation to each filter as time permits so it can become a Wireshark Display Filter Cheat Sheet of sorts. So, consider this a work in progress.
