## Wireshark Display Filters

Filter the capture view by protocol field. These are display filters (applied after capture), not BPF capture filters.

| Protocol | Common fields |
|---|---|
| IP | ip.addr == 10.0.0.1 · ip.src · ip.dst · ip.proto · ip.ttl |
| TCP | tcp.port == 80 · tcp.flags.syn == 1 · tcp.analysis.retransmission |
| UDP | udp.port == 53 · udp.length |
| Ethernet | eth.addr · eth.src · eth.dst · eth.type |
| VLAN | vlan.id == 10 · vlan.priority |
| HTTP | http.request.method == "GET" · http.response.code == 404 · http.host |
| DNS | dns.qry.name · dns.flags.response == 1 |
| ICMP | icmp.type == 8 · icmp.code |
| ARP | arp.opcode == 1 · arp.src.proto_ipv4 |
// operators

| Operator | Meaning |
|---|---|
| == / != | equal / not equal |
| > < >= <= | comparisons |
| and / && | logical AND |
| or / \|\| | logical OR |
| not / ! | logical NOT |
| contains / matches | substring / regex |
// handy ready-made filters

| Filter | What it shows |
|---|---|
| http.request | Every outbound HTTP request |
| tls.handshake.type == 1 | TLS ClientHello (session starts) |
| tcp.flags.reset == 1 | Connections being reset |
| tcp.analysis.retransmission | Retransmits — loss / latency |
| dns.flags.response == 0 | DNS queries only |
| tcp.stream eq 0 | Isolate one TCP conversation |
| !(arp or stp or lldp) | Hide L2 background noise |
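To make the operator table and the ready-made filters above concrete, here is an added example, not part of the cheat sheet and not Wireshark's own code: a small Python model of how a display filter is parsed and evaluated against dissected packets. The `PACKETS` data is constructed for the example, and `tokenize`, `parse_binary`, `parse_not`, `parse_atom`, `coerce`, `compare`, `evaluate` and `apply_filter` are all this example's own names; only the field names and operator spellings come from the tables. It supports the forms listed above (`==`/`eq`, `!=`, `<` `>` `<=` `>=`, `and`/`&&`, `or`/`||`, `not`/`!`, `contains`, `matches`, parentheses, and a bare field or protocol name as a presence test) and models two details worth knowing when you read results: a multi-valued field such as `tcp.port` or `ip.addr` carries both ends of the conversation, so `tcp.port == 80` matches both directions, and since Wireshark 3.6 `a != b` means `!(a == b)`, so it is true only when no occurrence of the field equals `b`.

```python
import operator
import re

# Constructed sample "dissections" (not real captures): field name -> every value the
# field takes; a bare protocol name maps to [] (presence only). tcp.port/ip.addr hold BOTH ends.
PACKETS = [
    {"ip": [], "ip.addr": ["10.0.0.1", "10.0.0.2"], "tcp": [], "tcp.port": [51000, 80],
     "tcp.stream": [0], "http": [], "http.request": [], "http.host": ["example.test"]},
    {"ip": [], "ip.addr": ["10.0.0.1", "10.0.0.2"], "tcp": [], "tcp.port": [80, 51000],
     "tcp.stream": [0], "tcp.flags.reset": [1]},
    {"ip": [], "ip.addr": ["10.0.0.1", "10.0.0.53"], "udp": [], "udp.port": [40000, 53],
     "dns": [], "dns.qry.name": ["example.test"]},
    {"arp": [], "arp.opcode": [1]},
]

TOKEN = re.compile(r'(?P<punct>[()])|(?P<op>==|!=|>=|<=|>|<|&&|\|\||!)'
                   r'|"(?P<str>[^"]*)"|(?P<word>[\w.]+)|(?P<junk>\S)')
COMPARE_OPS = ("==", "eq", "!=", "ne", ">", "<", ">=", "<=", "contains", "matches")
ORDER = {">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}
BINARY = [(("word", "or"), ("op", "||")), (("word", "and"), ("op", "&&"))]  # low -> high

def tokenize(text):  # -> [(kind, value), ...]; whitespace between tokens is skipped
    toks = []
    for m in TOKEN.finditer(text):
        kind, value = m.lastgroup, m.group(m.lastgroup)
        if kind == "junk":
            raise ValueError(f"bad character {value!r} in filter")
        toks.append((kind, value))
    return toks + [("end", None)]  # sentinel: the parser can always look at toks[0]

def parse_binary(toks, level=0):  # level 0: or / ||, level 1: and / &&
    if level == len(BINARY):
        return parse_not(toks)
    left = parse_binary(toks, level + 1)
    while toks[0] in BINARY[level]:
        toks.pop(0)
        left = (BINARY[level][0][1], left, parse_binary(toks, level + 1))
    return left

def parse_not(toks):  # not / ! binds tighter than and / or
    if toks[0] in (("word", "not"), ("op", "!")):
        toks.pop(0)
        return ("not", parse_not(toks))
    return parse_atom(toks)

def parse_atom(toks):  # ( expr ) | field OP value | bare field
    kind, val = toks.pop(0)
    if (kind, val) == ("punct", "("):
        node = parse_binary(toks)
        if toks.pop(0) != ("punct", ")"):
            raise ValueError("missing ')'")
        return node
    if kind != "word":
        raise ValueError(f"expected a field name, got {val!r}")
    if toks[0][1] in COMPARE_OPS:
        op, (vkind, literal) = toks.pop(0)[1], toks.pop(0)
        if vkind not in ("word", "str"):
            raise ValueError(f"missing value after {op}")
        return ("cmp", op, val, literal)
    return ("has", val)  # bare field or protocol name: presence test

def coerce(literal, sample):  # read the literal as an int when the packet value is numeric
    try:
        return int(literal, 0) if isinstance(sample, int) else literal
    except ValueError:
        return literal

def compare(op, value, lit):
    if op in ("==", "eq"):
        return value == lit
    if op == "contains":
        return str(lit) in str(value)
    if op == "matches":
        return re.search(str(lit), str(value)) is not None
    return type(value) is type(lit) and ORDER[op](value, lit)  # no ordering across types

def evaluate(node, packet):
    kind = node[0]
    if kind in ("or", "and"):  # short-circuit: the right side runs only when it can matter
        left = evaluate(node[1], packet)
        return left if (kind == "or") == left else evaluate(node[2], packet)
    if kind == "not":
        return not evaluate(node[1], packet)
    if kind == "has":
        return node[1] in packet
    _, op, field, literal = node
    values = packet.get(field, [])
    if op in ("!=", "ne"):  # Wireshark >= 3.6: "a != b" is !(a == b), i.e. NO occurrence equals b
        return not any(v == coerce(literal, v) for v in values)
    return any(compare(op, v, coerce(literal, v)) for v in values)  # ANY occurrence matches

def apply_filter(text, packets=PACKETS):
    """Return the indexes of the packets a display filter keeps visible."""
    toks = tokenize(text)
    tree = parse_binary(toks)
    if toks[0] != ("end", None):
        raise ValueError(f"unexpected token {toks[0][1]!r}")
    return [i for i, pkt in enumerate(packets) if evaluate(tree, pkt)]
```

`apply_filter` returns the indexes of the constructed packets that stay visible, which is what a display filter does to the packet list (the others are hidden, not dropped). `apply_filter("tcp.port == 80")` keeps the request and the server's RST (both directions of the stream), `"!(arp or stp or lldp)"` keeps everything but the ARP frame, and `"ip.addr != 10.0.0.1"` keeps only the ARP frame, because every IP packet in the sample has 10.0.0.1 at one end; that last result is the one that surprises people who expect `!=` to mean "any end differs".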
// capture vs display filter

| | Capture (BPF) | Display |
|---|---|---|
| When | Before capture | After capture |
| Syntax | BPF (tcpdump-style) | Wireshark fields |
| Example | tcp port 443 | tcp.port == 443 |
| Effect | Drops unmatched packets | Hides them, keeps the file |
| Reversible | No — data is gone | Yes — just re-filter |
// analysis workflow
- Right-click a packet → Follow → TCP/HTTP/TLS Stream to rebuild a session
- Statistics → Conversations / Protocol Hierarchy for a quick overview
- Analyze → Expert Information flags retransmits, resets, warnings
- Use a capture (BPF) filter to keep huge captures small
- Coloring rules highlight resets, retransmits and errors automatically