aboutsummaryrefslogtreecommitdiffstats
path: root/help/display_filters.txt
blob: 28303ff04ef08c41a898e9abbb72f3f3a136283c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
Filtering packets while viewing
-------------------------------
After capturing packets or loading some network traffic from a file, Wireshark will display the packet data immediately on the screen.

Using display filters, you can choose which packets should (not) be shown on the screen. This is useful to reduce the "noise" usually on the network, showing only the packets you want to. So you can concentrate on the things you are really interested in. 

The display filter will not affect the data captured, it will only select which packets of the captured data are displayed on the screen.

Every time you change the filter string, all packets will be reread from the capture file (or from memory), and processed by the display filter "machine". Packet by packet, this "machine" is asked, if this particular packet should be shown or not.

Wireshark offers a very powerful display filter language for this. It can be used for a wide range of purposes, from simply: "show only packets from a specific IP address", or on the other hand, to very complex filters like: "find all packets where a special application specific flag is set".

Note: This display filter language is different from the one used for the Wireshark capture filters!

-------------------------------------------------

Some common examples
--------------------
Example Ethernet: display all traffic to and from the Ethernet address 08.00.08.15.ca.fe

eth.addr==08.00.08.15.ca.fe

Example IP: display all traffic to and from the IP address 192.168.0.10

ip.addr==192.168.0.10

Example TCP: display all traffic to and from the TCP port 80 (http) of all machines

tcp.port==80

Examples combined: display all traffic to and from 192.168.0.10 except http

ip.addr==192.168.0.10 && tcp.port!=80

Beware: The filter string builds a logical expression, which must be true to show the packet. The && is a "logical and", "A && B" means: A must be true AND B must be true to show the packet (it doesn't mean: A will be shown AND B will be shown). 

-------------------------------------------------

Hint
----
Filtering can lead to side effects, which are sometimes not obvious at first sight. Example: If you capture TCP/IP traffic with the primitive "ip", you will not see the ARP traffic belonging to it, as this is a lower protocol layer than IP!