[Wireshark] Display filter expression syntax tips

Wireshark's display filter expression syntax is very useful. A display filter is applied to packets that have already been captured and decoded (live or from a saved capture file), and the packet list then shows only the packets that match the expression. It is a powerful option, but not the most beginner-friendly one: the filter dialog is easier at first, but once you are used to typing expressions you will not go back to the dialog. Note that display filters are not capture filters: capture filters use the libpcap/BPF syntax (host, net, port) and are applied while capturing, whereas display filters use Wireshark's own field names (ip.addr, tcp.port, frame.len) and are applied afterwards. Here is a collection of the expression syntax options that are used most frequently.

Comparison Operator

Operator   Alias   Description
==         eq      Equal to
!=         ne      Not equal to
<          lt      Less than
>          gt      Greater than
<=         le      Less than or equal to
>=         ge      Greater than or equal to

A field that occurs more than once in a packet (ip.addr stands for both ip.src and ip.dst) satisfies == when any occurrence equals the value. Since Wireshark 3.6, != is true only when no occurrence equals the value, so ip.addr != 192.168.1.1 really does hide every packet involving that address; older releases treated it as "any occurrence differs", which hid almost nothing. A comparison on a field the packet does not have is simply false.


Logical Operator

Operator   Symbol   Description
and        &&       Both expressions must be true
or         ||       At least one of the expressions must be true
xor        ^^       Exactly one of the expressions must be true
not        !        Negates the single expression that follows it: true when that expression is false

The keywords are lower-case (AND, OR and NOT are not accepted). not binds tightest, then and, then xor, then or, so "arp or tcp and http" means "arp or (tcp and http)"; use parentheses when in doubt.


!dns = Filter out all DNS traffic in the capture window (same as "not dns")

!arp = Filter out all ARP packets in the capture window

!icmp = Filter out all ICMP packets in the capture window

frame.len <= 128 = Show only packets of 128 bytes or less (frame.pkt_len is the old name of this field; current releases use frame.len)

ip.addr==192.168.1.1 = Show all packets with 192.168.1.1 as source or destination IP address

ip.addr==192.168.0.1 or ip.addr==192.168.0.2 = Show packets involving either IP address

eth.dst.ig == 0 = Show only unicast traffic (the group bit of the destination MAC address is clear). "not multicast and not broadcast" is capture filter (BPF) syntax and is rejected in the display filter bar

ip.addr==203.0.113.10 = Show all traffic from/to www.ipBalance.com, where 203.0.113.10 is a placeholder for the address the name resolves to. Display filters match on fields, not host names: "host www.ipBalance.com" is capture filter syntax and is not accepted as a display filter

ip.addr==203.0.113.10 and not tcp.port==80 = Same as above, but without web (port 80) traffic; "and not (port 80)" is likewise capture filter syntax

ip.dst==192.168.1.1 = Show all traffic destined to 192.168.1.1

ip.src==172.138.1.1 = Show all traffic sourced from 172.138.1.1
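To make the operator rules concrete, here is a small Python evaluator for the display filter subset used on this page, run over a constructed five-frame "capture". This is example code added here; it is not Wireshark's own filter engine (Wireshark compiles display filters in its C dfilter library, which knows every registered field). The packet records, addresses and port numbers are made up, and a protocol counts as present when its name appears as a key or as a field prefix. The example shows why ip.addr matches either direction, what "!=" means in Wireshark 3.6 and later, how not binds tighter than and, which binds tighter than xor and or, and that capture filter syntax such as "host www.ipBalance.com" is a syntax error in a display filter.

```python
"""Toy evaluator for the display-filter subset used on this page. Added for
illustration; it is NOT Wireshark's dfilter engine. It shows precedence
(not > and > xor > or), any-match ==, all-differ != and presence tests."""
import re

# Constructed sample capture (not a real trace). A key "x" or a field "x.*" means protocol x is present.
SAMPLE_CAPTURE = [
    {"frame.len": 60, "eth.dst.ig": 1, "arp": True},
    {"frame.len": 74, "eth.dst.ig": 0, "ip.src": "192.168.1.10", "ip.dst": "8.8.8.8", "udp.port": [51000, 53], "dns": True},
    {"frame.len": 98, "eth.dst.ig": 0, "ip.src": "192.168.1.10", "ip.dst": "192.168.1.1", "icmp": True},
    {"frame.len": 1514, "eth.dst.ig": 0, "ip.src": "192.168.1.10", "ip.dst": "192.168.0.1", "tcp.port": [44321, 80], "http": True},
    {"frame.len": 66, "eth.dst.ig": 0, "ip.src": "192.168.0.2", "ip.dst": "192.168.1.20", "tcp.port": [443, 50000]},
]
KEYWORDS = {"and": "&&", "or": "||", "xor": "^^", "not": "!"}  # word forms -> symbol forms
COMPARISONS = {"==", "!=", "<", ">", "<=", ">="}
ALIASES = {"ip.addr": ("ip.src", "ip.dst")}  # ip.addr means source OR destination
LEVELS = ("||", "^^", "&&")                  # binary operators, loosest-binding first
TOKEN_RE = re.compile(r"\(|\)|==|!=|<=|>=|<|>|&&|\|\||\^\^|!|[A-Za-z_][\w.]*|\d+(?:\.\d+)*|\S")


def tokenize(expr):
    return [KEYWORDS.get(t, t) for t in TOKEN_RE.findall(expr)]


def parse(tokens):
    """Recursive descent; consumes the token list. Grammar: or < xor < and < not < atoms."""
    peek = lambda: tokens[0] if tokens else None
    take = lambda: tokens.pop(0) if tokens else None

    def binary(level):                  # one recursion level per binary-operator level
        if level == len(LEVELS):
            return unary()
        left = binary(level + 1)
        while peek() == LEVELS[level]:
            left = (take(), left, binary(level + 1))
        return left

    def unary():
        if peek() == "!":               # not binds tightest and negates ONE operand
            take()
            return ("!", unary())
        tok = take()
        if tok == "(":
            node = binary(0)
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or not (tok[0].isalpha() or tok[0] == "_"):
            raise ValueError(f"expected a field or protocol name, got {tok!r}")
        if peek() in COMPARISONS:
            op, rhs = take(), take()
            if rhs is None:
                raise ValueError(f"missing value after {op!r}")
            return ("cmp", tok, op, rhs)
        return ("exists", tok)          # bare name: is that protocol or field present?

    tree = binary(0)
    if tokens:                          # e.g. capture-filter syntax such as "host x" or "port 80"
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return tree


def compare(pkt, name, op, rhs):
    want = int(rhs) if rhs.isdigit() else rhs
    vals = []
    for concrete in ALIASES.get(name, (name,)):
        v = pkt.get(concrete)
        vals += v if isinstance(v, list) else [] if v is None else [v]
    vals = [v for v in vals if type(v) is type(want)]
    if not vals:
        return False                    # field absent: no comparison can match
    if op == "!=":                      # Wireshark 3.6+: true only if ALL occurrences differ
        return all(v != want for v in vals)
    test = {"==": lambda v: v == want, "<": lambda v: v < want, ">": lambda v: v > want,
            "<=": lambda v: v <= want, ">=": lambda v: v >= want}[op]
    return any(test(v) for v in vals)   # otherwise ANY occurrence satisfying it matches


def evaluate(node, pkt):
    kind = node[0]
    if kind == "exists":
        return node[1] in pkt or any(k.startswith(node[1] + ".") for k in pkt)
    if kind == "cmp":
        return compare(pkt, node[1], node[2], node[3])
    if kind == "!":
        return not evaluate(node[1], pkt)
    a, b = evaluate(node[1], pkt), evaluate(node[2], pkt)
    return {"&&": a and b, "||": a or b, "^^": a != b}[kind]


def apply_filter(expr, capture):
    """Return the 1-based frame numbers that the display filter keeps."""
    tree = parse(tokenize(expr))
    return [n for n, pkt in enumerate(capture, 1) if evaluate(tree, pkt)]


if __name__ == "__main__":
    for f in ("!dns", "ip.addr == 192.168.1.10 and not (tcp.port == 80)", "tcp xor http", "arp or tcp and http"):
        print(f"{f:50} -> frames {apply_filter(f, SAMPLE_CAPTURE)}")
```

Running it keeps frames 1, 3, 4 and 5 for "!dns", frames 2 and 3 for the "and not (tcp.port == 80)" filter (frame 4 carries port 80), frame 5 alone for "tcp xor http" (frame 4 has both), and frames 1 and 4 for "arp or tcp and http" because and binds before or. Feeding it "host www.ipBalance.com" raises a ValueError at the second token, which is the same verdict Wireshark gives when the filter bar turns red.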


more to come


Ref: Display filter reference, http://www.wireshark.org/docs/dfref/
