Wireshark Capture Filters


1. CAPTURE FILTERS
2. DISPLAY FILTERS

1. CAPTURE FILTERS

The capture filter syntax is the same as the one used by programs based on the libpcap (Linux) or
WinPcap (Windows) library, such as the well-known tcpdump. The capture filter must be set before
launching the Wireshark capture, whereas display filters can be modified at any time during
the capture.

The steps to configure a capture filter are the following:

- Select Capture -> Options.
- Fill in the "Capture Filter" field, or click on the "Capture Filter" button to give your
filter a name so it can be reused for subsequent captures.
- Click on Start to capture data.

Syntax:   Protocol | Direction | Host(s)  | Value | Logical Operations | Other expression
Example:  tcp      | dst       | 10.1.1.1 | 80    | and                | tcp dst 10.2.2.2 3128

Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all the protocols are used.

Direction:
Values: src, dst, src and dst, src or dst
If no source or destination is specified, the "src or dst" keywords are applied.
For example, "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".

Host(s):
Values: net, port, host, portrange.
If no host(s) is specified, the "host" keyword is used.
For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1".

Logical Operations:
Values: not, and, or.
Negation ("not") has the highest precedence. Alternation ("or") and concatenation ("and")
have equal precedence and associate left to right.
For example, "not tcp port 3128 and tcp port 23" is equivalent to
"(not tcp port 3128) and tcp port 23", and is NOT equivalent to
"not (tcp port 3128 and tcp port 23)".

Examples:

tcp dst port 3128

Displays packets with destination TCP port 3128.

ip src host 10.1.1.1

Displays packets with source IP address equal to 10.1.1.1.

host 10.1.2.3

Displays packets with source or destination IP address equal to 10.1.2.3.

src portrange 2000-2500

Displays packets with source UDP or TCP ports in the 2000-2500 range.

not icmp

Displays everything except ICMP packets (ICMP is typically used by the ping tool).

src host 10.7.2.12 and not dst net 10.200.0.0/16

Displays packets with source IP address equal to 10.7.2.12 and, at the same time, a
destination IP address outside the network 10.200.0.0/16.

(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8

Displays packets with source IP address 10.4.1.12 or source network 10.6.0.0/16; the result is
then combined ("and") with packets having a destination TCP port in the range 200 to 10000 and
a destination IP network of 10.0.0.0/8.

Notes:

The backslash "\" sign is used when a keyword is used as a value.


"ether proto \ip" (is equivalent to "ip").
This will target IP protocols.

"ip proto \icmp" (is equivalent to "icmp").


This will target icmp pakets typically used by the ping utility.

The "multicast" and "broadcast" keywords can also be used after "ip" or "ether".
"not broadcast" is useful when you want to exclude broadcast requests.

Check the tcpdump man page for information about the capture filter syntax.
Other capture filter examples can be found on the Wireshark wiki.


2. DISPLAY FILTERS:

The display filter is used to search inside captured data obtained with a capture filter.
Its search capabilities are more extensive than those of the capture filter, and it is not
necessary to restart the capture when you need to change your filter.

Syntax:   Protocol | . | String1 | . | String2 | Comparison operator | Value    | Logical Operations | Other expression
Example:  ftp      | . | passive | . | ip      | ==                  | 10.2.3.4 | xor                | icmp.type

Protocol:
A large number of protocols, located between layers two and seven of the OSI model, are
available. They can be seen when you click on the "Expression..." button in the main screen.
Some examples are: IP, TCP, DNS, SSH.

The supported protocols, each with a short description, can also be consulted on the
Wireshark website, which provides explanations about protocols and their sub-categories.

String1, String2 (Optional settings):

Sub-protocol categories inside the protocol.
To find them, look for a protocol and then click on the "+" character.

Comparison operators:

Six comparison operators are available:

English format:  C-like format:  Meaning:

eq               ==              Equal
ne               !=              Not equal
gt               >               Greater than
lt               <               Less than
ge               >=              Greater or equal
le               <=              Less or equal

Logical expressions:

English format:  C-like format:  Meaning:

and              &&              Logical AND
or               ||              Logical OR
xor              ^^              Logical XOR
not              !               Logical NOT

The logical "XOR" expression, well known to programmers, is used as an exclusive
alternation. When used between two conditions in a filter, a packet is displayed
only if exactly one of the two conditions is fulfilled, not both (unlike the "OR" expression).
Let's take an example with the following display filter:
"tcp.dstport == 80 xor tcp.srcport == 1025"
Only packets with TCP destination port 80 or TCP source port 1025 (but not both!) will be
displayed on the screen as the result.

Example:

snmp || dns || icmp

Displays SNMP, DNS or ICMP traffic.


ip.addr == 10.1.1.1

Displays the packets with source or destination IP address equal to 10.1.1.1.

ip.src != 10.1.2.3 or ip.dst != 10.4.5.6

Displays the packets with a source IP address different from 10.1.2.3 or with a destination IP
different from 10.4.5.6.
In other words, the displayed packets will have:
Source IP address: anything but 10.1.2.3, destination IP address: anything
and
Source IP address: anything, destination IP address: anything but 10.4.5.6

ip.src != 10.1.2.3 and ip.dst != 10.4.5.6

Displays the packets with source IP different from 10.1.2.3 and, at the same time, with
destination IP different from 10.4.5.6.
In other words, the displayed packets will have:
Source IP address: anything but 10.1.2.3 and destination IP address: anything but 10.4.5.6

tcp.port == 25

Displays packets with TCP source or destination port 25.

tcp.dstport == 25

Displays packets with TCP destination port 25.

tcp.flags

Displays packets having TCP flags.

tcp.flags.syn == 0x02

Displays packets with the TCP SYN flag set.

If the filter syntax is correct, the filter field is highlighted in green; otherwise, if there is a
syntax mistake, it is highlighted in red.

Correct syntax

Wrong syntax
