[REFERENCE] Wireshark Display Filters 💻

Wirechark has some comprehensive packet filtering capabilities, and display filters let you utilize these multi-pass packet processing capabilities. This goes far beyond just filtering based on IP, port and protocol.

Essential Links:

• Getting Started Guide: https://www.maketecheasier.com/use-display-filters-in-wireshark/
• Basic Filter Syntax: https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
• Full Display Filter Docs: https://www.wireshark.org/docs/dfref/
• Full Protocol References: https://wiki.wireshark.org/ProtocolReference

You can debug filters using the dftest command

Cheat Sheet

I created this list from the Wiki, to be a Ctrl + F personal reference to common display filters

Operators

• eq or ==
• ne or !=
• gt or >
• lt or <
• ge or >=
• le or <=

Logic

• and or && - Logical AND
• or or || - Logical OR
• xor or ^^ - Logical XOR
• not or ! - Logical NOT
• [n] […] - Sub-String Operator

Ethernet

• eth.addr
• eth.dst
• eth.ig
• eth.len
• eth.lg
• eth.multicast
• eth.src
• eth.trailer
• eth.type

IEEE 802.1Q

• vlan.cfi
• vlan.etype
• vlan.id
• vlan.len
• vlan.priority
• `vlan.trailer

IPv4

• ip.addr
• ip.checksum_bad
• ip.checksum_good
• ip.checksum
• ip.dsfield.ce
• ip.dsfield.dscp
• ip.dsfield.ect
• ip.dsfield
• ip.dst_host
• ip.dst
• ip.flags.df
• ip.flags.mf
• ip.flags.rb
• ip.flags
• ip.frag_offset
• ip.fragment.error
• ip.fragment.multipletails
• ip.fragment.overlap.conflict
• ip.fragment.overlap
• ip.fragment.toolongfragment
• ip.fragment
• ip.fragments
• ip.hdr_len
• ip.host
• ip.id
• ip.len
• ip.proto
• ip.reassembled_in
• ip.src_host
• ip.src
• ip.tos.cost
• ip.tos.delay
• ip.tos.precedence
• ip.tos.reliability
• ip.tos.throughput
• ip.tos
• ip.ttl
• ip.version

IPv6

• ipv6.addr
• ipv6.class
• ipv6.dst_host
• ipv6.dst_opt
• ipv6.dst
• ipv6.flow
• ipv6.fragment.error
• ipv6.fragment.id
• ipv6.fragment.more
• ipv6.fragment.multipletails
• ipv6.fragment.offset
• ipv6.fragment.overlap.conflict
• ipv6.fragment.overlap
• ipv6.fragment.toolongfragment
• ipv6.fragment
• ipv6.fragments
• ipv6.hlim
• ipv6.hop_opt
• ipv6.host
• ipv6.mipv6_home_address
• ipv6.mipv6_length
• ipv6.mipv6_type
• ipv6.nxt
• ipv6.opt.pad1
• ipv6.opt.padn
• ipv6.plen
• ipv6.reassembled_in
• ipv6.routing_hdr.addr
• ipv6.routing_hdr.left
• ipv6.routing_hdr.type
• ipv6.routing_hdr
• ipv6.src_host
• ipv6.src
• ipv6.version

ARP

• arp.dst.hw_mac
• arp.dst.proto_ipv4
• arp.hw.size
• arp.hw.type
• arp.opcode
• arp.proto.size
• arp.proto.type
• arp.src.hw_mac
• arp.src.proto_ipv4

TCP

• tcp.ack
• tcp.checksum_bad
• tcp.checksum_good
• tcp.checksum
• tcp.continuation_to
• tcp.dstport
• tcp.flags.ack
• tcp.flags.cwr
• tcp.flags.ecn
• tcp.flags.fin
• tcp.flags.push
• tcp.flags.reset
• tcp.flags.syn
• tcp.flags.urg
• tcp.flags
• tcp.hdr_len
• tcp.len
• tcp.nxtseq
• tcp.options.cc
• tcp.options.ccecho
• tcp.options.ccnew
• tcp.options.echo_reply
• tcp.options.echo
• tcp.options.md5
• tcp.options.mss_val
• tcp.options.mss
• tcp.options.qs
• tcp.options.sack_le
• tcp.options.sack_perm
• tcp.options.sack_re
• tcp.options.sack
• tcp.options.time_stamp
• tcp.options.wscale_val
• tcp.options.wscale
• tcp.options
• tcp.pdu.last_frame
• tcp.pdu.size
• tcp.pdu.time
• tcp.port
• tcp.reassembled_in
• tcp.segment.error
• tcp.segment.multipletails
• tcp.segment.overlap.conflict
• tcp.segment.overlap
• tcp.segment.toolongfragment
• tcp.segment
• tcp.segments
• tcp.seq
• tcp.srcport
• tcp.time_delta
• tcp.time_relative
• tcp.urgent_pointer
• tcp.window_size

UDP

• udp.checksum_bad
• udp.checksum_good
• udp.checksum
• udp.dstport
• udp.length
• udp.port
• udp.srcport

Frame Relay

• fr.becn
• fr.chdlctype
• fr.control.f
• fr.control.ftype
• fr.control.n_r
• fr.control.n_s
• fr.control.p
• fr.control.s_ftype
• fr.control.u_modifier_cmd
• fr.control.u_modifier_resp
• fr.control
• fr.cr
• fr.dc
• fr.de
• fr.dlci
• fr.dlcore_control
• fr.ea
• fr.fecn
• fr.lower_dlci
• fr.nlpid
• fr.second_dlci
• fr.snap.oui
• fr.snap.pid
• fr.snaptype
• fr.third_dlci
• fr.upper_dlci

ICMPv6

• icmpv6.all_comp
• icmpv6.checksum_bad
• icmpv6.checksum
• icmpv6.code
• icmpv6.comp
• icmpv6.haad.ha_addrs
• icmpv6.identifier
• icmpv6.option.cga
• icmpv6.option.length
• icmpv6.option.name_type.fqdn
• icmpv6.option.name_type
• icmpv6.option.name_x501
• icmpv6.option.rsa.key_hash
• icmpv6.option.type
• icmpv6.option
• icmpv6.ra.cur_hop_limit
• icmpv6.ra.reachable_time
• icmpv6.ra.retrans_timer
• icmpv6.ra.router_lifetime
• icmpv6.recursive_dns_serv
• icmpv6.type

PPP

• ppp.address
• ppp.control
• ppp.direction
• ppp.protocol

RIP

• rip.auth.passwd
• rip.auth.type
• rip.command
• rip.family
• rip.ip
• rip.metric
• rip.netmask
• rip.next_hop
• rip.route_tag
• rip.routing_domain
• rip.version

MPLS

• mpls.bottom
• mpls.cw.control
• mpls.cw.res
• mpls.exp
• mpls.label
• mpls.oam.bip16
• mpls.oam.defect_location
• mpls.oam.defect_type
• mpls.oam.frequency
• mpls.oam.function_type
• mpls.oam.ttsi
• mpls.ttl

BGP

• bgp.aggregator_as
• bgp.aggregator_origin
• bgp.as_path
• bgp.cluster_identifier
• bgp.cluster_list
• bgp.community_as
• bgp.community_value
• bgp.local_pref
• bgp.mp_nlri_tnl_id
• bgp.mp_reach_nlri_ipv4_prefix
• bgp.mp_unreach_nlri_ipv4_prefix
• bgp.multi_exit_disc
• bgp.next_hop
• bgp.nlri_prefix
• bgp.origin
• bgp.originator_id
• bgp.type
• bgp.withdrawn_prefix

ICMP

• icmp.checksum_bad
• icmp.checksum
• icmp.code
• icmp.ident
• icmp.mtu
• icmp.redir_gw
• icmp.seq
• icmp.type

DTP

• dtp.neighbor
• dtp.tlv_len
• dtp.tlv_type
• dtp.version
• vtp.neighbor

VTP

• vtp.code
• vtp.conf_rev_num
• vtp.followers
• vtp.md5_digest
• vtp.md_len
• vtp.md
• vtp.seq_num
• vtp.start_value
• vtp.upd_id
• vtp.upd_ts
• vtp.version
• vtp.vlan_info.802_10_index
• vtp.vlan_info.isl_vlan_id
• vtp.vlan_info.len
• vtp.vlan_info.mtu_size
• vtp.vlan_info.status.vlan_susp
• vtp.vlan_info.tlv_len
• vtp.vlan_info.tlv_type
• vtp.vlan_info.vlan_name_len
• vtp.vlan_info.vlan_name
• vtp.vlan_info.vlan_type

HTTP

• http.accept_encoding
• http.accept_language
• http.accept
• http.authbasic
• http.authorization
• http.cache_control
• http.connection
• http.content_encoding
• http.content_length
• http.content_type
• http.cookie
• http.date
• http.host
• http.last_modified
• http.location
• http.notification
• http.proxy_authenticate
• http.proxy_authorization
• http.proxy_connect_host
• http.proxy_connect_port
• http.referer
• http.request.method
• http.request.uri
• http.request.version
• http.request
• http.response.code
• http.response
• http.server
• http.set_cookie
• http.transfer_encoding
• http.user_agent
• http.www_authenticate
• http.x_forwarded_for

Example Usage

(Adapted from Chris Greer's Blog Post)

• ip.addr == 10.0.0.1 - Sets a filter for any packet with 10.0.0.1, as either the source or dest
  
• ip.addr==10.0.0.1 && ip.addr==10.0.0.2 - sets a conversation filter between the two defined IP addresses
• tcp.time_delta > .250 - sets a filter to display all tcp packets that have a delta time of greater than 250mSec in the context of their stream
• tcp.port==4000 - Sets a filter for any TCP packet with 4000 as a source or dest port
• tcp.flags == 0x012 - Displays all TCP SYN/ACK packets - shows the connections that had a positive response. Related to this is tcp.flags.syn==1
• ip.addr == 10.0.0.0/24 - Shows packets to and from any address in the 10.0.0.0/24 space
• frame contains traffic - Displays all packets that contain the word ‘traffic’. Excellent when searching on a specific string or user ID
• !(arp or icmp or stp) - Masks out arp, icmp, stp, or whatever other protocols may be background noise. Allowing you to focus on the traffic of interest
• eth[0x47:2] == 01:80 - This is an example of an offset filter. It sets a filter for the HEX values of 0x01 and 0x80 specifically at the offset location of 0x47
• tcp.analysis.flags && !tcp.analysis.window_update - Displays all retransmissions, duplicate acks, zero windows, and more in the trace. Helps when tracking down slow application performance and packet loss. It will not include the window updates, since these aren't really important for me to see in most cases