Adjacent Node
Networking, explained. No BS.

Wireshark Display Filters

What It Is

Wireshark display filters control which packets are shown after capture. They do not reduce what was captured. Use display filters to isolate a conversation, protocol, error, retransmission, handshake, DNS name, VLAN, WLAN frame, or TCP stream while keeping the original packet evidence intact.

Modern note: Capture filters and display filters are different languages. tcp port 443 is a capture filter. tcp.port == 443 is a Wireshark display filter.

Operators

Operator   Alias   Meaning                  Example
==         eq      Equal                    ip.addr == 10.0.0.10
!=         ne      Not equal                tcp.port != 22
>          gt      Greater than             frame.len > 1500
<          lt      Less than                tcp.len < 100
>=         ge      Greater or equal         ip.ttl >= 64
<=         le      Less or equal            tcp.window_size <= 1024
contains   (none)  Contains bytes or text   dns.qry.name contains "example"
matches    ~       Regex match              http.host matches "example\.com"
in         (none)  Set membership           tcp.port in {80, 443, 8443}
and        &&      Logical AND              ip.addr == 10.0.0.10 and tcp
or         ||      Logical OR               dns or arp
not        !       Logical NOT              not arp

Watch out: A Boolean field exists in the packet whether or not its bit is set, so a bare field name such as tcp.flags.syn matches every TCP segment. For TCP flags, always compare explicitly, for example tcp.flags.syn == 1.

Core Fields

Layer      Useful Fields
Frame      frame.number, frame.time, frame.len, frame.protocols
Ethernet   eth.addr, eth.src, eth.dst, eth.type
VLAN       vlan.id, vlan.priority, vlan.etype
ARP        arp.opcode, arp.src.proto_ipv4, arp.dst.proto_ipv4, arp.src.hw_mac
IPv4       ip.addr, ip.src, ip.dst, ip.ttl, ip.proto, ip.dsfield.dscp
IPv6       ipv6.addr, ipv6.src, ipv6.dst, ipv6.nxt, ipv6.hlim
ICMP       icmp.type, icmp.code
ICMPv6     icmpv6.type, icmpv6.code (neighbor discovery is icmpv6.type 133 through 137; the filter name ndp is the Nortel Discovery Protocol, not IPv6 ND)
TCP        tcp.port, tcp.srcport, tcp.dstport, tcp.flags, tcp.stream
UDP        udp.port, udp.srcport, udp.dstport, udp.length
DNS        dns.qry.name, dns.a, dns.aaaa, dns.flags.rcode
TLS        tls, tls.handshake, tls.handshake.extensions_server_name
HTTP       http.request, http.response, http.host, http.request.uri
WLAN       wlan, wlan.sa, wlan.da, wlan.bssid, wlan.fc.type_subtype

Everyday Filters

Goal                          Display Filter
Host traffic                  ip.addr == 10.0.0.10
Two hosts                     ip.addr == 10.0.0.10 and ip.addr == 10.0.0.20
IPv6 host                     ipv6.addr == 2001:db8::10
Subnet                        ip.addr == 10.0.20.0/24
TCP or UDP port               tcp.port == 443 or udp.port == 443
DNS queries                   dns.flags.response == 0
DNS failures                  dns.flags.rcode != 0
ARP                           arp
VLAN ID                       vlan.id == 20
TCP stream                    tcp.stream == 4
HTTP requests                 http.request
TLS handshakes                tls.handshake
QUIC                          quic or udp.port == 443
DHCPv4                        dhcp (bootp on Wireshark releases before 3.0)
DHCPv6                        dhcpv6
ICMPv6 neighbor discovery     icmpv6.type >= 133 and icmpv6.type <= 137

TCP Analysis Filters

Goal                     Display Filter
SYN packets              tcp.flags.syn == 1 and tcp.flags.ack == 0
SYN/ACK packets          tcp.flags.syn == 1 and tcp.flags.ack == 1
Resets                   tcp.flags.reset == 1
FIN packets              tcp.flags.fin == 1
Retransmissions          tcp.analysis.retransmission
Fast retransmissions     tcp.analysis.fast_retransmission
Duplicate ACKs           tcp.analysis.duplicate_ack
Zero window              tcp.analysis.zero_window
Window updates           tcp.analysis.window_update
Out of order             tcp.analysis.out_of_order
Lost segment warning     tcp.analysis.lost_segment
TCP payload              tcp.len > 0

Watch out: TCP analysis flags are Wireshark interpretations. They are useful clues, not proof by themselves. Always check sequence numbers, timing, and capture position.

Wireless Filters

Goal                     Display Filter
All 802.11               wlan
Management frames        wlan.fc.type == 0
Control frames           wlan.fc.type == 1
Data frames              wlan.fc.type == 2
Beacon frames            wlan.fc.type_subtype == 8
Probe requests           wlan.fc.type_subtype == 4
Probe responses          wlan.fc.type_subtype == 5
Authentication           wlan.fc.type_subtype == 11
Association requests     wlan.fc.type_subtype == 0
Deauthentication         wlan.fc.type_subtype == 12
Disassociation           wlan.fc.type_subtype == 10
BSSID                    wlan.bssid == aa:bb:cc:dd:ee:ff
Station address          wlan.addr == aa:bb:cc:dd:ee:ff

Modern note: Useful WLAN packet analysis usually requires monitor mode and the right channel. A normal client capture often misses management frames and other clients.

Workflow

  • Start with a broad display filter like ip.addr == 10.0.0.10.
  • Add the protocol or port once the conversation is visible.
  • Use packet details to right-click fields and apply them as filters.
  • Follow TCP stream only after you know the stream is relevant.
  • Use time display settings that match logs.
  • Save filtered packet sets only as derived evidence. Keep the original pcap unchanged.

Cisco IOS/IOS-XE Examples

Use Wireshark display filters after exporting embedded captures from routers, switches, firewalls, or wireless controllers.

monitor capture buffer CAP-BUF export flash:issue.pcap

Typical post-export filters:

ip.addr == 10.0.0.10 and tcp.port == 443
dns.qry.name contains "adjacentnode"
tcp.analysis.retransmission or tcp.analysis.zero_window

Notes:

  • Cisco capture filters limit what is captured. Wireshark display filters limit what you see afterward.
  • Export the pcap before clearing capture buffers.
  • Keep platform time synchronized so packet timestamps line up with logs.

Troubleshooting

Symptom                                         Check                                       Likely Cause
Filter returns nothing                          Field name, protocol decode, capture point  Wrong field or traffic not captured
Capture filter works but display filter fails   Syntax language                             BPF used in display filter bar
TLS hides payload                               SNI, cert, IPs, timing                      Encryption working as designed
DNS name not visible                            DoH, DoT, cache, encrypted client           DNS not in plaintext capture
TCP errors look severe                          Capture point, offload, packet loss         Local capture artifact or real loss
Wireless frames missing                         Monitor mode, channel, adapter support      Capture setup issue

Watch Out

  • Do not filter away evidence too early.
  • Do not confuse ip.addr == A and ip.addr == B with impossible source and destination logic. It means both addresses appear in the packet.
  • Do not assume HTTP fields exist inside HTTPS.
  • Do not rely on display filters to sanitize sensitive data.
  • Do not ignore capture location. Client-side, server-side, and SPAN captures tell different stories.
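As an added example (not from this page, and not Wireshark's own filter engine), the following Python script parses a small constructed pcap by hand and evaluates four of the filters above with the same semantics Wireshark applies. The results make two of the pitfalls above concrete: a bare Boolean field such as tcp.flags.syn matches every TCP segment, and ip.addr == A and ip.addr == B matches any packet carrying both addresses, in either direction. The names build_pcap, parse_pcap and apply_filter are this example's own; it assumes classic pcap (not pcapng) with Ethernet framing, IPv4 and TCP.

```python
import struct

SYN, ACK = 0x02, 0x10   # TCP flag bits that Wireshark exposes as tcp.flags.syn / tcp.flags.ack

def build_pcap(packets):
    """Constructed sample capture (not a real trace): packets are (src, dst, tcp_flags, payload)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, linktype 1 = Ethernet
    for src, dst, flags, payload in packets:
        tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip       # dst MAC, src MAC, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame   # per-packet record header
    return out

def parse_pcap(data):
    """Yield a dict of Wireshark-style field values for each Ethernet/IPv4/TCP record."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                            # skip the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if pkt[12:14] != b"\x08\x00" or pkt[23] != 6:  # keep only IPv4 (0x0800) carrying TCP (proto 6)
            continue
        ip = pkt[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total]
        yield {"ip.src": ".".join(map(str, ip[12:16])), "ip.dst": ".".join(map(str, ip[16:20])),
               "tcp.flags": tcp[13], "tcp.len": len(tcp) - (tcp[12] >> 4) * 4}

def ip_addr(p, a):
    """ip.addr == a: true when a is the source OR the destination of the packet."""
    return a in (p["ip.src"], p["ip.dst"])

FILTERS = {
    "tcp.flags.syn": lambda p: "tcp.flags" in p,                          # field present: every TCP segment
    "tcp.flags.syn == 1 and tcp.flags.ack == 0": lambda p: p["tcp.flags"] & SYN and not p["tcp.flags"] & ACK,
    "ip.addr == 10.0.0.10 and ip.addr == 10.0.0.20": lambda p: ip_addr(p, "10.0.0.10") and ip_addr(p, "10.0.0.20"),
    "tcp.len > 0": lambda p: p["tcp.len"] > 0,
}

def apply_filter(pcap, expr):
    """Return the frame numbers (1-based, like frame.number) that the named display filter matches."""
    return [n for n, p in enumerate(parse_pcap(pcap), 1) if FILTERS[expr](p)]

SAMPLE = build_pcap([("10.0.0.10", "10.0.0.20", SYN, b""),           # 1: client SYN
                     ("10.0.0.20", "10.0.0.10", SYN | ACK, b""),     # 2: server SYN/ACK
                     ("10.0.0.10", "10.0.0.20", ACK, b"GET"),        # 3: ACK with payload
                     ("10.0.0.10", "10.0.0.30", SYN, b"")])          # 4: SYN to a third host

if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:50} -> frames {apply_filter(SAMPLE, expr)}")
```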
