Wireshark Display Filter Examples (Filter by Port, IP, Protocol)

by Himanshu Arora on July 23, 2012

While debugging a particular problem, you may sometimes have to analyze the protocol traffic leaving and entering your machine. Wireshark is one of the best tools for this purpose. In this article we will learn how to use Wireshark's display filters to narrow the captured traffic down to the packets you care about.

1. Download and Install Wireshark

Download Wireshark from here.

After downloading the executable, just click on it to install Wireshark.

2. Select an Interface and Start the Capture

Once you have opened Wireshark, first select the network interface to capture on. In most cases the machine is connected to only one network interface, but if there are several, select the one whose traffic you want to monitor.

From the menu, click on 'Capture -> Interfaces', which displays the list of available interfaces from which you start the capture.

3. Source IP Filter

A source filter restricts the packet list in Wireshark to only those packets whose source IP address matches the one given in the filter. The filter used in the example below is:

ip.src == 192.168.1.1

4. Destination IP Filter

A destination filter restricts the packet list in Wireshark to only those packets whose destination IP address matches the one given in the filter. For example:

ip.dst == 192.168.1.1

5. Filter by Protocol

It is very easy to filter for a particular protocol: just type the protocol name in the filter bar and press Enter. The example below filters the results for the HTTP protocol using this filter:

http

6. Using OR Condition in Filter

An OR filter shows the packets that match either one condition or the other.

Suppose you need to see packets that are either HTTP or ARP. Two separate filters cannot show both in one view, so the '||' operator ORs two conditions and displays packets matching either (or both) of them. The example below filters for HTTP or ARP packets using this filter:

http||arp

7. Applying AND Condition in Filter

An AND filter shows only the packets that satisfy all of the given conditions.

Suppose you need to see only those packets that are HTTP packets and have the source IP '192.168.1.4'. Use this filter:

http&&ip.src==192.168.1.4

8. Filter by Port Number

This can be done with the filter 'tcp.port eq [port-no]'. Note that tcp.port matches either the source or the destination port, so both directions of the conversation are shown. For example:

tcp.port eq 80

9. Match Packets Containing a Particular Sequence

The filter syntax for this is '[prot] contains [byte sequence]', where the byte sequence is written as colon-separated hex values.

For example:

tcp contains 01:01:04

10. Reject Packets Based on Source or Destination

The filter here is 'ip.src != [src_addr]' or 'ip.dst != [dst_addr]'.

For example:

ip.dst != 192.168.1.1
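As an added example (not part of the article), here is a small Python evaluator for the subset of display-filter syntax used in sections 3 to 10, run over constructed packets; it shows how each filter behaves on multi-valued fields such as ip.addr and tcp.port, in particular why 'ip.addr != X' does not exclude X the way '!(ip.addr == X)' does, and why '!=' never matches a packet that lacks the field (an ARP frame). The packet model, the grammar and the classic "any value differs" meaning of '!=' are assumptions of the example.

```python
import re

# Tokens: parentheses, operators, "quoted" strings, aa:bb:cc byte sequences, names and values.
TOKEN = re.compile(r'\s*(\(|\)|&&|\|\||!=|==|!|"[^"]*"|(?:[0-9a-fA-F]{2}:)+[0-9a-fA-F]{2}|[\w.]+)')

def parse(text):
    toks = TOKEN.findall(text)  # recursive descent: '||' binds loosest, then '&&', then '!' and parentheses
    def binary(sub, ops, name):
        node = sub()
        while toks and toks[0] in ops:
            toks.pop(0)
            node = (name, node, sub())
        return node
    def unary():
        tok = toks.pop(0)
        if tok in ("!", "not"): return ("not", unary())
        if tok == "(":
            node, _ = expr(), toks.pop(0)  # the sub-expression, then its closing ')'
            return node
        if toks and toks[0] in ("==", "eq", "!=", "ne", "contains"):
            op, val = toks.pop(0), toks.pop(0)  # "quoted" text loses its quotes; aa:bb:cc literals become bytes
            return (op, tok, val[1:-1] if val[0] == '"' else bytes.fromhex(val.replace(":", "")) if ":" in val else val)
        return ("has", tok)  # a bare name such as 'http' or 'arp': that protocol or field is present
    term = lambda: binary(unary, ("&&", "and"), "and")
    expr = lambda: binary(term, ("||", "or"), "or")
    return expr()

def matches(node, pkt):
    if isinstance(node, str): node = parse(node)  # accept filter text directly
    kind = node[0]
    if kind == "has": return node[1] in pkt
    if kind == "not": return not matches(node[1], pkt)
    if kind == "and": return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "or": return matches(node[1], pkt) or matches(node[2], pkt)
    op, field, value = node
    values = pkt.get(field, [])  # every field is a list (ip.addr holds both addresses); an absent field never matches
    if op == "contains":
        return any((value.encode() if isinstance(value, str) else value) in v for v in values if isinstance(v, bytes))
    return any((v == value) == (op in ("==", "eq")) for v in values)  # '!=' is the classic "any value differs"

def ip_pkt(src, dst, ports, **layers):
    l4 = "udp" if "udp" in layers else "tcp"  # constructed packet, not from a real capture
    return {"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst], l4 + ".port": [str(p) for p in ports],
            **{name: [data] for name, data in layers.items()}}

HTTP = b"GET / HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"
SSDP = b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST: ssdp:all\r\n\r\n"
PACKETS = [ip_pkt("192.168.1.4", "192.168.1.1", (51000, 80), tcp=HTTP, http=HTTP),
           ip_pkt("192.168.1.1", "192.168.1.4", (80, 51000), tcp=b"\x01\x01\x04\x00"),
           ip_pkt("10.0.0.5", "239.255.255.250", (1900, 1900), udp=SSDP, http=SSDP),  # SSDP uses the HTTP dissector
           {"arp": [b""]}]  # ARP carries no ip.* fields at all
```

Run matches("ip.addr != 192.168.1.1", p) and matches("!(ip.addr == 192.168.1.1)", p) over PACKETS to see that the first keeps every IP packet while the second is the one that actually excludes that host. Wireshark 3.6 and later redefined '!=' to mean "no value is equal", the same as '!(... ==)', and kept the old behaviour under the any_ne operator, so the pitfall applies to older versions.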


11 comments

1 bob July 23, 2012 at 8:32 am

Been looking for something like this for years. All the other tutorials/help is too complicated.

2 ateh July 23, 2012 at 8:35 am

thanks!!!

3 logoff July 24, 2012 at 12:22 am

In addition to this, you can click the ‘Expression…’ button to discover all the filters.

4 Pierre B. July 25, 2012 at 4:52 am

Thx TGS! Wireshark is quite useful for any [sys-net]admin.

5 PatC October 25, 2012 at 10:01 am

This is really a great help…tks

6 rish December 14, 2012 at 4:52 pm

how to filter based upon eigrp rip ospf and any command for ipv6 routing

7 Const March 22, 2013 at 7:36 pm

Your #5 doesn’t work, it also finds SSDP packets with HTTP in the body.

8 David May 10, 2013 at 8:51 am

Wanted to point out that in #10 you never want to do that.

Always do (!ip.dst==192.168.1.1)

9 sadi June 18, 2013 at 1:04 am

I agree with David !!

10 Maia September 10, 2013 at 9:16 pm

@David – You get the same result if you use the expression

!ip.dst == 192.168.1.1 or ip.dst != 192.168.1.1

However what you do want to avoid is using the expression

ip.addr != 192.168.1.1

11 Jesse Chisholm February 11, 2014 at 3:36 pm

re: point 5 : filter by protocol

If you want to see just SSDP packets, WireShark has no pre-defined filter.

The best I’ve come up with is this:

(udp contains "HTTP/1.1") and ((udp contains 0a:53:54:3a) or (udp contains 0a:59:54:3a))

The hex parts are the strings “ST:” and “NT:” at the beginning of a line.

-Jesse
