Wireshark Display Filter Builder

Wireshark is the world's most widely used network protocol analyzer. Network engineers use it to inspect packet captures at the byte level, diagnose application issues, validate encryption, and troubleshoot wireless connectivity problems. Wireshark has two types of filters — capture filters (BPF syntax, applied during capture to limit what is saved) and display filters (Wireshark's own syntax, applied after capture to filter what is shown). Use the builder below or browse the reference sections for the most common filters.

Capture Filter vs Display Filter

Capture Filters (BPF)

Applied before packets are saved
Uses tcpdump/BPF syntax
Reduces file size — only saves matching packets
Cannot be changed after capture starts
Set in: Capture → Options → Filter

host 10.0.0.1 and port 443

Display Filters (Wireshark)

Applied after packets are captured
Uses Wireshark's own syntax
Does not discard packets — just hides them
Can be changed anytime during analysis
Entered in the filter bar at the top

ip.addr == 10.0.0.1 && tcp.port == 443

Display Filter Builder

IP Address

IP Direction

Port

Port Direction

Protocol

TCP Flag

MAC Address

Subnet (CIDR)

Exclude retransmissions

Show TCP errors only

IPv6 only

IPv4 only

▶// Enter values above to build a filter

Basic Display Filters

// IP & Host

Traffic to or from an IP

ip.addr == 10.0.0.1

Traffic from source IP only

ip.src == 10.0.0.1

Traffic to destination IP only

ip.dst == 10.0.0.1

Traffic between two hosts

ip.addr == 10.0.0.1 && ip.addr == 10.0.0.2

Filter by subnet

ip.addr == 192.168.1.0/24

Exclude an IP

!(ip.addr == 10.0.0.1)

Filter by MAC address

eth.addr == aa:bb:cc:dd:ee:ff

// Port & Protocol

Filter by TCP port

tcp.port == 443

Filter by UDP port

udp.port == 53

TCP source port

tcp.srcport == 443

TCP destination port

tcp.dstport == 80

TCP only

tcp

UDP only

udp

ICMP only

icmp

ARP only

arp

// TCP Flags

SYN packets (connection initiation)

tcp.flags.syn == 1 && tcp.flags.ack == 0

SYN-ACK (connection response)

tcp.flags.syn == 1 && tcp.flags.ack == 1

RST packets (connection reset)

tcp.flags.reset == 1

FIN packets (connection close)

tcp.flags.fin == 1

PSH flag set

tcp.flags.push == 1

TCP retransmissions

tcp.analysis.retransmission

TCP errors (retrans, dup ACK, reset)

tcp.analysis.flags

Zero window (receiver buffer full)

tcp.analysis.zero_window

// HTTP / DNS / DHCP

HTTP traffic

http

HTTP GET requests only

http.request.method == "GET"

HTTP POST requests only

http.request.method == "POST"

TLS/HTTPS traffic

tls

TLS Client Hello

tls.handshake.type == 1

DNS traffic

dns

DNS queries only

dns.flags.response == 0

DNS responses only

dns.flags.response == 1

DHCP traffic

dhcp

DHCP Discover

dhcp.option.dhcp == 1

DHCP Request

dhcp.option.dhcp == 3

// VoIP / RTP

SIP traffic

sip

SIP INVITE (call setup)

sip.Method == "INVITE"

RTP (voice/video media streams)

rtp

RTCP (RTP control)

rtcp

SIP or RTP (all VoIP)

sip || rtp || rtcp

RTP jitter analysis

rtp && rtp.marker == 1

// Wireless (802.11)

All 802.11 WLAN frames

wlan

Beacon frames

wlan.fc.type_subtype == 0x0008

Probe requests (client scanning)

wlan.fc.type_subtype == 0x0004

Probe responses

wlan.fc.type_subtype == 0x0005

Authentication frames

wlan.fc.type_subtype == 0x000b

Association requests

wlan.fc.type_subtype == 0x0000

Disassociation frames

wlan.fc.type_subtype == 0x000a

Deauthentication frames

wlan.fc.type_subtype == 0x000c

Filter by BSSID (AP MAC)

wlan.bssid == aa:bb:cc:dd:ee:ff

Filter by SSID name

wlan.ssid == "MyNetwork"

Management frames only

wlan.fc.type == 0

Data frames only

wlan.fc.type == 2

EAPOL (WPA handshake)

eapol

// Capture Filters (BPF syntax)

Capture by host

host 10.0.0.1

Capture by port

port 443

Capture host and port

host 10.0.0.1 and port 443

Capture subnet

net 192.168.1.0/24

Exclude SSH (avoid capturing your own session)

not port 22

TCP only

tcp

UDP only

udp

Working with Display Filters

Wireshark gives you two completely different filter syntaxes, and mixing them up is the most common Wireshark mistake. Capture filters use BPF — the same syntax as tcpdump (host 10.0.0.1 and port 443) — and run in the kernel before packets are saved. Display filters use Wireshark's own protocol-aware syntax (ip.addr == 10.0.0.1 && tcp.port == 443) and run after capture. This builder targets display filters; for capture filters see the tcpdump page, since the syntax is identical.

Display filter operators: == equals, != not equals, && AND, || OR, ! NOT, with parentheses for grouping. Field names are protocol-prefixed: ip.src, tcp.port, http.request.method, wlan.bssid. Wireshark autocompletes these as you type — there are thousands of them, one for almost every parsed field of every supported protocol. The filter bar turns green when valid, red when not, yellow when ambiguous.

The right workflow is to capture broadly and filter narrowly. A capture filter that's too tight throws away packets you can't get back — if your bug turns out to be in some adjacent stream, you're starting over. Better: capture with a loose BPF filter (or none), then use display filters during analysis. The display filter is non-destructive — clear it and the full capture comes back instantly.

A few filters worth memorizing: tcp.flags.reset == 1 finds RST packets, which are often the first sign of a broken connection (firewall reset, app crash, timeout from the other side). tcp.analysis.flags shows everything Wireshark's expert analyzer flagged as anomalous — retransmissions, duplicate ACKs, zero window, out-of-order. http.response.code >= 400 isolates HTTP errors. dns.flags.response == 0 shows only DNS queries (not responses), useful for finding the lookups a misbehaving client is doing. For wireless captures, wlan.fc.type_subtype == 0x000c filters deauthentication frames — the smoking gun for both honest disconnects and deauth-flood attacks.