Summary: Wireshark display filter syntax reference covering IP, protocol, port, MAC, TCP flags, HTTP, DNS, DHCP, ICMP, and common troubleshooting combinations.
Wireshark display filters are applied after capture to show only matching packets. They use Wireshark's own field-based syntax — distinct from BPF capture filters. Filters reference protocol field names (e.g. ip.addr, tcp.flags.syn) rather than raw packet offsets.
Comparison operators: ==, !=, >, <, >=, <=, contains, matches (regex).
Logical operators: && (and), || (or), ! (not). Parentheses enforce precedence.
| Filter | What It Shows |
| --- | --- |
| ip.addr == 10.1.1.50 | All packets involving this IP (src or dst) |
| ip.src == 10.1.1.50 | Packets sourced from this IP |
| ip.dst == 10.1.1.50 | Packets destined for this IP |
| ip.addr == 10.1.1.0/24 | All packets to or from this subnet |
| ip.src == 10.1.1.0/24 | Packets sourced from this subnet |
| !(ip.addr == 10.1.1.1) | Exclude a host (suppress gateway noise) |
| ip.addr == 10.1.1.10 && ip.addr == 10.1.1.20 | Traffic between exactly these two hosts |
| ip.ttl < 10 | Packets with TTL under 10 — near-expired, useful for traceroute analysis |
| Filter | What It Shows |
| --- | --- |
| tcp | All TCP |
| udp | All UDP |
| icmp | All ICMP |
| icmpv6 | All ICMPv6 |
| arp | All ARP |
| dns | DNS (UDP/TCP port 53) |
| http | HTTP (unencrypted, port 80) |
| tls | TLS — covers HTTPS and any TLS-wrapped traffic |
| dhcp | DHCP (use bootp on older Wireshark versions) |
| ospf | OSPF routing protocol |
| bgp | BGP |
| Filter | What It Shows |
| --- | --- |
| tcp.port == 443 | TCP port 443, either direction |
| tcp.dstport == 80 | TCP packets destined for port 80 |
| tcp.srcport == 443 | TCP packets sourced from port 443 |
| udp.port == 53 | UDP port 53 (DNS) |
| tcp.port >= 1024 | Ephemeral port range |
| tcp.port == 80 \|\| tcp.port == 443 | HTTP and HTTPS |
| !(tcp.port == 22) | Exclude SSH |
| Filter | What It Shows |
| --- | --- |
| eth.addr == aa:bb:cc:dd:ee:ff | All frames to or from this MAC |
| eth.src == aa:bb:cc:dd:ee:ff | Frames sourced from this MAC |
| eth.dst == aa:bb:cc:dd:ee:ff | Frames destined for this MAC |
| eth.dst == ff:ff:ff:ff:ff:ff | Broadcast frames |
| eth.dst[0] & 1 | Multicast frames (LSB of the first octet, the group bit, is set; broadcast matches too) |
| Filter | What It Shows |
| --- | --- |
| tcp.flags.syn == 1 | Any packet with SYN set (new connections and SYN-ACKs) |
| tcp.flags == 0x002 | SYN only — new connection attempts |
| tcp.flags == 0x012 | SYN-ACK — server accepting connections |
| tcp.flags.rst == 1 | TCP RST — connection resets |
| tcp.flags.fin == 1 | TCP FIN — graceful teardown |
| tcp.flags.push == 1 && tcp.flags.ack == 1 | PSH-ACK — active data transfer |
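The operator rules given at the top (comparisons, presence tests, `!`/`&&`/`||` precedence, multi-valued fields such as ip.addr) and the hex flag values in the TCP flags table are easiest to see by running filters against a handful of packets. The block below is an added example, not Wireshark's own code or a faithful copy of its filter engine: a toy evaluator for a subset of the display-filter grammar (no slices, bitwise tests, CIDR or matches) over a constructed packet list. Field names mirror Wireshark's; the packets, the ipv4() helper, apply_filter() and the sample addresses are assumptions made here.

```python
"""Toy evaluator for a subset of Wireshark display-filter syntax (added example, not
Wireshark code): presence tests, comparison operators, and ! / && / || with Wireshark's
precedence. A packet is a dict of field name -> list of values, because a field can occur
several times per packet (ip.addr is both ip.src and ip.dst); a comparison is true when ANY
occurrence matches, which is what makes `ip.addr == A && ip.addr == B` mean "A talking to B"."""
import operator
import re

TOKEN = re.compile(r'\s*(\(|\)|&&|\|\||!=|==|>=|<=|>|<|!|contains|"[^"]*"|[\w.:/]+)')
ORDERED = {"==": operator.eq, "<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}

def tokenize(text):
    tokens = TOKEN.findall(text)
    if "".join(tokens) != "".join(text.split()):   # a character the grammar does not know was skipped
        raise SyntaxError("unrecognised characters in filter")
    return tokens

def literal(tok):
    """Quoted string, decimal/hex integer, else the raw token (IPs, MACs) as a string."""
    if tok.startswith('"'):
        return tok[1:-1]
    return int(tok, 0) if re.fullmatch(r"0x[0-9a-fA-F]+|\d+", tok) else tok

def parse(tokens):
    """Recursive descent; ! binds tightest, then &&, then ||, as in Wireshark."""
    def binary(op, tag, operand):
        node = operand()
        while tokens[:1] == [op]:
            tokens.pop(0)
            node = (tag, node, operand())
        return node

    def or_expr():
        return binary("||", "or", lambda: binary("&&", "and", unary))

    def unary():
        tok = tokens.pop(0)                         # IndexError on a truncated filter
        if tok == "!":
            return ("not", unary())
        if tok == "(":
            node = or_expr()
            if tokens.pop(0) != ")":
                raise SyntaxError("expected ')'")
            return node
        if tokens and (tokens[0] in ORDERED or tokens[0] in ("!=", "contains")):
            return ("cmp", tokens.pop(0), tok, literal(tokens.pop(0)))
        return ("present", tok)                     # bare `tcp` or `http.cookie`: field exists

    node = or_expr()
    if tokens:
        raise SyntaxError(f"unexpected token {tokens[0]!r}")
    return node

def compare(op, value, lit):
    # One field occurrence against one literal; a type mismatch is simply no match.
    if op == "contains":
        return str(lit) in str(value)
    try:
        return ORDERED[op](value, lit)
    except TypeError:
        return False

def evaluate(node, pkt):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "present":
        return node[1] in pkt
    _, op, field, lit = node
    values = pkt.get(field, [])
    if op == "!=":
        # Wireshark 3.6+ "all not equal" semantics (older releases used "any not equal", so
        # `ip.addr != X` matched almost everything). Like every comparison here it needs the
        # field present: the ARP frame below fails `ip.addr != X` but passes `!(ip.addr == X)`.
        return bool(values) and all(not compare("==", v, lit) for v in values)
    return any(compare(op, v, lit) for v in values)

def ipv4(src, dst):
    return {"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst]}

# Constructed sample frames, not from a real capture (203.0.113.5 is a TEST-NET address).
PACKETS = [
    {"frame.number": [1], "arp": [True], "eth.dst": ["ff:ff:ff:ff:ff:ff"]},
    {"frame.number": [2], **ipv4("10.1.1.10", "10.1.1.20"), "tcp": [True], "tcp.port": [51000, 443],
     "tcp.flags": [0x002], "tcp.flags.syn": [1], "tcp.flags.ack": [0]},        # SYN
    {"frame.number": [3], **ipv4("10.1.1.20", "10.1.1.10"), "tcp": [True], "tcp.port": [443, 51000],
     "tcp.flags": [0x012], "tcp.flags.syn": [1], "tcp.flags.ack": [1]},        # SYN-ACK
    {"frame.number": [4], **ipv4("10.1.1.1", "10.1.1.10"), "udp": [True], "udp.port": [53, 40000],
     "dns": [True], "dns.flags.response": [1], "dns.flags.rcode": [3]},        # NXDOMAIN reply
    {"frame.number": [5], **ipv4("10.1.1.10", "203.0.113.5"), "tcp": [True], "tcp.port": [52000, 80],
     "http.request": [True], "http.host": ["example.com"], "http.request.uri": ["/login"]},
]

def apply_filter(text, packets=PACKETS):
    """Frame numbers a display filter would leave visible."""
    node = parse(tokenize(text))
    return [p["frame.number"][0] for p in packets if evaluate(node, p)]
```

Against these five frames, `apply_filter("ip.addr == 10.1.1.10 && ip.addr == 10.1.1.20")` returns frames 2 and 3, the two halves of the handshake; `tcp.flags.syn == 1` returns both as well while `tcp.flags == 0x002` returns only frame 2. Precedence shows in `arp || tcp && tcp.flags == 0x002` (frames 1 and 2) against `(arp || tcp) && tcp.flags == 0x002` (frame 2 only). The exclusion forms differ on the ARP frame: `!(ip.addr == 10.1.1.1)` keeps it, `ip.addr != 10.1.1.1` drops it, which is why the table prefers the negated form for "exclude a host".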
| Filter | What It Shows |
| --- | --- |
| tcp.analysis.retransmission | Retransmitted segments |
| tcp.analysis.out_of_order | Out-of-order segments |
| tcp.analysis.duplicate_ack | Duplicate ACKs (common ahead of retransmission) |
| tcp.analysis.zero_window | Zero window advertisements — sender blocked by receiver |
| tcp.analysis.window_full | Sender's window is full |
| tcp.analysis.fast_retransmission | Fast retransmit triggered by duplicate ACKs |
| Filter | What It Shows |
| --- | --- |
| http.request | All HTTP requests |
| http.response | All HTTP responses |
| http.request.method == "GET" | GET requests only |
| http.request.method == "POST" | POST requests only |
| http.response.code == 200 | HTTP 200 OK |
| http.response.code == 404 | HTTP 404 Not Found |
| http.response.code >= 400 | All HTTP error responses (4xx and 5xx) |
| http.host == "example.com" | Requests to a specific Host header |
| http.host contains "google" | Requests where Host contains a string |
| http.request.uri contains "login" | Requests with a URI containing a string |
| http.cookie | Requests carrying a Cookie header |
⚠️ HTTPS / TLS: HTTP filters only match unencrypted HTTP. TLS-encrypted traffic (HTTPS, port 443) shows as tls; filter on tls or tcp.port == 443, and decrypt separately by loading an SSL key log file in the TLS protocol preferences.
| Filter | What It Shows |
| --- | --- |
| dns | All DNS traffic |
| dns.flags.response == 0 | DNS queries only |
| dns.flags.response == 1 | DNS responses only |
| dns.qry.name == "example.com" | Query for an exact name |
| dns.qry.name contains "microsoft" | Queries where the name contains a string |
| dns.resp.name == "example.com" | Responses for an exact name |
| dns.flags.rcode != 0 | DNS errors — non-zero response code (NXDOMAIN, SERVFAIL, etc.) |
| dns.flags.rcode == 3 | NXDOMAIN — name does not exist |
| dns.qry.type == 1 | A record queries |
| dns.qry.type == 28 | AAAA record queries |
| dns.qry.type == 5 | CNAME queries |
| dns.qry.type == 15 | MX queries |
| Filter | What It Shows |
| --- | --- |
| dhcp | All DHCP traffic (use bootp on Wireshark < 3.0) |
| dhcp.option.dhcp == 1 | DISCOVER — client searching for a server |
| dhcp.option.dhcp == 2 | OFFER — server responding with an address |
| dhcp.option.dhcp == 3 | REQUEST — client requesting the offered address |
| dhcp.option.dhcp == 5 | ACK — server confirming the lease |
| dhcp.option.dhcp == 6 | NAK — server rejecting the request |
| dhcp.hw.mac_addr == aa:bb:cc:dd:ee:ff | DHCP traffic for a specific client MAC |
| Filter | What It Shows |
| --- | --- |
| icmp | All ICMP |
| icmp.type == 8 | Echo request (ping outbound) |
| icmp.type == 0 | Echo reply (ping response) |
| icmp.type == 3 | Destination unreachable |
| icmp.code == 3 && icmp.type == 3 | Port unreachable (type 3, code 3) |
| icmp.type == 11 | TTL exceeded — traceroute hops |
| icmp.type == 5 | Redirect messages |
| Filter | What It Shows |
| --- | --- |
| ip.addr == 10.1.1.10 && ip.addr == 10.1.1.20 | Conversation between two specific hosts |
| ip.addr == 10.1.1.100 && !(tcp.port == 22) | One host's traffic with SSH excluded |
| http.request && http.host == "intranet.example.com" | HTTP requests to one specific host |
| http.response.code >= 400 | HTTP error responses (4xx and 5xx) |
| dns.flags.rcode != 0 | DNS failures only (NXDOMAIN or SERVFAIL) |
| dhcp && dhcp.hw.mac_addr == aa:bb:cc:dd:ee:ff | DHCP exchange for one client MAC |
| tcp.flags.rst == 1 \|\| tcp.analysis.retransmission | TCP connection problems (resets and retransmissions) |
| tcp.flags == 0x002 \|\| (tcp.flags.rst == 1 && tcp.flags.ack == 0) | SYN-only segments, plus RSTs sent without ACK |
| tcp && frame.time_delta > 1 | TCP packets arriving more than 1 s after the previous captured frame |
| tls.handshake.type == 1 | All TLS handshakes (client hellos) |
| tls.handshake.extensions_server_name contains "example.com" | TLS handshakes whose SNI contains a string |
| icmp.type == 3 | ICMP destination unreachable |
| ip.len > 1400 | IP packets with a total length over 1400 bytes |
| !(eth.dst == ff:ff:ff:ff:ff:ff) && !(eth.dst[0] & 1) | Exclude broadcast and multicast |
- Wireshark display filters are not the same as BPF capture filters — display filters use field names like ip.addr; BPF uses primitives such as host and port, or raw byte offsets. Both can be active at once: the capture filter decides what is recorded, the display filter what is shown.
- Right-click any field in the packet detail pane and choose "Apply as Filter" to build filters from live packet content without typing.
- Use "Prepare as Filter" instead of "Apply as Filter" to stage a filter in the bar without immediately applying it — useful for building complex expressions.
- Colour rules (View → Coloring Rules) can highlight specific filter matches without hiding other traffic.
- frame.time_delta measures the time since the previous packet in the capture; frame.time_delta_displayed measures the time since the previous displayed packet — useful when a filter is active.
- Save frequently used filters as bookmarks using the + button in the display filter bar.
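The time_delta distinction in the tips matters when hunting for stalls with a combination such as tcp && frame.time_delta > 1: frame.time_delta is measured against whatever frame came before in the capture, including frames the filter hides, so a stall in one conversation is masked whenever unrelated traffic arrives in between. The block below is an added example, not Wireshark code: it recomputes both deltas from a constructed timestamp list. FRAMES, is_tcp(), time_deltas() and large_gaps() are assumptions made here, and the protocol column stands in for the display-filter test.

```python
"""frame.time_delta vs frame.time_delta_displayed, recomputed for a filtered packet list.
Added example, not Wireshark code; the capture below is constructed."""

# (frame number, epoch seconds, protocol). Not real data: the gaps are chosen so that the
# TCP stream stalls for 1.5 s while DNS traffic keeps arriving in between.
FRAMES = [
    (1, 100.000, "tcp"),
    (2, 100.200, "dns"),
    (3, 100.400, "dns"),
    (4, 100.600, "tcp"),   # 0.2 s after frame 3, 0.6 s after the previous TCP frame
    (5, 102.000, "dns"),
    (6, 102.100, "tcp"),   # 0.1 s after frame 5, 1.5 s after the previous TCP frame
]


def is_tcp(proto):
    """Stand-in for the display filter `tcp`."""
    return proto == "tcp"


def time_deltas(frames, keep):
    """Map frame number -> (time_delta, time_delta_displayed) for frames passing `keep`.

    time_delta: seconds since the previous frame in the capture, displayed or not.
    time_delta_displayed: seconds since the previous frame that passed the filter.
    Both are 0 for the first frame of their sequence, as in Wireshark."""
    out, prev_ts, prev_shown_ts = {}, None, None
    for num, ts, proto in frames:
        delta = 0.0 if prev_ts is None else ts - prev_ts
        prev_ts = ts
        if keep(proto):
            delta_shown = 0.0 if prev_shown_ts is None else ts - prev_shown_ts
            prev_shown_ts = ts
            out[num] = (round(delta, 3), round(delta_shown, 3))
    return out


def large_gaps(frames, keep, threshold=1.0, displayed=False):
    """Frames passing `keep` whose gap exceeds `threshold` seconds. With displayed=False
    this is `<filter> && frame.time_delta > 1`; with displayed=True it is the gap the
    time_delta_displayed column shows once the filter is applied."""
    idx = 1 if displayed else 0
    return [num for num, deltas in time_deltas(frames, keep).items() if deltas[idx] > threshold]


if __name__ == "__main__":
    print(time_deltas(FRAMES, is_tcp))                  # {1: (0.0, 0.0), 4: (0.2, 0.6), 6: (0.1, 1.5)}
    print(large_gaps(FRAMES, is_tcp))                   # []  the 1.5 s TCP stall is hidden by frame 5
    print(large_gaps(FRAMES, is_tcp, displayed=True))   # [6]
```

With the TCP-only filter, frame 6 shows a frame.time_delta of 0.1 s (frame 5, a DNS packet, arrived just before it) but a frame.time_delta_displayed of 1.5 s; the combination tcp && frame.time_delta > 1 therefore returns nothing, while the time_delta_displayed column makes the stall visible. Adding frame.time_delta_displayed as a column after applying the filter is the reliable way to read such gaps.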