Week 7 · lesson 2

Wireshark Display Filters

Hands-on. Type each filter into the Packet Lab and watch it work.

What you'll learn

  • Filter by protocol and by IP (ip.addr, ip.src, ip.dst).
  • Filter by TCP/UDP ports and by TCP flags (syn, ack, fin, reset).
  • Combine conditions with && to narrow a capture precisely.

Wireshark Display Filters

A capture has thousands of packets. Display filters are how you find the few that matter. Type each one into the Packet Lab filter bar on the right and watch the list shrink; the bar turns green when the syntax is valid.

Filter by IP

ip                          # any IP packet
ip.addr == 192.168.1.10     # source OR destination is this address
ip.src == 192.168.1.10      # only when it is the source
ip.dst == 8.8.8.8           # only when it is the destination

ip.addr matches either direction; ip.src / ip.dst pin down one.

Filter by protocol

tcp        udp        dns
http       tls        ssl

Bare protocol names keep only packets of that type. http.request and http.response split web traffic by direction:

http.request     # only requests the client sent
http.response    # only responses the server sent

DNS has a handy text match:

dns.qry.name contains "google"

Filter by port

tcp.port == 80      tcp.port == 443
tcp.srcport == 443  tcp.dstport == 80
udp.port == 53

tcp.port matches whether it is the source or destination port; srcport / dstport are specific.

Filter by TCP flags

Flags reveal the state of a TCP conversation:

tcp.flags.syn == 1     # connection starts (SYN and SYN-ACK)
tcp.flags.ack == 1     # acknowledgements
tcp.flags.fin == 1     # graceful close
tcp.flags.reset == 1   # abrupt reset (often a refused or scanned port)

Try tcp.flags.reset == 1: you will find the packet where a scan against port 22 got slammed shut with a RST.

Combine filters

Use && (AND) to require multiple conditions at once:

ip.addr == 192.168.1.10 && tcp
dns && ip.src == 192.168.1.10
tcp.port == 443 && ip.dst == 8.8.8.8

That last one may return zero packets, and that is a real, correct answer: nothing in this capture is HTTPS to the DNS server. Empty results are information too.
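To make the matching rules in the IP, protocol, port, flags and combine sections concrete, here is a small evaluator for the subset of display-filter syntax this lesson uses. It is an added example, not Wireshark's code and not the Packet Lab: the "capture" is a hand-built list of dicts keyed by Wireshark field names (the hosts 203.0.113.20 and 198.51.100.7 and every port and frame number are constructed), and the grammar covers only bare names, field == value, field contains "text", and &&. Running it shows why ip.addr and tcp.port match either direction, why a bare protocol name keeps whole packets, and that a well-formed filter can legitimately return nothing.

```python
"""Evaluate a small subset of Wireshark display-filter syntax over a
constructed capture (added example; not Wireshark's own code)."""
import re

# Constructed sample capture: one host doing a DNS lookup, an HTTPS
# handshake, a refused SSH probe (SYN answered by RST) and an HTTP exchange.
def _tcp(frame, src, dst, sport, dport, syn=0, ack=0, fin=0, reset=0, **extra):
    pkt = {"frame": frame, "ip.src": src, "ip.dst": dst,
           "tcp.srcport": sport, "tcp.dstport": dport,
           "tcp.flags.syn": syn, "tcp.flags.ack": ack,
           "tcp.flags.fin": fin, "tcp.flags.reset": reset}
    pkt.update(extra)
    return pkt

HOST, DNS, WEB, SCANNER = "192.168.1.10", "8.8.8.8", "203.0.113.20", "198.51.100.7"
PACKETS = [
    {"frame": 1, "ip.src": HOST, "ip.dst": DNS, "udp.srcport": 51000,
     "udp.dstport": 53, "dns.qry.name": "www.google.com", "dns.flags.response": 0},
    {"frame": 2, "ip.src": DNS, "ip.dst": HOST, "udp.srcport": 53,
     "udp.dstport": 51000, "dns.qry.name": "www.google.com", "dns.flags.response": 1},
    _tcp(3, HOST, WEB, 52000, 443, syn=1),                       # SYN
    _tcp(4, WEB, HOST, 443, 52000, syn=1, ack=1),                # SYN-ACK
    _tcp(5, HOST, WEB, 52000, 443, ack=1, **{"tls.handshake.type": 1}),  # Client Hello
    _tcp(6, SCANNER, HOST, 40000, 22, syn=1),                    # probe on port 22
    _tcp(7, HOST, SCANNER, 22, 40000, ack=1, reset=1),           # refused with RST
    _tcp(8, HOST, WEB, 52001, 80, ack=1, **{"http.request.method": "GET"}),
    _tcp(9, WEB, HOST, 80, 52001, ack=1, **{"http.response.code": 200}),
]

# "Either direction" fields expand to both concrete fields, which is why
# ip.addr and tcp.port match a packet regardless of which side sent it.
ALIASES = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}
SYNONYMS = {"ssl": "tls"}   # older protocol name kept as an alias

def has_field(pkt, name):
    """Bare name: true when the packet carries that protocol or field
    (a key equal to it or nested under it, e.g. 'tcp' matches 'tcp.srcport')."""
    name = SYNONYMS.get(name, name)
    return any(k == name or k.startswith(name + ".") for k in pkt)

def field_values(pkt, name):
    return [pkt[k] for k in ALIASES.get(name, (name,)) if k in pkt]

def parse_literal(text):
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1]                              # quoted string
    return int(text) if text.isdigit() else text       # port/flag, or IP as text

COND_RE = re.compile(r'^\s*([\w.]+)\s*(?:(==|contains)\s*(.+?))?\s*$')

def match_condition(pkt, cond):
    m = COND_RE.match(cond)
    if not m:
        raise ValueError(f"unsupported filter syntax: {cond!r}")
    name, op, rhs = m.groups()
    if op is None:                       # bare protocol / field name
        return has_field(pkt, name)
    values = field_values(pkt, name)
    lit = parse_literal(rhs)
    if op == "contains":
        return any(isinstance(v, str) and str(lit) in v for v in values)
    return any(v == lit for v in values)  # ==

def apply_filter(packets, expr):
    """Return the frame numbers that satisfy every &&-joined condition."""
    conds = expr.split("&&")
    return [p["frame"] for p in packets if all(match_condition(p, c) for c in conds)]

if __name__ == "__main__":
    for f in ["dns", "tcp.port == 443", "tcp.flags.syn == 1",
              'dns.qry.name contains "google"', "ip.addr == 192.168.1.10 && tcp",
              "tcp.flags.reset == 1", "tcp.port == 443 && ip.dst == 8.8.8.8"]:
        print(f"{f:45} -> frames {apply_filter(PACKETS, f)}")
```

The last filter in the loop returns an empty list for the same reason the lesson gives: frames to 8.8.8.8 are DNS over UDP, not TCP 443, so an empty result is the correct answer rather than a syntax problem (the evaluator only raises on syntax it cannot parse).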

Try it

Work down the list: dns, then tcp.port == 443, then tcp.flags.syn == 1, then dns.qry.name contains "google", and finally ip.addr == 192.168.1.10 && tcp. Click the example chips if you want them filled in for you. This is the single most-used skill in everyday traffic analysis.

Check your understanding

3 questions

Type an answer and press Check. Grading is keyword-based and forgiving, so short answers are fine.

  1. Write a display filter that shows only HTTPS traffic.

  2. You want only the packets where 192.168.1.10 is the source (not the destination). Which filter field do you use: ip.addr, ip.src, or ip.dst?

  3. Which filter finds abrupt connection resets? Then write a filter for all traffic involving 192.168.1.10 that is also TCP.