Wireshark capture filter

Wireshark has two kinds of filter: a capture filter and a display filter. The capture filter discards, at capture time, every packet that does not satisfy the filter condition and keeps only the packets that match. The display filter is applied to packets that have already been captured and shows only those that meet the condition.

The display filter keeps all of the captured data, which is convenient for later traffic analysis, while the capture filter keeps only a limited set of packets, so later analysis is restricted to what was captured.

First, the capture filter

Wireshark's capture is based on the underlying libpcap/WinPcap library.

When you open the software, you can enter the filter rules directly in the filter field. Wireshark 2.6 is used in the following example.

Capture --> Options



Using the BPF syntax (Berkeley Packet Filter), there are four elements:

  • Type
    • host, net, port
  • Direction (Dir)
    • src, dst
  • Protocol (Proto)
    • ether, ip, tcp, udp, http, ftp
  • Logical operators
    • &&
    • ||
    • !

The source address is and the destination port is 80.

src host && dst port 80

Capture traffic from and

host || host

Don't capture broadcast packets

! broadcast

Filter mac address:

ether host 00:88:ca:86:f8:0d
ether src host 00:88:ca:86:f8:0d
ether dst host 00:88:ca:86:f8:0d

Filter IP address:

src host
dst host

Filter port:

port 80
!port 80
dst port 80
src port 80

Filtering protocol:


Combining filters with logical operators:

host && port 8080

Second, the display filter

To use the display filter, first capture packets with the software, then enter the filter rule in the display filter field:


Comparison operators:

  • ==    equal to
  • !=    not equal to
  • >     greater than
  • <     less than
  • >=    greater than or equal to
  • <=    less than or equal to

Logical operators:

  • and: both conditions are met
  • or: at least one of the conditions is met
  • xor: exactly one of the two conditions is met
  • not: the condition is not met (negation)

IP address:

  • ip.addr    IP address (source or destination)
  • ip.src     source IP
  • ip.dst     destination IP

Port filtering:

  • tcp.port
  • tcp.srcport
  • tcp.dstport
  • tcp.flags.syn    TCP packets with the SYN flag set
  • tcp.flags.ack    TCP packets with the ACK flag set

Protocol filtering:

arp, ip, icmp, udp, tcp, bootp, dns, etc.


Filter IP address:

ip.addr ==   filter this IP (source or destination)
ip.src ==    filter this source IP

Filter port:

tcp.port == 80 
tcp.flags.syn == 1 

Combining filters with logical operators:

ip.src == and ip.dst ==