Wireshark display filters are the secret sauce that turns a firehose of network traffic into actionable intelligence.

Here’s a look at Wireshark’s display filter capabilities, from the most basic to the downright obscure.

The Anatomy of a Filter

A Wireshark display filter is a string of characters that tells Wireshark which packets to show and which to hide. Filters operate on fields within the packet dissection, not on the raw bytes, so you filter on things like IP addresses, port numbers, protocol names, and specific flags rather than on byte patterns.

The basic structure is field operator value.

  • Field: This is the specific piece of information you want to inspect. Examples include ip.addr, tcp.port, http.request.method.
  • Operator: This determines how the value is compared to the field.
  • Value: This is the data you’re looking for.

Core Operators: The Bread and Butter

These are the ones you’ll use 90% of the time.

  • Equality (==): Checks if a field is exactly equal to a value.
    • ip.addr == 192.168.1.100 (Show packets where either source or destination IP is 192.168.1.100)
  • Inequality (!=): Checks if a field is not equal to a value.
    • tcp.port != 80 (Show TCP packets where neither source nor destination port is 80)
  • Greater Than (>): Checks if a field is numerically greater than a value.
    • frame.len > 1000 (Show packets larger than 1000 bytes)
  • Less Than (<): Checks if a field is numerically less than a value.
    • ip.ttl < 64 (Show IP packets whose TTL is below 64)
    • !tcp.analysis.retransmission (Show TCP packets that are not retransmissions; tcp.analysis.retransmission is a presence-only flag with no numeric value, so it is negated rather than compared with <)
  • Greater Than or Equal To (>=):
    • frame.time_relative >= 60 (Show packets that arrived at least 60 seconds after the capture started)
  • Less Than or Equal To (<=):
    • tcp.window_size <= 1024 (Show TCP packets with a window size of 1024 or less)

Logical Operators: Combining Conditions

These allow you to build complex filter expressions.

  • AND (&& or and): Both conditions must be true.
    • ip.src == 10.0.0.5 && tcp.dstport == 443 (Show packets from 10.0.0.5 and destined for TCP port 443)
  • OR (|| or or): At least one of the conditions must be true.
    • http.request.method == "GET" || http.request.method == "POST" (Show HTTP requests that are either GET or POST)
  • NOT (! or not): Negates the condition that follows.
    • !arp (Show all packets that are not ARP)

Membership and Range Operators: Working with Sets

  • In (in): Checks if a field’s value is present in a list of values.
    • ip.addr in {192.168.1.10, 192.168.1.20, 192.168.1.30} (Show packets involving any of these three IP addresses)
  • Not In: There is no !in operator; negate the membership test with ! or not instead.
    • !(tcp.port in {22, 23, 25}) (Show TCP packets not using SSH, Telnet, or SMTP)
  • Range (..): Checks if a field’s value falls within a specified range (inclusive).
    • tcp.port in {1024..49151} (Show TCP traffic using a port in the IANA registered range, 1024 to 49151)

Bitwise Operators: For the Detail-Oriented

These are powerful for inspecting individual flags or specific bits within a field.

  • Bitwise AND (&): Checks if specific bits are set. A bare field & mask expression is true when the masked result is non-zero.
    • tcp.flags & 0x02 (Show TCP packets with the SYN flag set. 0x02 is the binary 00000010)
    • tcp.flags & 0x10 (Show TCP packets with the ACK flag set. 0x10 is the binary 00010000; PSH is 0x08)
    • tcp.flags.syn == 1 (The same SYN test using the per-flag boolean field that Wireshark dissects for you)
  • Bitwise OR (|), XOR (^) and shifts (<<, >>): Not part of the display filter language. & is the only bitwise operator; to test a different flag, change the mask, and to test several flags at once, combine their bits in the mask as shown below.

Example of using bitwise operators with flags: To find TCP packets with both SYN and ACK flags set: tcp.flags & 0x12 == 0x12 (SYN is 0x02, ACK is 0x10. 0x02 | 0x10 = 0x12. We’re checking that the bits corresponding to SYN and ACK are both set in the tcp.flags field; a mask of 0x03 would instead test SYN together with FIN, since FIN is 0x01).

String Operators: Textual Matching

These are for filtering based on text content, often within application-layer protocols.

  • Contains (contains): Checks if a string field contains a substring.
    • http.request.uri contains "/api/" (Show HTTP requests where the URI includes "/api/")
  • Matches (matches): Uses a regular expression for more complex pattern matching.
    • http.request.method matches "GET|POST" (Equivalent to the OR example above, but using regex; matches is case-insensitive by default and unanchored)
    • dns.qry.name matches "\\.google\\.com$" (Show DNS queries for hostnames ending in ".google.com")
  • Starts With (startswith):
    • smb.file.name startswith "report_"
  • Ends With (endswith):
    • smb.file.name endswith ".pdf"

Special Field Types and Operators

  • Protocol Presence (protocol): Checks if a protocol is present in the packet.
    • tcp (Show all TCP packets)
    • http (Show all HTTP packets)
    • !icmp (Show all packets that are not ICMP)
  • Frame Number (frame.number):
    • frame.number >= 1000 && frame.number <= 2000 (Show packets from frame 1000 to 2000)
  • Time (frame.time_relative, frame.time_delta):
    • frame.time_relative > 120 (Packets after 2 minutes into the capture)
    • frame.time_delta < 0.001 (Packets arriving less than 1ms after the previous one)
  • Length (frame.len):
    • frame.len < 64 (Show packets smaller than 64 bytes, often indicative of small control packets or malformed data)

Combining Everything: The Power of Compound Filters

You can string together many of these. For example, to find all HTTP GET requests for images from a specific IP address carried in frames larger than 5000 bytes (frame.len measures the request frame itself, not the image returned in the response):

ip.addr == 192.168.1.100 && http.request.method == "GET" && http.request.uri matches "\\.(jpg|png|gif)$" && frame.len > 5000

The Next Step: Display Filter Syntax in Tshark

Once you’ve mastered these display filter operators, you’ll want to apply them directly from the command line using tshark, which accepts the same display filter syntax through its -Y option.
