Wireshark filters are not just for seeing traffic; they’re how you isolate the specific conversations you care about in a sea of packets.
Let’s see this in action. Imagine you’re troubleshooting a web server that’s only accessible from a specific client IP address. You’ve captured traffic on the server, and it’s a mess. You want to see only the HTTP traffic from that one client.
Here’s the filter: ip.addr == 192.168.1.100 and tcp.port == 80
When you apply this, your Wireshark window will instantly clear, showing only packets where the source or destination IP address is 192.168.1.100 and the TCP port is 80. This is the standard HTTP port.
This filter breaks down into two main parts connected by and. The ip.addr == 192.168.1.100 part tells Wireshark to look at the IP layer of each packet and check if either the source or destination IP address matches 192.168.1.100. If it does, the packet passes this first test.
The second part, tcp.port == 80, then checks the TCP layer of the packets that already passed the IP test. It verifies if either the source or destination TCP port is 80. Only if both conditions are met does the packet appear in your filtered view.
You can also filter by UDP ports. If you were looking for DNS traffic, which typically uses UDP port 53, you’d use: udp.port == 53.
What if you want to see traffic to or from a specific IP address, but on any port? You’d simply omit the port condition: ip.addr == 192.168.1.100.
Conversely, if you want to see traffic on a specific port, regardless of the IP address, you can do that too. For example, to see all SSH traffic (TCP port 22): tcp.port == 22.
Combining multiple IP addresses is also possible. To see traffic between two specific clients: (ip.addr == 192.168.1.100) or (ip.addr == 192.168.1.150). The parentheses are important for grouping.
You can also filter by protocol directly. For instance, to see only ARP traffic: arp. Or ICMP: icmp.
This ability to precisely target traffic is fundamental. For example, if a web application is slow, you might filter for tcp.port == 80 and ip.addr == 192.168.1.100 to see only the requests and responses between your client and the web server. Then, you can examine the TCP flags (like SYN, ACK, FIN) and the packet timings to diagnose connection issues or latency.
Consider a scenario where you suspect a device is flooding the network with UDP packets on port 123 (NTP). You can isolate this with udp.port == 123. If you know the IP of the suspect device, say 10.0.0.5, the filter becomes ip.addr == 10.0.0.5 and udp.port == 123. This allows you to quickly verify if that specific device is indeed the source of the traffic.
The "display filter" syntax in Wireshark is powerful because it leverages a clear, readable structure. field operator value. For IP addresses, ip.addr checks both source and destination. If you need to be more specific, you can use ip.src or ip.dst. Similarly, for TCP, you have tcp.srcport and tcp.dstport.
The or operator is useful when you want to see traffic involving any of a set of IPs or ports. For example, to see traffic from your client to either the web server (192.168.1.200) or the database server (192.168.1.210) on port 3306 (MySQL): ip.addr == 192.168.1.100 and (tcp.dstport == 3306 and (ip.dst == 192.168.1.200 or ip.dst == 192.168.1.210)). This is getting complex, but it shows the granular control you have.
One of the most overlooked aspects of IP filtering is the concept of "network" or "subnet" matching. Instead of listing every IP in a range, you can use CIDR notation. For example, to see all traffic within the 192.168.1.0/24 subnet, you can use ip.addr == 192.168.1.0/24. This is incredibly efficient when dealing with large networks.
The real magic happens when you start combining these filters with logical operators like and, or, and not. For instance, to see all HTTP traffic except from a specific known good client: tcp.port == 80 and not ip.addr == 192.168.1.50. This allows you to exclude noise and focus on anomalies.
Understanding how to filter by IP, port, and protocol is the first step to becoming proficient with Wireshark. The next logical step is to learn about filtering based on packet content and flags.