Wireshark's display filter expression syntax is very useful. A display filter is applied to a capture (live or loaded from a file) after the packets have been captured, and the packet list then shows only the packets that match the expression; a capture filter, by contrast, decides which packets get recorded in the first place. It is a powerful option, but not a beginner-friendly one. The filter dialog is easier to start with, but once you are used to the expression syntax you will not go back to the dialog. Here is a collection of the expression syntax options that are frequently used.

Comparison Operator

Operator   Alternative   Description
==         eq            Equal to
!=         ne            Not equal to
<          lt            Less than
>          gt            Greater than
<=         le            Less than or equal to
>=         ge            Greater than or equal to

Each operator has a word form (the Alternative column) that can be used instead of the symbol, e.g. "tcp.port eq 80" is the same filter as "tcp.port == 80".


Logical Operator

Operator   Alternative   Description
and        &&            Both expressions must be true
or         ||            At least one of the two expressions must be true
xor        ^^            Exactly one of the two expressions must be true
not        !             Negates the expression that follows it: true when that expression is false

The word forms are written in lower case. "not" applies to the single expression (or parenthesised group) that follows it. When you combine and, or and xor in one filter, put parentheses around the groups rather than relying on operator precedence; "a and (b or c)" and "(a and b) or c" are different filters.


!dns = Hide all DNS traffic in the capture window (same as "not dns")

!arp = Hide all ARP packets in the capture window

!icmp = Hide all ICMP packets in the capture window

frame.len <= 128 = Show only frames that are 128 bytes or shorter (frame.pkt_len is the old, deprecated name of this field)

ip.addr== = Show all packets in which the given IP address appears as either the source or the destination

ip.addr== or ip.addr== = Show packets containing either of the two IP addresses

To hide every packet involving an address X, use "!(ip.addr == X)" rather than "ip.addr != X". Before Wireshark 3.6, "ip.addr != X" was true whenever either the source or the destination differed from X, which is nearly every packet; 3.6 changed "!=" so that every occurrence of the field must differ. "!(ip.addr == X)" means the same thing in every version.

ip.dst== = Show all traffic destined to the given address

ip.src== = Show all traffic sourced from the given address

The next three examples are written in capture filter (pcap/BPF) syntax, which belongs in the Capture Options dialog or on the tcpdump command line, not in the display filter bar: "host", "port", "multicast" and "broadcast" are not display filter keywords. The display filter equivalent is given after each one.

not multicast and not broadcast = Show only unicast traffic; the display filter form is "eth.dst.ig == 0" (the group bit of the destination MAC address is clear)

host www.cisconet.com = Show all traffic from / to www.cisconet.com; display filters compare addresses rather than names, so resolve the name first and use "ip.addr == <that address>"

host www.cisconet.com and not (port 80) = Show all traffic from / to www.cisconet.com except web (port 80) traffic; the display filter form is "ip.addr == <that address> and not tcp.port == 80"
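The points above about multi-occurrence fields and "!=" are easiest to see by running filters against a few packets. The script below is an added example written for this page, not Wireshark code or part of the original post: it compiles a subset of the display filter syntax (comparisons, protocol/field presence tests, and/or/xor/not and parentheses) into a predicate and runs it over three packets constructed inline. The packets, the field names stored in them, the MULTI table that expands ip.addr and tcp.port into their two occurrences, and the operator precedence order are all assumptions of the demo; the ne parameter selects the pre-3.6 or the 3.6-and-later meaning of "!=".

```python
"""Evaluator for a subset of Wireshark display-filter syntax (added example, not
Wireshark code): shows why "ip.addr != X" and "!(ip.addr == X)" are different."""
import operator
import re
from ipaddress import ip_address

# Constructed sample packets (not a real capture): protocol set + dissected fields.
PACKETS = [
    {"protos": {"eth", "ip", "tcp", "http"}, "frame.len": 74, "ip.src": "10.0.0.5",
     "ip.dst": "203.0.113.10", "tcp.srcport": 51000, "tcp.dstport": 80},
    {"protos": {"eth", "ip", "udp", "dns"}, "frame.len": 61, "ip.src": "10.0.0.5",
     "ip.dst": "10.0.0.1", "udp.srcport": 53412, "udp.dstport": 53},
    {"protos": {"eth", "arp"}, "frame.len": 42},
]
# Combined fields expand to several occurrences per packet, as in Wireshark.
MULTI = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
         "udp.port": ("udp.srcport", "udp.dstport")}
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge}
# Binary operators, lowest precedence first (assumed order; parenthesise in practice).
LEVELS = [(("or", "||"), lambda a, b: a or b), (("xor", "^^"), lambda a, b: a != b),
          (("and", "&&"), lambda a, b: a and b)]
KEYWORDS = {"not", "!", *(k for ops, _ in LEVELS for k in ops)}
TOKEN = re.compile(r"\(|\)|==|!=|<=|>=|<|>|&&|\|\||\^\^|!|[A-Za-z0-9_.:]+")


def field_values(pkt, name):  # all occurrences of a field (empty list if absent)
    return [pkt[n] for n in MULTI.get(name, (name,)) if n in pkt]


def coerce(value, raw):  # numbers as numbers, addresses as addresses, else text
    if isinstance(value, int):
        return value, int(raw, 0)
    try:
        return ip_address(value), ip_address(raw)
    except ValueError:
        return str(value), raw


class Filter:
    """Compile an expression into self.pred, a pkt -> bool predicate. ne="all" is the
    meaning of != since Wireshark 3.6 (every occurrence must differ); ne="any" is
    the pre-3.6 meaning (some occurrence differs)."""

    def __init__(self, expr, ne="all"):
        self.toks, self.i, self.ne = TOKEN.findall(expr), 0, ne
        self.pred = self._binary()
        if self._peek() is not None:
            raise SyntaxError(f"unexpected token {self._peek()!r}")

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else None

    def _binary(self, level=0):
        """Left-associative chain of the operators at one precedence level."""
        if level == len(LEVELS):
            return self._primary()
        ops, fn = LEVELS[level]
        left = self._binary(level + 1)
        while self._peek() in ops:
            self._take()
            right = self._binary(level + 1)
            left = (lambda l, r: lambda p: fn(l(p), r(p)))(left, right)
        return left

    def _primary(self):
        tok = self._take()
        if tok in ("not", "!"):  # binds tighter than every binary operator
            inner = self._primary()
            return lambda p: not inner(p)
        if tok == "(":
            inner = self._binary()
            if self._take() != ")":
                raise SyntaxError("missing ')'")
            return inner
        if tok is None or tok in KEYWORDS or tok in OPS or tok == ")":
            raise SyntaxError(f"expected a field or protocol, got {tok!r}")
        if self._peek() in OPS:  # field <op> value
            op, raw = self._take(), self._take()
            if raw is None:
                raise SyntaxError(f"missing value after {op!r}")
            return self._compare(tok, op, raw)
        # Bare name: protocol or field presence test, e.g. "dns" or "ip.addr".
        return lambda p, n=tok: n in p["protos"] or bool(field_values(p, n))

    def _compare(self, name, op, raw):
        def pred(pkt):
            hits = [OPS[op](*coerce(v, raw)) for v in field_values(pkt, name)]
            if not hits:  # a comparison on an absent field is false
                return False
            return all(hits) if op == "!=" and self.ne == "all" else any(hits)
        return pred


def apply_filter(expr, packets=PACKETS, ne="all"):  # indexes of matching packets
    pred = Filter(expr, ne).pred
    return [i for i, p in enumerate(packets) if pred(p)]
```

Compare apply_filter("ip.addr != 10.0.0.1") with ne="all" and ne="any": the DNS packet (source 10.0.0.5, destination 10.0.0.1) is matched only under the old rule, because its source differs. Note also that "!(ip.addr == 10.0.0.1)" keeps the ARP frame, which has no ip.addr at all, while "ip.addr != 10.0.0.1" drops it under both rules, since a comparison on an absent field is false.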



Ref : Display filter reference : http://www.wireshark.org/docs/dfref/


