Display Filters
Display filters are used after traffic has already been captured. They do not remove packets from the capture. They only control what is shown on screen.
Wireshark captures a huge amount of traffic, often within just a few seconds. Without filters, the packet list can become overwhelming and difficult to read.
That is why filtering is one of the most important skills to learn. Filters help a user narrow the traffic down and focus only on the packets that matter for a specific task.
Instead of looking through every packet, a user can instantly isolate specific traffic such as DNS requests, HTTP conversations, TCP connections, or packets from a particular IP address.
In short, filters turn Wireshark from a flood of data into something a user can actually analyze.
Capture filters are applied before the traffic is captured. They tell Wireshark what to collect and what to ignore from the start.
These are useful when a user wants smaller, more targeted captures, but they are less forgiving because traffic that is not captured cannot be reviewed later.
Here are some common display filters a user can use right away:
dns
Shows DNS queries and responses.
http
Shows HTTP traffic if it is visible in the capture.
tcp
Shows all TCP packets.
ip.addr == 192.168.1.10
Shows packets to or from a specific device.
tcp.port == 443
Shows traffic using a specific port.
tcp.analysis.retransmission
Helps identify possible network performance issues.
dns or tcp
If the filter is valid, Wireshark will update the packet list immediately. If there is a syntax problem, the filter bar will alert you.
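The behaviour described above, modelled in Python as an added example (not Wireshark code and not from the original page): display filters select a view and leave the capture intact, while a capture filter discards packets for good. The packet records, dictionary keys and helper functions are constructed for illustration; only the filter strings come from the list above. Capture filters use libpcap syntax (for example `port 53`), so that side is modelled as a plain predicate.

```python
# Constructed sample capture: protocol layers plus the fields the filters read.
def pkt(no, layers, src, dst, sport, dport):
    return {"no": no, "layers": layers.split(), "src": src, "dst": dst,
            "ports": (sport, dport)}

CAPTURE = [
    pkt(1, "ip udp dns", "192.168.1.10", "192.168.1.1", 53124, 53),
    pkt(2, "ip udp dns", "192.168.1.1", "192.168.1.10", 53, 53124),
    pkt(3, "ip tcp", "192.168.1.10", "203.0.113.5", 50000, 443),
    pkt(4, "ip tcp http", "192.168.1.20", "203.0.113.8", 50001, 80),
    pkt(5, "ip udp", "192.168.1.20", "192.168.1.255", 137, 137),
]
PROTOCOLS = {"ip", "udp", "tcp", "dns", "http"}

def term_matches(p, term):
    """Evaluate one term of the filter subset used on this page."""
    if "==" in term:
        field, value = (s.strip() for s in term.split("==", 1))
        if field == "ip.addr":    # true for source OR destination
            return value in (p["src"], p["dst"])
        if field == "tcp.port":   # true for either port, TCP packets only
            return "tcp" in p["layers"] and int(value) in p["ports"]
        raise ValueError(f"unknown field: {field}")
    if term not in PROTOCOLS:     # stands in for the filter bar's error state
        raise ValueError(f"invalid filter: {term!r}")
    return term in p["layers"]    # bare protocol name: layer is present

def display_filter(capture, expr):
    """Return the packet numbers shown; the capture is not modified."""
    terms = [t.strip() for t in expr.split(" or ")]
    return [p["no"] for p in capture if any(term_matches(p, t) for t in terms)]

def capture_only(capture, keep):
    """Capture-filter model: packets failing `keep` are never stored."""
    return [p for p in capture if keep(p)]

if __name__ == "__main__":
    for expr in ("dns", "ip.addr == 192.168.1.10", "tcp.port == 443", "dns or tcp"):
        print(f"{expr:26} -> {display_filter(CAPTURE, expr)}")
    dns_only = capture_only(CAPTURE, lambda p: 53 in p["ports"])  # like `port 53`
    print("tcp after DNS-only capture ->", display_filter(dns_only, "tcp"))
```

The last line of output is the point of the comparison: once a capture was restricted to DNS, no display filter can bring the TCP packets back.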