In plain English this filter reads, "Pass all traffic containing an IP address equal to 192.168.1.x." This will match on both source and destination. (Throughout this page, 192.168.1.x stands for a complete address such as 192.168.1.10; Wireshark will not accept a literal x in the last octet.)
ip.addr == 192.168.1.x
Note the dst. This is short for destination. It reads, “Pass all traffic with a destination IP equal to 192.168.1.x.”
ip.dst == 192.168.1.x
Note the src. This is short for source, which I’m confident you already figured out. It is interchangeable with dst within most filters that use dst and src to determine destination and source parameters. This filter reads, “Pass all traffic with a source IP equal to 192.168.1.x.”
ip.src == 192.168.1.x
This filter reads, "Pass all traffic with an IP greater than or equal to 10.80.211.140 and less than or equal to 10.80.211.142." Note the "and" within the expression. It's a logical AND. You could also use "&&" instead of "and." This will match on both the source and destination, and because each comparison is evaluated separately, a packet passes as long as at least one of its two addresses satisfies each side.
ip.addr >= 10.80.211.140 and ip.addr <= 10.80.211.142
Pretty simple, it's just two Filter by IP expressions joined with an "and." Because ip.addr covers both the source and destination, a packet has to contain both addresses to pass, so this reads "pass all traffic between 192.168.1.x and 10.43.54.69," i.e. just that one conversation. If you want everything involving either host, join the two expressions with "or" instead.
ip.addr == 192.168.1.x and ip.addr == 10.43.54.69
Note the ! which is a logical NOT. This reads “pass all traffic that does not have an IP address equal to 192.168.1.x.”
!(ip.addr == 192.168.1.x)
This is very similar to the Filter by IP expression except it uses the CIDR format of a subnet in place of a single IP.
ip.addr == 10.43.54.0/24
Note the tcp and udp in the beginning of the expression. This tells the filter what protocol you want to filter for when returning results that match your port number.
tcp.port == 25
udp.port == 123
Much like the Filter by IP filter this one contains “dst” to specify destination. Alternatively you could use “src” in the expression to specify source.
tcp.dstport == 25
This will search for all packets that contain both 192.168.1.x and TCP port 25 in either the source or destination. It's advisable to specify source and destination for the IP and port, or you'll end up with more results than you're probably looking for. Field names are case-sensitive, so it's tcp.port, not Tcp.port. For example:
ip.addr == 192.168.1.x and tcp.port == 25
This will show all packets with a source address of 192.168.1.x heading to a TCP port of 25.
ip.src == 192.168.1.x and tcp.dstport == 25
Simply enter the protocol abbreviation in the filter field.
Since TCP is a protocol, you just enter TCP into the filter string field.
tcp
Since UDP is a protocol, you just enter UDP into the filter string field.
udp
HTTP is a tricky one. If you truly just want the packets Wireshark dissected as HTTP, enter "http" into the filter field:
http
However, this won't show the TCP setup and termination around those requests. To see that information as well, filter on the port instead:
tcp.port == 80
You can read more about this in our article "How to Filter HTTP Traffic in Wireshark."
HTTPS is a lot like HTTP in that you'll want to use the port rather than the protocol if you want the bigger picture. Note that there is no "https" protocol name in Wireshark; HTTPS is HTTP carried inside TLS, so the protocol filter is:
tls
(Use "ssl" in Wireshark versions before 3.0, where the dissector still had that name.) Keep in mind that HTTPS traffic is encrypted, so you won't be able to read the payload unless you can decrypt it. The server's private key only helps for RSA key exchange; with the forward-secret cipher suites modern servers negotiate you need the per-session secrets instead, for example a key log written by the browser via SSLKEYLOGFILE. To see the whole connection including setup and teardown:
tcp.port == 443
http.request.method == "GET"
If you want to filter for the other request methods, replace "GET" with the method you want, such as PUT, POST, DELETE, HEAD, OPTIONS, CONNECT, or TRACE. The comparison is case-sensitive and the value must be in straight double quotes.
Just like above, you'll use the "http.request.method" field and enter POST for the method.
http.request.method == "POST"
This expression requires the host name exactly as it appears in the HTTP Host header, such as www.foxnews.com. Leaving off the www means packets whose Host header says www.foxnews.com will not be displayed.
http.host == "exact.name.here"
My preference is to use "contains" in place of "==" so that you can return all results that contain foxnews.com.
http.host contains "partial.name.here"
This will return packets that have www.foxnews.com as well as foxnews.com and even media2.foxnews.com. Keep in mind that "contains" is a plain substring match, so it also matches notfoxnews.com or foxnews.com.attacker.example; when that matters, use "matches" with an anchored regular expression instead. Both forms only work for plaintext HTTP, because the Host header is encrypted in HTTPS; the closest equivalent there is the TLS SNI field, tls.handshake.extensions_server_name.
This filter is equivalent to saying "pass all traffic with an arrival time greater than or equal to July 14, 2018 18:04:00 and less than or equal to July 14, 2018 18:40:00." The "&&" is the same logical AND as "and."
frame.time >= "July 14, 2018 18:04:00" && frame.time <= "July 14, 2018 18:40:00"
A neat trick you can do with frame times is to click on a packet in the packet list pane, expand Frame in the packet details pane, then right-click the Arrival Time and choose Prepare as Filter -> Selected to fill the filter string field with the beginning of the filter, already in the date format Wireshark expects. You can then edit the comparison operator and add the second half of the window.
You simply enter icmp into the filter string field.
icmp
ICMP for IPv6 would be:
icmpv6
You simply enter igmp into the filter string field to see all IGMP based packets.
igmp
There is no direct method for filtering for a specific application's traffic, because Wireshark sees packets, not the processes that sent them. At best you can identify what type of traffic that application uses and filter for that, such as filtering for port 25 when looking for traffic from an email application that uses port 25.
An alternative tool to Wireshark for inspecting application related traffic on the windows platform would be.
This might be an oversimplified example, but most people searching for "Wireshark Filter Not Equal" are probably trying to figure out how to show only the packets that do not match a certain IP, subnet, protocol, or port. In those cases, !(filter_expression) is a good fit:
!(filter_expression)
As an example, this will show all packets that do not contain 10.2.2.2 in either the source or destination fields:
!(ip.addr == 10.2.2.2)
Prefer this form over ip.addr != 10.2.2.2. The ip.addr field occurs twice in every packet (source and destination), and in Wireshark versions before 4.0 "!=" was true if any occurrence differed, so ip.addr != 10.2.2.2 matched nearly every packet in the capture. Wireshark 4.0 changed "!=" to mean "no occurrence is equal," the same as !(ip.addr == 10.2.2.2), but the negated form behaves the same way in every version.
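The "any occurrence" rule behind the two-IP filter, the NOT filter, the subnet filter and the not-equal caveat above is easier to see in code. The following is an added illustration written for this page, not Wireshark's own code: a small model of how a comparison is applied to a field that appears twice in a packet, run over a constructed list of packets (nothing here was captured).

```python
"""
Model of how Wireshark applies a comparison to a field that occurs more
than once in a packet.  ip.addr is present twice (source, then
destination), so "ip.addr == X" is true when ANY occurrence equals X.
Added illustration, not Wireshark's own code; the packet list below is
constructed, nothing here was captured.
"""
from ipaddress import ip_address, ip_network

# Constructed packets as (source, destination) pairs.
PACKETS = [
    ("10.2.2.2", "10.0.0.5"),         # 1: 10.2.2.2 talking to 10.0.0.5
    ("10.0.0.5", "10.2.2.2"),         # 2: the reply
    ("10.0.0.5", "10.0.0.9"),         # 3: unrelated traffic
    ("192.168.1.10", "10.43.54.69"),  # 4: conversation between the two hosts
    ("10.43.54.69", "192.168.1.10"),  # 5: ... and its reply
    ("192.168.1.10", "8.8.8.8"),      # 6: 192.168.1.10 talking to someone else
]


def addr_values(pkt):
    """Every occurrence of ip.addr in a packet: source, then destination."""
    return [ip_address(pkt[0]), ip_address(pkt[1])]


def any_eq(values, target):
    """ip.addr == target: true if ANY occurrence equals target."""
    return any(v == target for v in values)


def any_ne(values, target):
    """ip.addr != target in Wireshark before 4.0: true if ANY occurrence differs."""
    return any(v != target for v in values)


def all_ne(values, target):
    """!(ip.addr == target), and ip.addr != target from 4.0 on: NO occurrence equals target."""
    return not any_eq(values, target)


def in_subnet(values, cidr):
    """ip.addr == 10.43.54.0/24: true if any occurrence lies inside the subnet."""
    return any(v in cidr for v in values)


def matching(pred, packets=PACKETS):
    """Return the 1-based indexes (like frame.number) of packets a filter passes."""
    return [i for i, pkt in enumerate(packets, start=1) if pred(addr_values(pkt))]


def demo_counts(packets=PACKETS):
    """Evaluate the filters discussed on this page against the constructed packets."""
    x = ip_address("10.2.2.2")
    a = ip_address("192.168.1.10")
    b = ip_address("10.43.54.69")
    net = ip_network("10.43.54.0/24")
    return {
        "ip.addr == 10.2.2.2": matching(lambda v: any_eq(v, x), packets),
        "ip.addr != 10.2.2.2 (pre-4.0 any_ne)": matching(lambda v: any_ne(v, x), packets),
        "!(ip.addr == 10.2.2.2)": matching(lambda v: all_ne(v, x), packets),
        # both addresses present: only the conversation between a and b
        "ip.addr == a and ip.addr == b": matching(lambda v: any_eq(v, a) and any_eq(v, b), packets),
        # either address present: everything involving a or b
        "ip.addr == a or ip.addr == b": matching(lambda v: any_eq(v, a) or any_eq(v, b), packets),
        "ip.addr == 10.43.54.0/24": matching(lambda v: in_subnet(v, net), packets),
    }


if __name__ == "__main__":
    for expr, frames in demo_counts().items():
        print(f"{expr:40} -> frames {frames}")
```

The pre-4.0 "!=" row is the one to notice: every packet has at least one address that is not 10.2.2.2, so the old any_ne reading passes all six packets, while the negated form passes only the four that never involve that host.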
To show a single packet by its number in the packet list:
frame.number == 500
You can also use >, <, and, or, and many of the other operators and logical expressions to select a range of frames.
To see all packets related to the SIP protocol simply enter sip into the filter string field.
sip
This filter will show the TCP packets that have the SYN flag set, which means both SYN and SYN/ACK:
tcp.flags.syn == 1
If you only want the initial SYN (SYN set, ACK clear), use:
tcp.flags.syn == 1 and tcp.flags.ack == 0
To show every packet with the ACK flag set:
tcp.flags.ack == 1
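The SYN, SYN-only, ACK and RST filters above all test single bits of the tcp.flags word. The following added example (written for this page, not Wireshark's own code) decodes that word the way the tcp.flags.* fields do, runs the page's filters over a constructed set of segments (a normal handshake to port 25 plus one probe answered with RST/ACK), and shows the difference between testing one bit and comparing the whole word. It also goes one step beyond the page by pairing SYN-only segments with their SYN/ACKs to pick out connection attempts that were never answered.

```python
"""
Decoding the TCP flags word the way Wireshark's tcp.flags.* fields do, and
running the SYN / SYN-only / ACK / RST filters from this page over a
constructed set of segments.  Added illustration, not Wireshark's own code;
the segments are made up.
"""

# Bit values inside the tcp.flags word, as Wireshark numbers them.
FLAG_BITS = {
    "fin": 0x001, "syn": 0x002, "reset": 0x004, "push": 0x008,
    "ack": 0x010, "urg": 0x020, "ecn": 0x040, "cwr": 0x080, "ae": 0x100,
}

# Constructed segments: (src, sport, dst, dport, tcp.flags)
SEGMENTS = [
    ("10.0.0.5", 51000, "10.0.0.9", 25, 0x002),  # 1: SYN
    ("10.0.0.9", 25, "10.0.0.5", 51000, 0x012),  # 2: SYN/ACK
    ("10.0.0.5", 51000, "10.0.0.9", 25, 0x010),  # 3: ACK, handshake done
    ("10.0.0.5", 51000, "10.0.0.9", 25, 0x018),  # 4: PSH/ACK carrying data
    ("10.0.0.7", 40000, "10.0.0.9", 25, 0x002),  # 5: SYN from a scanner
    ("10.0.0.9", 25, "10.0.0.7", 40000, 0x014),  # 6: RST/ACK, probe refused
]


def flag(word, name):
    """tcp.flags.<name>: 1 if that bit is set in the flags word, else 0."""
    return 1 if word & FLAG_BITS[name] else 0


def flag_names(word):
    """Names of the flags set in a word, e.g. 0x012 -> ['syn', 'ack']."""
    return [n for n, bit in FLAG_BITS.items() if word & bit]


# The page's filters, plus the exact-word form, as predicates on tcp.flags.
FILTERS = {
    "tcp.flags.syn == 1": lambda w: flag(w, "syn") == 1,
    "tcp.flags.syn == 1 and tcp.flags.ack == 0":
        lambda w: flag(w, "syn") == 1 and flag(w, "ack") == 0,
    "tcp.flags.ack == 1": lambda w: flag(w, "ack") == 1,
    "tcp.flags.reset == 1": lambda w: flag(w, "reset") == 1,
    # Comparing the whole word demands that ONLY these bits are set.
    "tcp.flags == 0x002": lambda w: w == 0x002,
    "tcp.flags == 0x012": lambda w: w == 0x012,
}


def apply(expr, segments=SEGMENTS):
    """Frame numbers (1-based) of the segments the given filter passes."""
    return [i for i, seg in enumerate(segments, start=1) if FILTERS[expr](seg[4])]


def unanswered_syns(segments=SEGMENTS):
    """Connection attempts (SYN only) that never received a SYN/ACK.

    After 'tcp.flags.syn == 1 and tcp.flags.ack == 0' shows a burst of SYNs,
    the ones with no SYN/ACK are closed ports, filtered probes, or half-open
    scans.  A SYN/ACK answers the SYN whose 4-tuple is its own reversed.
    """
    pending = set()
    for src, sport, dst, dport, w in segments:
        if flag(w, "syn") and not flag(w, "ack"):
            pending.add((src, sport, dst, dport))
        elif flag(w, "syn") and flag(w, "ack"):
            pending.discard((dst, dport, src, sport))
    return sorted(pending)


if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:45} -> frames {apply(expr)}")
    print("unanswered SYNs:", unanswered_syns())
```

Note that tcp.flags == 0x002 and the SYN-only filter agree on this data, but they are not the same test: a SYN with ECN bits set (0x0C2, common from hosts that negotiate ECN) passes the bit test and fails the whole-word comparison.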
Simply enter arp in the display filter string field.
arp
To show 802.11 beacon frames (management frames, subtype 8):
wlan.fc.type_subtype == 0x08
To show Ethernet broadcast frames:
eth.dst == ff:ff:ff:ff:ff:ff
This next one will show multicast and broadcast. It tests the least-significant bit of the first octet of the destination address (the I/G bit), which is set on every group address. Since broadcast is a type of multicast, it's a valid expression:
(eth.dst[0] & 1)
If you don't want broadcast frames in your multicast results, you can use:
(eth.dst[0] & 1) && !(eth.dst == ff:ff:ff:ff:ff:ff)
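The broadcast and multicast filters above depend on one bit of the destination address. The following added example (written for this page, not Wireshark's own code) implements the same three tests over a constructed list of destination addresses, shows that the neighbouring U/L bit is independent of the group bit, and goes slightly beyond the page by computing the RFC 1112 MAC address an IPv4 multicast group maps to, which is what you'd put in an eth.dst filter to catch one group.

```python
"""
Why "(eth.dst[0] & 1)" selects multicast: the least-significant bit of the
first octet of an Ethernet address is the I/G (individual/group) bit.  The
broadcast address ff:ff:ff:ff:ff:ff has it set as well, which is why the
page's second filter has to exclude broadcast explicitly.  Added
illustration, not Wireshark's own code; the frame list is constructed.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed frames: (eth.dst, what such a frame typically is)
FRAMES = [
    ("ff:ff:ff:ff:ff:ff", "ARP request, broadcast"),                     # 1
    ("01:00:5e:00:00:fb", "mDNS to 224.0.0.251"),                        # 2
    ("33:33:00:00:00:01", "IPv6 all-nodes multicast"),                   # 3
    ("00:70:f4:23:18:c4", "ordinary unicast"),                           # 4
    ("01:80:c2:00:00:00", "spanning tree BPDU"),                         # 5
    ("02:42:ac:11:00:02", "locally administered unicast, container NIC"),# 6
]


def octets(mac):
    """Parse aa:bb:cc:dd:ee:ff into six integers; rejects malformed input."""
    parts = mac.lower().split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return [int(p, 16) for p in parts]


def is_group(mac):
    """(eth.dst[0] & 1): I/G bit set, i.e. multicast including broadcast."""
    return bool(octets(mac)[0] & 1)


def is_broadcast(mac):
    """eth.dst == ff:ff:ff:ff:ff:ff"""
    return mac.lower() == BROADCAST


def is_multicast_not_broadcast(mac):
    """(eth.dst[0] & 1) && !(eth.dst == ff:ff:ff:ff:ff:ff)"""
    return is_group(mac) and not is_broadcast(mac)


def is_locally_administered(mac):
    """The U/L bit (value 2 in the first octet). Independent of the group
    bit: 02:42:... has it set yet is unicast, and ff:ff:... / 33:33:...
    have it set as a side effect of their fixed prefixes."""
    return bool(octets(mac)[0] & 2)


def ipv4_multicast_mac(group):
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group."""
    a, b, c, d = (int(x) for x in group.split("."))
    if not 224 <= a <= 239:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    return "01:00:5e:%02x:%02x:%02x" % (b & 0x7F, c, d)


def select(pred, frames=FRAMES):
    """Frame numbers (1-based) whose destination satisfies the predicate."""
    return [i for i, (dst, _) in enumerate(frames, start=1) if pred(dst)]


if __name__ == "__main__":
    print("multicast incl. broadcast:", select(is_group))
    print("multicast excl. broadcast:", select(is_multicast_not_broadcast))
    print("locally administered     :", select(is_locally_administered))
    print("239.255.255.250 (SSDP) maps to", ipv4_multicast_mac("239.255.255.250"))
```

Because only 23 bits of the group address survive the mapping, 32 different IPv4 groups share each multicast MAC, so an eth.dst filter built this way is a coarser match than ip.dst == group.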
DHCP is implemented as an extension of BOOTP, so older Wireshark versions filter on bootp. Since Wireshark 3.0 the dissector is named dhcp; bootp is kept as an alias for the old field names, so either works on current versions:
bootp
dhcp
You can use the filter dns. You could also filter on port 53, since that is the port DNS usually uses (UDP for most queries, TCP for zone transfers and large responses). Encrypted DNS, such as DNS over TLS on port 853 or DNS over HTTPS on port 443, will not match dns unless you can decrypt it.
dns
If you're looking for all packets with a specific DSCP value you can use:
ip.dsfield.dscp == value
This is like saying, "there exists a field named ip.dsfield.dscp whose value is value." Use the decimal code point, for example 46 for Expedited Forwarding.
The smtp, imap, and pop filters will get you close when dealing with traditional email traffic. If you're working with another email type, encrypted email, or a nonstandard port, you'll have to filter for the ports you're using.
smtp
imap
pop
The ftp filter matches the FTP control channel; file contents travel on a separate connection that Wireshark dissects as ftp-data.
ftp
To make host name filters work you need to enable network name resolution under View -> Name Resolution -> Resolve Network Addresses (or in Edit -> Preferences -> Name Resolution). Then you can use the filter:
ip.host == "hostname"
This matches the resolved name of either the source or the destination address. Be aware that turning on network resolution makes Wireshark send reverse DNS queries for every address in the capture, which tells whoever runs your resolver what you are looking at; for a sensitive capture, put the names in a hosts file in your Wireshark profile directory instead.
Filtering by IPv6 address works the same way with the ipv6.addr field (ipv6.src and ipv6.dst select one direction):
ipv6.addr == fe80::f61f:c2ff:fe58:7dcb
To show Kerberos (v5) traffic:
kerberos
If you’re using Kerberos v4 use
kerberos4
ldap
You could also filter for tcp.port == 389, since that's the most common LDAP port. LDAP over TLS (LDAPS) usually uses port 636 and will not be matched by ldap because it's encrypted.
To filter by MAC address in either the source or destination (use eth.src or eth.dst for one direction):
eth.addr == 00:70:f4:23:18:c4
This will show all packets that a dissector flagged as malformed (truncated or inconsistent with the protocol it was decoded as). Wireshark also accepts the full name _ws.malformed.
malformed
To show TCP resets (RST flag set):
tcp.flags.reset == 1
To show 802.11 frames carrying a particular SSID (the name goes in straight double quotes):
wlan.ssid == "SSID"
Since NTP typically uses UDP port 123, you can simply filter for that port. You can also use the protocol name ntp. If your time server uses a different port or uses TCP, adjust the filter accordingly.
udp.port == 123