How to use Wireshark's display filter
griffinsnest edited this page Feb 12, 2021 · 1 revision
When viewing a capture in Wireshark, you can use the display filter to narrow the packet list to the packets you care about. Type the filter into the large search bar near the top of the Wireshark capture window. A filter can test for the presence of a protocol or field, for example displaying only ARP packets, or it can compare two fields to each other. These comparisons can be combined with logical operators, like "and" and "or", and grouped with parentheses into complex expressions. Use them to search the capture thoroughly for specific packets, either to confirm that a transfer happened correctly or to find a packet with information you need but don't have.
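To make the pieces above concrete (presence tests, comparisons including field against field, logical operators and parentheses), here is an added example that is not part of the original page and is not Wireshark's code: a small Python model that evaluates display-filter-style expressions over constructed packets. The packet contents, the `matches` and `select` helpers and the choice that "and" binds tighter than "or" are assumptions of this sketch; the mixed expression is parenthesized so its grouping is explicit.

```python
import re
from collections import deque

# Constructed sample packets: flat field maps loosely named after Wireshark
# fields. A simplified model for illustration, not Wireshark's dissector.
PACKETS = [
    {"arp": True, "arp.opcode": 1},
    {"ip": True, "tcp": True, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9",
     "tcp.srcport": 51000, "tcp.dstport": 443},
    {"ip": True, "udp": True, "ip.src": "10.0.0.9", "ip.dst": "10.0.0.9",
     "udp.srcport": 53, "udp.dstport": 53},
]
TOKEN = re.compile(r"\s*(\(|\)|==|!=|>|<|[\w.]+)")
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def matches(expr, pkt):
    """Evaluate a display-filter-style expression against one packet."""
    toks = deque(TOKEN.findall(expr) + [None])   # None marks end of input

    def value(tok):
        if tok[0].isdigit():          # literal: integer or dotted address
            return int(tok) if tok.isdigit() else tok
        return pkt.get(tok)           # field name: None when absent

    def term():
        tok = toks.popleft()
        if tok == "not":
            return not term()
        if tok == "(":
            result = or_expr()
            toks.popleft()            # consume ")"
            return result
        if toks[0] in OPS:            # comparison: field vs literal or field
            op, rhs, lhs = toks.popleft(), value(toks.popleft()), value(tok)
            return lhs is not None and rhs is not None and OPS[op](lhs, rhs)
        return tok in pkt             # bare name: protocol/field presence

    def and_expr():
        result = term()
        while toks[0] == "and":
            toks.popleft()
            result = term() and result
        return result

    def or_expr():
        result = and_expr()
        while toks[0] == "or":
            toks.popleft()
            result = and_expr() or result
        return result
    return or_expr()

def select(expr):
    return [i for i, p in enumerate(PACKETS) if matches(expr, p)]
```

`select("arp")` keeps only the ARP packet, while `select("ip.src == ip.dst")` keeps the one packet whose two address fields are equal.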