DISPLAY FILTERS AND COLORING RULES

CONTENT:
 View, edit and create display filters (main toolbar)
 Display Filters button (another way to view, edit and create display filters)
 Display Filter Area (includes auto-complete and error detection)
 Last used display filter drop down list
 Enable/disable all coloring rules
 Launch the Coloring Rules window
 Create or edit coloring rules (double-click on a coloring rule to open)
 Enable/disable the selected coloring rule (line strikeout appears over rule)
 Delete the selected coloring rule (select Clear to reload default coloring rules)

Display Filter Area

The Syntax of the Simplest Display Filters

The simplest display filters are based on a protocol, application, field name, or characteristic.
Display filters are case sensitive. Most of these simple display filters use lower case characters.
Protocol Filters
arp: Displays all ARP traffic including gratuitous ARPs, ARP requests, and ARP replies
ip: Displays all IPv4 traffic including packets that have IPv4 headers embedded in them (such as
ICMP destination unreachable packets that return the incoming IPv4 header after the ICMP
header)
ipv6: Displays all IPv6 traffic including IPv4 packets that have IPv6 headers embedded in them,
such as 6to4, Teredo, and ISATAP traffic
tcp: Displays all TCP-based communications
Application Filters
bootp: Displays all DHCP traffic (which is based on BOOTP).
.
dns: Displays all DNS traffic including TCP-based zone transfers and the standard UDP-based
DNS requests and responses
tftp: Displays all TFTP (Trivial File Transfer Protocol) traffic
http[29]: Displays all HTTP commands, responses and data transfer packets, but does not
display the TCP handshake packets, TCP ACK packets or TCP connection teardown packets
icmp: Displays all ICMP traffic
Field Existence Filters
bootp.option.hostname: Displays all DHCP traffic that contains a host name (DHCP is
based on BOOTP)
http.host: Displays all HTTP packets that have the HTTP host name field. This packet is sent
by the clients when they send a request to a web server
ftp.request.command: Displays all FTP traffic that contains a command, such as the
USER, PASS, or RETR commands
Characteristic Filters
tcp.analysis.flags: Displays all packets that have any of the TCP analysis
flags associated with them—this includes indications of packet loss, retransmissions, or zero
window conditions
tcp.analysis.zero_window: Displays packets that are flagged to indicate the sender has
Learn the Field Names
Many of the display filters you will apply are based on field names (such as http.host). To learn a
field name, select the field in the Packet Display list and look at the Status Bar, as shown in
Figure 58.
In this example, we clicked on frame 10 in the Packet List pane and then expanded the HTTP
header in
the Packet Details pane. When we clicked on the Request Method line in the HTTP section of the
packet, the Status Bar indicated this field is called http.request.method.

We typed http.request.method in the display filter area to display all packets that contain this
Field.
We applied this filter in Figure 59. Notice that the Status Bar indicates that this trace file,
httpbrowse101.
pcapng, contains 2011 packets and only 101 packets match our filter.
This is a great filter to determine what elements are requested by an HTTP client.
Display Filter Comparison Operators
You can expand your filter to look for a particular value in a field. Wireshark supports numerous
comparison operators for this purpose. The following lists Wireshark's seven comparison
operators.
1. == or eq
Example: ip.src == 10.2.2.2
Display all IPv4 traffic from 10.2.2.2
2. != or ne
Example: tcp.srcport != 80
Display all TCP traffic from any port except port 80[31]
3. > or gt
Example: frame.time_relative > 1
Display packets that arrived more than 1 second after the previous packet in the trace file
4. < or lt
Example: tcp.window_size < 1460
Display when the TCP receive window size is less than 1460 bytes
5. >= or ge
Example: dns.count.answers >= 10
Display DNS response packets that contain at least 10 answers
6. <= or lt
Example: ip.ttl < 10
Display any packets that have less than 10 in the IP Time to Live field
7. contains
Example: http contains "GET"
Display all the HTTP client GET requests sent to HTTP servers
Use comparison operators when filtering for TCP-based applications. For example, if you want
to see
your HTTP traffic that runs over port 80, use tcp.port==80.

Question 1.
Did you capture any ICMP traffic?
Question 2.
What protocols are listed for your browsing session to www.google.com?
Now configure Wireshark to capture all your ICMP traffic, and save your traffic to a file called
myicmp.pcapng. Again, ping and browse to www.google.com. Stop the capture and examine the
trace file contents.
Question 3.
How many ICMP packets did you capture?
Question 4.
What ICMP Type and Code numbers are listed in your trace file?

Coloring Rules Interface:

Identify Applied Coloring Rules
Wireshark automatically colors packets based on a default set of coloring rules. If you become
familiar with this default set of colors, you can quickly identify packet types based on their
colors
instead of spending time digging into the packets.
To quickly determine why a packet is colored a certain way, expand the Frame section of the
packet
and look at the Coloring Rule Name and Coloring Rule String lines

Add a Column to Display Coloring Rules in Use

Adding a column to identify coloring rules is a great idea when you are new to Wireshark or you
just aren't familiar with the coloring rules set.

 Click on desire packet.

 Then click on frame and search for color scheme
 Right click on that color and apply as colum in the window.
Enable &Disable Individual Coloring Rules
Go to view and play with different color rules.

Task:
Question 1.
How many frames travel to or from 80.78.246.209?
Question 2.
How many DNS packets are in this trace file?
Question 3.
How many frames have the TCP SYN bit set to 1?
Question 4.
How many frames contain the string "set-cookie" in upper case or lower case?
Question 5.
How many frames contain a TCP delta time greater than 1 second?