
Filter Expression Buttons

Filter Expression Buttons are buttons you can create that are based on display filters; these can be used to quickly apply previously-saved display filters to your capture data to identify network and application problems.

For example, to create a Filter Expression Button option that displays just TCP SYN, SYN/ACK, FIN, or RST packets to analyze the TCP session setup parameters, network round-trip delay times, and session terminations:

  1. Type the following display filter string into the Filter textbox on the Display Filter Bar:

    (tcp.flags&0x02 && tcp.seq==0) || (tcp.flags&0x12 && tcp.seq==0) || (tcp.flags.ack && tcp.seq==1 && !tcp.nxtseq > 0 && !tcp.ack > 1) || tcp.flags.fin == 1 || tcp.flags.reset == 1
  2. Click on Apply to apply this filter to a capture you have loaded, and confirm that it is working properly. (The flag masks are written in hex: 0x02 is SYN and 0x12 is SYN+ACK; the tcp.seq==0 and tcp.seq==1 tests rely on Wireshark's default relative sequence numbers.)
  3. Click on Save and give the button a name, such as TCP Handshake (as illustrated in the following screenshot), then click on OK:
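To check what such a button will actually keep before saving it, the following added example (not from the book) renders the logic of the TCP Handshake filter in Python and runs it over a constructed TCP session. Field names mirror Wireshark's tcp.flags, tcp.seq, tcp.ack and tcp.nxtseq; the `Tcp` class, the sample session and the function names are assumptions made for this example. Clauses 1, 2, 4 and 5 are translated literally (a display-filter `&` is true when any masked bit is set); the third clause is rendered as what the filter is written to isolate, the handshake's final pure ACK (ACK set, seq 1, ack 1, no payload), which is this example's reading of it.

```python
"""Added example, not from the book: evaluate the "TCP Handshake" display
filter's logic over a constructed session to see which packets it keeps.

Sequence numbers are RELATIVE, as with Wireshark's default "Relative
sequence numbers" TCP preference; with that preference off, tcp.seq==0
and tcp.seq==1 would not match the handshake at all.
"""

from dataclasses import dataclass

# tcp.flags bit values as Wireshark shows them
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Tcp:
    """Constructed stand-in for the TCP fields the filter references."""
    no: int      # packet number (frame.number)
    flags: int   # tcp.flags bitmask
    seq: int     # tcp.seq, relative
    ack: int     # tcp.ack, relative
    length: int  # tcp.len, payload bytes

    @property
    def nxtseq(self) -> int:
        # tcp.nxtseq: seq plus payload; SYN and FIN each consume one number
        return self.seq + self.length + bool(self.flags & SYN) + bool(self.flags & FIN)


def flag_names(flags: int) -> str:
    """Human-readable flag list, e.g. 0x12 -> 'SYN,ACK'."""
    names = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK)]
    return ",".join(n for n, bit in names if flags & bit) or "-"


def matches_handshake_filter(p: Tcp) -> bool:
    """Python rendering of the display filter; see the lead-in for clause 3."""
    # (tcp.flags&0x02 && tcp.seq==0): a SYN at relative sequence 0
    syn = bool(p.flags & 0x02) and p.seq == 0
    # (tcp.flags&0x12 && tcp.seq==0): dfilter '&' is true if ANY masked bit is set
    syn_ack = bool(p.flags & 0x12) and p.seq == 0
    # third clause, as intended: the pure ACK that completes the handshake
    final_ack = bool(p.flags & ACK) and p.seq == 1 and p.ack == 1 and p.length == 0
    # tcp.flags.fin == 1 || tcp.flags.reset == 1: session teardown
    teardown = bool(p.flags & FIN) or bool(p.flags & RST)
    return syn or syn_ack or final_ack or teardown


def filter_session(packets: list) -> list:
    """Return the packet numbers the button would leave in the Packet List."""
    return [p.no for p in packets if matches_handshake_filter(p)]


# Constructed session: handshake, 100 bytes each way, FIN/ACK close, then a
# stray RST from the server side.
SAMPLE_SESSION = [
    Tcp(1, SYN, 0, 0, 0),            # C -> S
    Tcp(2, SYN | ACK, 0, 1, 0),      # S -> C
    Tcp(3, ACK, 1, 1, 0),            # C -> S, handshake complete
    Tcp(4, PSH | ACK, 1, 1, 100),    # C -> S data
    Tcp(5, ACK, 1, 101, 0),          # S -> C ack of data
    Tcp(6, PSH | ACK, 1, 101, 200),  # S -> C data
    Tcp(7, ACK, 101, 201, 0),        # C -> S ack of data
    Tcp(8, FIN | ACK, 101, 201, 0),  # C -> S close
    Tcp(9, FIN | ACK, 201, 102, 0),  # S -> C close
    Tcp(10, ACK, 102, 202, 0),       # C -> S final ack
    Tcp(11, RST | ACK, 202, 102, 0), # S -> C stray reset
]

if __name__ == "__main__":
    for p in SAMPLE_SESSION:
        mark = "KEEP" if matches_handshake_filter(p) else "    "
        print(f"{mark} #{p.no:<2} {flag_names(p.flags):<8} seq={p.seq} ack={p.ack} len={p.length}")
    print("kept:", filter_session(SAMPLE_SESSION))
```

The data-carrying segments and their acknowledgements (packets 4 to 7 and 10) drop out, leaving only the three handshake packets, both FINs and the RST, which is what you want when measuring setup round-trip time or looking for abrupt terminations.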

The filter expression buttons you create will appear on the right-hand side of the initial controls in the display filter bar, as illustrated in the following screenshot:

The filter expression button definitions are stored in the preferences file for the profile you are using. You can edit the button display order, edit the name or filter syntax, or delete the buttons in Wireshark's Preferences window.

Using the Expressions window button

To the right-hand side of the textbox on the display filter toolbar is the Expression button. Clicking on this button opens a Filter Expression window that allows you to select a protocol and a field within that protocol, pick one of the relation (comparison) operators valid for that field, and assign a comparison value. Click on OK to populate the display filter textbox with the resulting display filter syntax, and then click on Apply to apply the filter.

Right-click menus on specific packet fields

If you right-click on a specific field in the Packet List or Packet Details panes, you can select the Apply as Filter or Prepare a Filter option and the required submenu option to create display filter syntax, as illustrated in the following screenshot. This is a very quick way of creating display filter syntax:

If you are selecting a field and using the right-click functionality to create display filter syntax, it is usually better to use the Prepare a Filter option, which will allow you to edit the syntax before clicking on Apply to apply the filter.

Note

Clicking on a protocol field in the Packet Details pane displays that field's name and the display filter syntax for it in the bottom-left field of the Status bar. This is very helpful for starting a display filter string that uses a particular field.
