Because Capture Filters  operate at the kernel level before the data reaches Wireshark’s analysis engine, they are incredibly efficient for long-term monitoring or high-traffic environments.

Capture Filters

The Underlying Engine: BPF

Capture filters use the Berkeley Packet Filter, (BPF) syntax. The BPF capture standard is a widely used, highly efficient mechanism for filtering network packets at the operating system kernel level. It allows packet capture tools (like tcpdump and nmap & Wireshark) to analyze, record, and filter traffic based on specific protocols, addresses, or ports before the data is moved from kernel space to user space, significantly improving performance. 

The logic follows a simple structure:

• Type Qualifier: What kind of thing the ID name or number refers to (e.g., host, net, port).

• Direction Qualifier: The direction to/from the ID (e.g., src, dst).

• Protocol: The specific protocol to limit the filter to (e.g., ether, ip, tcp, udp).

Common Filter Primitives

To build a filter, you combine these primitives into expressions. Here are the most frequently used categories:

Host and Network Filters

• host 192.168.1.1: Captures all traffic to and from this IP.

• net 192.168.1.0/24: Captures an entire subnet.

• src host 10.0.0.5: Only captures traffic originating from this specific host.

Port and Protocol Filters

• port 80: Captures HTTP traffic (or any traffic on port 80).

• tcp port 443: Specifically captures HTTPS/TLS traffic.

• portrange 1-1024: Captures all “well-known” ports.

• icmp: Captures only ping requests and error messages.

Logical Operators

You can chain multiple primitives together to create highly specific filters using standard Boolean logic:

Advanced Byte-Offset Filtering

For power users, BPF allows you to look at specific bytes within a packet header. The syntax is proto [ offset : size ].

• Example: ip[0] & 0xf != 5

  • This looks at the first byte of the IP header (offset 0).

  • It checks if the header length is different from 5 (20 bytes), which is a common way to filter for IP options, often used in network testing or attacks.

  • Fortinet has a good document on this

Capture vs. Display Filters: The Key Differences

It is easy to confuse these two, but their roles are fundamentally different:

Note: FortiOS uses note BPF for its dia sniffer commands.  See my article on that.

Pro-Tip: The “Green” Checkmark

In the Wireshark startup screen, the capture filter box will turn green if your BPF syntax is valid and red if it contains an error. Always check the color before hitting “Start,” or you might find yourself staring at an empty capture window wondering where your data went.

Wireshark’s Display Filters are the surgical tools of network analysis. Unlike Capture Filters (which dictate what the NIC records to the disk), Display Filters allow you to hide the noise and focus on specific packets within an already captured file.  This is always usefule when someone has provided you a .pcap file capture on a different platfom (tcpdump, FortiGate,etc.  They use a Boolean-based syntax that can range from a simple protocol name to complex logical expressions.

Basic Syntax and Logic

Display Filters follow a functional pattern: protocol.field.subfield operator value.

Comparison Operators

You can use either English-style abbreviations or C-style symbols:

Logical Connectors

• AND (&&): Both conditions must be true (e.g., ip.addr == 10.0.0.1 && icmp).

• OR (||): Either condition can be true (e.g., tcp.port == 443 || udp.port == 443).

• NOT (!): Excludes the condition (e.g., !dns).

Common Filter Categories

Network Layer (IP)

• ip.addr: Filters for a specific IP as either source or destination.

• ip.src / ip.dst: Filters specifically by source or destination.

• ip.subnets: Filters for an entire range using CIDR notation (e.g., ip.addr == 192.168.1.0/24).

Transport Layer (TCP/UDP)

• tcp.flags.syn == 1: Finds connection requests.

• tcp.analysis.retransmission: Excellent for troubleshooting packet loss and latency.

• udp.port == 53: Specifically targets DNS traffic.

Application Layer (HTTP/DNS/TLS)

• http.request.method == "GET": Shows only HTTP GET requests.

• tls.handshake.type == 1: Filters for Client Hello packets to see which devices are initiating encrypted sessions.

• dns.qry.name contains "facebook": Finds specific domain lookups.

Advanced Filtering Techniques

Membership Operator (in)

Instead of writing multiple OR statements, you can use the in operator to check a set of values:

tcp.port in {80, 443, 8080}

Slicing (Bitmasking)

You can filter based on specific bytes within a protocol using the [n:m] syntax, where n is the offset and m is the length.

eth.src[0:3] == 00:00:5e (Filters for the first three bytes of a MAC address, often identifying the manufacturer).

The “Membership” Trap

A common mistake is using ip.addr != 1.1.1.1 to exclude a host. Because most packets have two IP addresses (source and destination), this filter will still show a packet if either the source or destination is not 1.1.1.1.

Correct way: !(ip.addr == 1.1.1.1).

The Visual Feedback System

The Wireshark filter bar provides real-time feedback as you type:

• Green: Valid syntax.

• Red: Invalid syntax (Wireshark won’t run it).

• Yellow: Valid syntax but might result in unexpected behavior (often seen with “not equal” logic).