

Check out these great references as well:

  • Our custom profiles repository for Wireshark
  • Our Udemy course on Wireshark
  • Our Udemy course on Wireless Packet capture

If you are a Wireshark power user, you know the importance of complex display filters for narrowing a search to very particular items.  The challenge is recalling those filters and editing them for different analysis cases.  And if you need to swap in different addresses each time, the typos and the time lost quickly become evident, if not frustrating.

Luckily Wireshark has a very little known capability called display filter macros.  In the entire Wireshark web site, there may be 10 total sentences dedicated to the capability.  Ok it might be 12 sentences.

Here is how it works.  You define the macro first, using placeholder variables; when you call the macro, the values you supply are substituted for those variables.  Let's start with a really simple one that you probably would never actually define because, like most of us, you know the filter by heart:  the ip.addr == a.b.c.d filter.

Creating Your First Simple Display Filter Macro

To define a macro, select Analyze > Display Filter Macros and you will get the following pop-up:

Screen Shot 2017 06 24 at 6.29.44 PM

As with any of the Wireshark lists, click the "+" sign to add a macro.

Enter the name of the macro (no spaces allowed):  I used IPA

Then enter the macro syntax: ip.addr == $1

The $1 is essentially a variable (a positional placeholder for the first argument), and a more complex macro can have several: $1, $2, $3 and so on.

Click OK.

Now in a capture, type the following into the display filter: ${IPA:} and apply the filter (replace the address with anything you want):

Screen Shot 2017 06 24 at 6.42.35 PM

OK, perfect.  Now that we know this works, let's take it a step further (and make it more useful).

Taking it to the Next Level

Let's say we wanted to find a particular IP address pair.  One option would be the Conversation Filter.  Or we could create a macro based on a more complex filter syntax.  We will have two variables: $1 and $2 for the two addresses.

The normal display filter would look like this: ip.addr== && ip.addr==

So let's create a macro we will call IPAP (for IP Address Pair) and use the syntax replacing the addresses with $1 and $2:

Screen Shot 2017 06 24 at 6.51.11 PM

Now if I want to find a set of packets between an IP address pair, I simply type ${IPAP:;} in the display filter:

Screen Shot 2017 06 24 at 6.54.51 PM

The key here is that a semicolon separates the argument values: the first value replaces $1 and the second replaces $2.

By now you have probably also noticed that Display Filter Macros are stored per profile, so different profiles can each have their own profile-specific set of macros.

Using Macros inside Display Filter Expressions

You can also use Display Filter Macros inside expressions.

For example, if you defined a macro called 'priv24' with the macro syntax '', you could enter something like the following in a display filter:

ip.addr == ${priv24}

The result would be the same as typing 'ip.addr =='

If you are a network administrator, you can imagine how using this could save a lot of time typing addresses.

Interesting Macro Syntax Variations

Another thing you can do is use the Wireshark Display Macro syntax to perform quick filters on your trace.  For example:

  • ip.addr == ${ip.src} will find all packets that have the same source IP address as the selected packet
  • == ${} will find all packets in the TCP stream of the currently selected packet (assumes you have a valid TCP packet selected)

These are not technically macros (they reference a field of the currently selected packet rather than a macro definition), so you would not save them as such; instead, simply save them as display filters in your pick list/bookmark list.

Useful Macros 

So let's create a cheat sheet of macros you may find useful and you can add them to your favorite profiles:

| Macro Name | Purpose | Macro Filter Syntax | Display Filter Syntax to call the Macro |
|---|---|---|---|
| n/a | Find all IP addresses that match the Source IP of the currently selected packet | ip.addr == ${ip.src} | n/a |
| n/a | Find all IP addresses that match the Destination IP of the currently selected packet | ip.addr == ${ip.dst} | n/a |
| n/a | Find all packets in the TCP stream of the currently selected packet | == ${} | n/a |
| n/a | Find all DNS packets belonging to the selected packet (usually query/response pairs) | == ${} | n/a |
| TCPConv | Filter a particular TCP conversation knowing source, destination and TCP ports | ((ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4) or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3)) | ${TCPConv:;;8080} |
| ARPrq | Find all ARP Requests | arp.opcode == 0x0001 | ${ARPrq} |
| ARPrp | Find all ARP Responses | arp.opcode == 0x0002 | ${ARPrp} |
| DNSrq | Find all DNS Requests | dns.flags.response == 0 | ${DNSrq} |
| DNSrp | Find all DNS Responses | dns.flags.response == 1 | ${DNSrp} |
| DNSer | Find all DNS Errors | dns.flags.rcode != 0 | ${DNSer} |
| ICMPrq | Find all ICMPv4 Requests | icmp.type == 8 | ${ICMPrq} |
| ICMPrp | Find all ICMPv4 Responses | icmp.type == 0 | ${ICMPrp} |
| ICMPred | Find all ICMPv4 redirects except from IP address w.x.y.z | icmp.type == 5 and ip.src != $1 | ${ICMPred:w.x.y.z} |
| SSLhs | Find all SSL Handshake packets | ssl.record.content_type==22 | ${SSLhs} |
| NoBeacons | Wireless: remove all Beacon Frames | wlan.fc.subtype != 8 | ${NoBeacons} |
| JustBeacons | Wireless: show only Beacon Frames | wlan.fc.subtype == 8 | ${JustBeacons} |
| SSIDn | Wireless: show only management frames with SSID x, where x is the SSID term | wlan_mgt.ssid == \x22$1\x22 | ${SSIDn:x} |
| Probes | Wireless: show only the probe frames | wlan.fc.subtype==4 or wlan.fc.subtype==5 | ${Probes} |
| plcmall | IP Telephony: find all PLCM packets | eth.addr[0:3] == 00-04-f2 \|\| bootp.hw.mac_addr[0:3] == 00-04-f2 | ${plcmall} |
| plcm | IP Telephony: find PLCM packets for a particular MAC 12-34-56 | eth.addr == 00-04-f2-$1 \|\| bootp.hw.mac_addr == 00-04-f2-$1 | ${plcm:12-34-56} |
| issall | IP Telephony: find all ISS packets | eth.addr[0:3] == 00-26-fd \|\| bootp.hw.mac_addr[0:3] == 00-26-fd | ${issall} |
| iss | IP Telephony: find ISS packets for a particular MAC 12-34-56 | eth.addr == 0026-fdf0-$1 \|\| bootp.hw.mac_addr == 0026-fdf0-$1 | ${iss:1234} |
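To see the substitution rules from this article in one place (positional $1..$n variables, semicolon-separated argument values, a macro used inside a larger expression, and ${ip.src}-style field references that are not macros), here is an added Python expander that mimics them on the cheat-sheet entries. It is example code written for this article, not part of Wireshark: the macro table is constructed from the definitions above, and the priv24 network and every address and port value are assumed sample values.

```python
import re

# Constructed macro table mirroring the definitions in this article;
# the priv24 value is an assumed sample network, not the article's.
MACROS = {
    "IPA": "ip.addr == $1",
    "IPAP": "ip.addr == $1 && ip.addr == $2",
    "priv24": "10.0.0.0/24",
    "TCPConv": "((ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4)"
               " or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3))",
    "ARPrq": "arp.opcode == 0x0001",
    "ICMPred": "icmp.type == 5 and ip.src != $1",
}

# Matches ${NAME} or ${NAME:arg1;arg2;...}.  Field references such as
# ${ip.src} use the same braces, so only the macro table tells them apart.
_CALL = re.compile(r"\$\{([A-Za-z0-9_.]+)(?::([^}]*))?\}")
_PARAM = re.compile(r"\$(\d+)")


class MacroError(ValueError):
    """Raised when a call does not supply the macro's expected arguments."""


def expand(filter_text, macros=MACROS):
    """Return filter_text with every macro call replaced by its expansion.

    Braced names that are not defined macros (for example ${ip.src}, a
    reference to the selected packet's field) are passed through unchanged.
    Argument values are split on ';' and substituted for $1, $2, ... in order.
    """
    def substitute(match):
        name, argtext = match.group(1), match.group(2)
        if name not in macros:
            return match.group(0)  # not a macro: leave the field reference alone
        body = macros[name]
        args = argtext.split(";") if argtext is not None else []
        needed = max((int(n) for n in _PARAM.findall(body)), default=0)
        if len(args) != needed or any(a == "" for a in args):
            raise MacroError(f"{name} expects {needed} argument(s), got {argtext!r}")
        return _PARAM.sub(lambda p: args[int(p.group(1)) - 1], body)

    return _CALL.sub(substitute, filter_text)


if __name__ == "__main__":
    # Constructed sample addresses and ports.
    print(expand("${IPAP:10.0.0.5;10.0.0.9}"))
    print(expand("${TCPConv:10.0.0.5;10.0.0.9;51000;8080}"))
    print(expand("ip.addr == ${priv24}"), "|", expand("ip.addr == ${ip.src}"))
```

Pre-expanding a macro this way is a quick check that the argument order and count are what you intended before relying on the filter in a profile.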


Be sure to check back here often as we will keep adding to the list.  Any you would add?

I hope you find this article and its content helpful.  Comments are welcome below.  If you would like to see more articles like this, please support us by clicking the patron link, where you will receive free bonus access to courses and more, or simply buy us a cup of coffee!
