Ethereal - Setting a Display Filter
How to make a display filter for Ethereal
Display Filters
Display filters are used to change the view of packets in captured files.
Note that the format for display filters differs from that of capture filters.
See Ethereal Setting Capture Filters for a description of how to make and reuse simple capture filters.
Display Filtering by Protocol
The easiest way to make a display filter is to type it directly into the Filter box at the bottom of the main Ethereal screen.
To filter by protocol, type the protocol name.
Note that the string must be in lower case; that is the filter string format understood by the display filtering system.
For example, type arp in the box and press return (or click the Apply button); only Address Resolution Protocol packets will be displayed.
Similarly, type tcp and press return (or click the Apply button); only Transmission Control Protocol packets will be displayed.
Filtering by IP Address
Type the IP Address directly into the Filter box at the bottom of the main Ethereal screen.
For example:
ip.addr == 10.0.0.4
will display only packets to or from that IP Address.
Filtering by multiple IP Addresses
Boolean expressions can be combined to match several addresses (or other fields).
To display traffic for more than one IP Address, join the individual address tests with or.
For example:
ip.addr == 10.0.0.4 or ip.addr == 10.0.0.5
will display packets to or from either of the specified IP Addresses.
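To show what the filters in the two sections above actually do, here is an added example that is not part of the original page and not Ethereal's own code: a small Python evaluator for the subset of display filter syntax used here (bare protocol names, field == value, field != value, or/and/not and parentheses), run over constructed packet summaries. The packet records, the protocol and field lists, and the apply_filter and is_valid_filter helpers are assumptions of the example. It goes slightly beyond the page by also showing why ip.addr == x matches packets in either direction and why ip.addr != x is not its negation.

```python
import re
# Constructed sample "packets" (not captured data): protocol layers plus the
# fields their dissectors would expose to the filter engine.
PACKETS = [
    {"no": 1, "protocols": {"eth", "arp"}, "fields": {"eth.type": "0x0806"}},
    {"no": 2, "protocols": {"eth", "ip", "tcp"},
     "fields": {"eth.type": "0x0800", "ip.src": "10.0.0.4", "ip.dst": "10.0.0.9"}},
    {"no": 3, "protocols": {"eth", "ip", "udp"},
     "fields": {"eth.type": "0x0800", "ip.src": "10.0.0.7", "ip.dst": "10.0.0.5"}},
    {"no": 4, "protocols": {"eth", "ip", "tcp"},
     "fields": {"eth.type": "0x0800", "ip.src": "10.0.0.4", "ip.dst": "10.0.0.5"}},
]
# Names the toy engine knows (a hypothetical subset). Lookups are case-sensitive,
# as in Ethereal, so "ARP" is rejected instead of silently matching nothing.
PROTOCOLS = {"eth", "arp", "ip", "tcp", "udp", "icmp"}
FIELDS = {"eth.type", "ip.src", "ip.dst", "ip.addr"}
MULTI_VALUE = {"ip.addr": ("ip.src", "ip.dst")}   # ip.addr stands for BOTH addresses
TOKEN_RE = re.compile(r"==|!=|\|\||&&|!|\(|\)|[\w.:]+")


class DisplayFilter:
    # Recursive-descent parser; precedence from loosest to tightest: or, and, not.
    def __init__(self, expr):
        self.tokens = TOKEN_RE.findall(expr)
        self.pos = 0
        self.tree = self._or()
        if self.pos != len(self.tokens):
            raise ValueError("unexpected token %r" % self.tokens[self.pos])

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        if self._peek() is None:
            raise ValueError("filter ends unexpectedly")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def _or(self):
        node = self._and()
        while self._peek() in ("or", "||"):
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._not()
        while self._peek() in ("and", "&&"):
            self._take()
            node = ("and", node, self._not())
        return node

    def _not(self):
        if self._peek() in ("not", "!"):
            self._take()
            return ("not", self._not())
        return self._atom()

    def _atom(self):
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if self._peek() in ("==", "!="):            # field comparison
            if tok not in FIELDS:
                raise ValueError("unknown field %r" % tok)
            return ("cmp", tok, self._take(), self._take())
        if tok not in PROTOCOLS:                      # bare protocol name
            raise ValueError("unknown protocol %r" % tok)
        return ("proto", tok)

    def matches(self, pkt, node=None):
        node = node or self.tree
        kind = node[0]
        if kind == "proto":
            return node[1] in pkt["protocols"]
        if kind == "cmp":
            _, field, op, value = node
            names = MULTI_VALUE.get(field, (field,))
            values = [pkt["fields"][n] for n in names if n in pkt["fields"]]
            # True if ANY occurrence of the field passes. For ip.addr, "!= x" is
            # therefore not the negation of "== x"; write !(ip.addr == x) for that.
            if op == "==":
                return any(v == value for v in values)
            return any(v != value for v in values)
        if kind == "not":
            return not self.matches(pkt, node[1])
        left, right = (self.matches(pkt, n) for n in node[1:])
        return (left and right) if kind == "and" else (left or right)


def apply_filter(expr, packets=PACKETS):
    # Return the numbers of the packets the display filter keeps in view.
    flt = DisplayFilter(expr)
    return [p["no"] for p in packets if flt.matches(p)]


def is_valid_filter(expr):
    try:
        DisplayFilter(expr)
        return True
    except ValueError:
        return False
```

With the constructed packets, apply_filter("ip.addr == 10.0.0.4 or ip.addr == 10.0.0.5") returns [2, 3, 4]: packet 2 matches on its source, packet 3 on its destination, and packet 4 on both. apply_filter("ip.addr != 10.0.0.4") still returns packets 2 and 4, because their other address differs; "!(ip.addr == 10.0.0.4)" is the filter that actually hides them. is_valid_filter("ARP") is False, which is the page's lower-case rule in action.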
Making a New Display Filter
You can build display filters and reuse them at any time.
My experience is that the procedure is a little arcane and the format confusing due to the differences between the capture filters and the display filters.
However, if you follow the steps below you will begin to understand how filtering works.
Step 1 Click Edit, Display Filters.
The Edit Display Filters List dialog appears.
Step 2 In the box marked Filter name type the name of the new filter you want to make.
For this example type ARP Traffic
Step 3 Click the Add Expression button.
The Filter Expression dialog appears.
This allows you to select protocols and parts of protocols to help you build complex filters.
Note that you can type the string directly into the Filter string box if you know what you want.
To begin with, it is usually easier to select from the Add Expression options.
Step 4 Click the + beside AARP.
This opens a list of further options.
Step 5 Click on Protocol type, then on ==, then click on ARP.
This sets the filter to look for aarp.proto.type == ARP, that is, protocol type 0806, Address Resolution Protocol.
Step 6 Click Accept.
You can see that a large number of additional options are available and that much more complex filters can be set.
Step 7 Click New.
This adds the new filter to the list.
Step 8 Click Close.
Copying an existing Filter
Copying an existing filter is easy. Simply click on the existing name and press the Copy button. A filter named Copy of... is made.
Editing the Filter Name
Step 1 Edit the text in the Filter Name box.
Step 2 Click the Change button.
The name changes to the new one in the Filter Name box.
Editing the Filter String
Step 1 Click the Add Expression button and select the changes required, or edit the text directly in the Filter string box.
Step 2 Click the Change button.
The string changes to the new one in the Filter string box.
Note that the string must be in lower case; that is the filter string format understood by the display filtering system.
Colorizing the Display
To make packets stand out using colors, see Ethereal Display Filters-Colorizing.