Capture and Display Filters 

Gearbit uses capture and displays filter syntax throughout its products. They provide quick and easy ways to filter by reducing to the desired view and content. 

Capture Filters

Gearbit Wireshark How to Install

Also, you will find instructions on how to install this file within Wireshark so they show up under Wireshark>Capture>Capture Filters.

Capture Filters & Packet Headers (pdf)

Expression and examples of capture filters used with TCPDump, Wireshark, Tshark and dumpcap.​

Two new cheat sheets today! The first covers tcpdump CLI arguments and capture filters. The second provides a quick reference for some of the more common Wireshark display filters.​

A wonderful guide to Wireshark capture filters examples

Wireshark users guide gives instructions and helpful capture filter tips.​

Mike Horn give an excellent a primer for designing capture filters for Ethereal/Wireshark 

More Filters

In this section you will find Display

Display Filters

Wireshark’s most powerful feature is its vast array of display filters (over 96000 as of version 1.2.2). They let you drill down to the exact traffic you want to see and are the basis of many of Wireshark’s other features, such as the coloring rules.​

Wireshark Users Guide “Building display filters expressions.” Here you will find information on display filter fields, comparing​

Wiki provides a “How To” examples and gotchas​


This page contains a set of sample coloring rules that people have shared with the Wireshark community. You can learn more about coloring rules and packet colorization in the User’s Guide.​

As both coloring rules and display filters share the same syntax, you might have a look at the DisplayFilters page.​

The coloring rules were previously called color filters and a file named colorfilters is still used to store them, as a result you will often see both terms used the same way.​

Loading and Saving Rule Sets

To use one of the coloring rules files listed here, download it to your local machine, select View→Coloring Rules in Wireshark, and click the Import… button.​

If you’d like to add an entry to this page you can export a rule set by clicking on the Export… button in the Coloring Rules dialog. (It helps if you save the file with a “.txt” extension.) To upload the exported file, click on the AttachFilelink on the left. If you wish to include a screen shot, please create a separate page for your filter and put the screen shot and filter on that page. A WikiSandBox is available if you want to practice attaching files.​

Coloring Rules

In this section, you will find great examples of how to turn on color to highlight events and packet detail.

Sample Coloring Rules​

Contributor: Ronnie Sahlberg​

Description: Sample color filter file.​

Contributor: Gerald Combs​

Description: More Protocols color filtered for general use.​

Contributor: John Prudente​

Description: Another general purpose filter. Includes highlighting of home style routers (D-Link, Netgear & Linksys); AppleTalk & IPX/SPX protocols; OSPF, STP & HRSP events. Useful for the corporate LAN. **Modified after stealing ideas from some of the other submissions.​

Contributor: Peter Bruno​

Updated: 7/17/06​

Description: General use coloring rules. Easy on the eyes colors.​

Contributor: JayMoran

Description: Example emphasized on detecting errors and coloring client/server. It doesn’t highlight particular protocols (as I usually filter interesting one). Edit Your MAC address before import (‘from my PC’ and ‘to my PC’ rules)
Thanks to Peter Bruno for some rules.​

Contributor: Arv

Description: Highlights SCSI check conditions in red and highlights iSCSI packets with no associated commands or no associated responses in purple. Note: logins and logouts do not have responses so they are also purple.

Contributor: proggoddess

File: DCE_RPC_Coloring_Rules.txt

Description: Coloring of DCE/RPC and related protocols and grouping various windows network based protocols.

Contributor: UlfLamping

Description: Coloring of Wireless Authentication Packets for 802.11, WPA, and 11i protocols. Supports Preauth as well.

Contributor: perccapt​

Tech Articals

Here you will find tech articles related to packet analysis.

Slow response time, slow connecting to the network, and slow telnet sessions to the switch.

Slow response time, slow connecting to the network, and slow telnet sessions to the switch.

ProfiTap contacted 12 network analysts and had them put their ProfiShark product through its paces. Then the analysts wrote about their specific experiences, feedback and general thoughts.

Finding Latency presentation by Ray Tompkins Sharkfest, Wireshark users conference.