Creating Quick Filter Buttons
By Phill “Sherlock” Shade
When I am asked to describe what I like about Wireshark, I often mention the incredible power of Wireshark’s filter functions, both capture and display. Within a given pcap, it is latterly possible, using display filters, to filter down to a specific bit if required. A handy feature within the filtering functions is also a list of previously used filters, making it easy to retrace your steps when investigating a file.
However, often overlooked within the Wireshark display is a tiny “+” symbol all the way to the far-right of the display filter bar. “So, what is the function you ask?” Well it’s my favorite “Trick” for display filtering – the ability to make permanent “Quick Filter” buttons allowing for simple 1-click display filtering!
- Launch Wireshark and Load the pcap File; and then use a display filter to achieve the desired results in the “Packet List”:
- Choose and Enter a Name for the Quick Filter in the “Label” box as shown, then click “OK”:
- Your new “Quick Filter” is now available adjacent to the “Display Filter” bar:
(Note – The process is the same for each button you desire to create. Don’t worry about making too many as they will simply extend the list off the bottom of the display.)
- To Modify / Edit, Add or Delete “Quick Filter Buttons”, either Select “Edit -> Preferences -> Filter Buttons or “Right Click” on the Filter Button in the Display:
(Note – As with most modifications a user can make within Wireshark, these are stored within the specific profiles, but can be moved as described earlier)
I hope that you found this information useful! This technique and many others are covered in our class:
“TCP/IP Analysis and Troubleshooting with Wireshark“. For additional information on this class and our numerous other offerings, please see our website:
https://www.cybersecurityinstitute.eu/ and look under the Courses Menu.