Display Filter Macros are a mechanism to create shortcuts for complex filters. You can define a filter macro with Wireshark and label it for later use. This can save time in remembering and retyping some of the more complex filters you use.
To define and save your own filter macros, follow the steps below:
-
In the main menu select → . Wireshark will open a corresponding dialog Figure 6.11, “Display Filter Macros window”.
- To add a new filter macro, click the button in the bottom-left corner. A new row will appear in the Display Filter Macros table above.
-
Enter the name of your macro in the
Macro Namecolumn. Enter your filter macro in theMacro Expressioncolumn. - To save your modifications, click the button in the bottom-right corner of the Figure 6.11, “Display Filter Macros window”.
Display filter macros are invoked with the macro name and a number of input arguments. There are several supported syntaxes.
The Macro Name must consist of ASCII alphanumerics or the '_' character.
(Note that the presence of a '.' character would indicate a
field reference.)
The Macro Expression is replacement text for the macro name. It substitutes
$1, $2, $3, … with the input arguments.
For example, defining a display filter macro named tcp_conv whose text is
(ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4) or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3)
would allow to use a display filter like
$tcp_conv(10.1.1.2,10.1.1.3,1200,1400)
or alternatively
${tcp_conv:10.1.1.2;10.1.1.3;1200;1400}
or
${tcp_conv;10.1.1.2;10.1.1.3;1200;1400}
instead of typing the whole filter. Both notations are equivalent. Once defined, a macro can be used in saved display (but not capture) filters and filter buttons.