6.6. Defining And Saving Filters

You create pre-defined filters that appear in the capture and display filter bookmark menus (filter toolbar bookmark). This can save time in remembering and retyping some of the more complex filters you use.

To create or edit capture filters, select Manage Capture Filters from the capture filter bookmark menu or CaptureCapture Filters…​ from the main menu. Display filters can be created or edited by selecting Manage Display Filters from the display filter bookmark menu or AnalyzeDisplay Filters…​ from the main menu. Wireshark will open the corresponding dialog as shown in Figure 6.10, “The “Capture Filters” and “Display Filters” dialog boxes”. The two dialogs look and work similar to one another. Both are described here, and the differences are noted as needed.

Figure 6.10. The “Capture Filters” and “Display Filters” dialog boxes

ws filters

+

Adds a new filter to the list. You can edit the filter name or expression by double-clicking on it.

The filter name is used in this dialog to identify the filter for your convenience and is not used elsewhere. You can create multiple filters with the same name, but this is not very useful.

When typing in a filter string, the background color will change depending on the validity of the filter similar to the main capture and display filter toolbars.

-
Delete the selected filter. This will be greyed out if no filter is selected.
Copy
Copy the selected filter. This will be greyed out if no filter is selected.
OK
Saves the filter settings and closes the dialog.
Cancel
Closes the dialog without saving any changes.