
Steps of Defining And Saving Filter Macros in Wireshark


Display filter macros are shortcuts for complex display filters. They let us quickly display information from a Wireshark capture file. The results of the filter can be saved into a separate text file and opened in any editor of choice. For example, we can create an HTML report or export data into Excel for more complex analysis.

Defining/Saving Filter Macros:

We can define a filter macro in Wireshark and tag it for later use. This saves us from recalling and retyping commonly used, complex display filters every time we want to use them. For example, we define a display filter macro named test_1 whose text is:

ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4

Now, instead of typing this whole expression in the display filter box, we can just type:

${test_1:10.0.0.24;10.10.0.2;8888;8830}

To define and save filter macros, follow the steps below:

Step 1: Start Wireshark by selecting the network we want to analyze or by opening a previously saved capture file.

Step 2: In Wireshark, click on the Analyze → Display Filter Macros menu or toolbar item.


This will bring up Wireshark’s “Display Filter Macros” dialogue box.


Step 3: To add a new filter macro, click on the “+” button in the bottom-left corner of the dialogue box. A new row will appear in the Display Filter Macros table.

Step 4: Enter the name of the macro in the Name column and the macro's filter text in the Text column.

Step 5: Click on the OK button in the bottom-right corner to save the macros.

The replacement text for the macro uses $1, $2, $3, and $4 as the input arguments.
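The substitution described above can be modeled in a few lines of Python to see exactly which filter a macro call turns into. This is an added example, not code from the original article or from Wireshark; the names expand and MACROS are assumptions, and the argument-count check is this example's own behaviour, not a claim about how Wireshark reports errors.

```python
import re

# Constructed macro table mirroring the Name / Text columns of the dialogue box.
MACROS = {
    "test_1": "ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4",
}

# ${name:arg1;arg2;...} as typed into the display filter box.
CALL = re.compile(r"\$\{(\w+)(?::([^{}]*))?\}")
# $1, $2, ... placeholders inside the macro text.
PARAM = re.compile(r"\$([1-9]\d*)")


def expand(filter_text, macros=MACROS):
    """Return filter_text with every ${name:args} call replaced by its macro text."""

    def replace_call(match):
        name, raw_args = match.group(1), match.group(2)
        if name not in macros:
            raise ValueError(f"undefined macro: {name}")
        # Arguments are separated by ';' so values containing ':' survive intact.
        args = [a.strip() for a in raw_args.split(";")] if raw_args is not None else []
        body = macros[name]
        # The highest placeholder number decides how many arguments are required.
        needed = max((int(n) for n in PARAM.findall(body)), default=0)
        if len(args) != needed:
            raise ValueError(f"{name} expects {needed} argument(s), got {len(args)}")
        return PARAM.sub(lambda m: args[int(m.group(1)) - 1], body)

    return CALL.sub(replace_call, filter_text)


if __name__ == "__main__":
    # The call from the article, followed by a call combined with another condition.
    print(expand("${test_1:10.0.0.24;10.10.0.2;8888;8830}"))
    print(expand("${test_1:10.0.0.24;10.10.0.2;8888;8830} and tcp.flags.syn == 1"))
```

Reviewing the expanded text before applying a macro confirms that each positional argument landed in the intended field, which matters when source and destination values are easy to swap.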


Last Updated : 17 Oct, 2022