
Wireshark's Filter Button Groups

Wireshark FBG's

I live to filter Wireshark pcaps. Now don’t get me wrong, I love to look at packets. However, my goal is to only look at the necessary ones, not all 27 million of them. When I am looking at a TCP issue, for example, that means a lot of different filters.

Notice the small filter input box.

Filter Button Groups Make Their Debut at SharkFest 2020 Virtual

New Filter Button Menus made their official debut at SharkFest 2020 Virtual when Roland Knall demonstrated them during Gerald Combs’ keynote. Chuck Craft had reminded me about them yesterday when I was teaching a pre-conference class on profiles. I had forgotten about Bug 16498 where this feature was first discussed (as far as I can tell). When Chuck mentioned it in class, I remembered reading the bug comments but did not realize how fabulous this was going to be. 

My trouble is that I have so many filters, they have taken up most of the room on the filter bar. I only have a small filter input box left. When I type in my filters, I have to scroll back and forth to see the whole filter. If I have a syntax error, that scrolling is a challenge. I usually copy the whole thing, and paste it into Atom to see it all at once. Then it’s easier to find where I messed up on the syntax. Not exactly an elegant solution, but it works.

All That Has Changed

No more copy | paste to Atom | fix syntax | copy to Wireshark for me. Now I can group my filters into a menu, giving me more space in the Display Filter Input Box.

How Does It Work?

It’s all in the slash, two slashes in fact. If you want to make a group, add groupname// to the front of the filter name in Preferences | Appearance | Filter Buttons. You can even nest them! Under the Handshake group, I have another group for Unexpected Handshake Options.
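To see how the labels nest, here is a small sketch added for illustration (not Wireshark's code, and not from my profile) that splits button labels on // the way the feature is described above and prints the resulting menu. The sample labels and filters are constructed, and the tree model is an assumption based on that description.

```python
# Added example: models how "group//name" labels nest. Not Wireshark code.
SEP = "//"

# Constructed sample buttons: (label typed in Preferences, display filter).
BUTTONS = [
    ("Handshake//SYN", "tcp.flags.syn == 1 && tcp.flags.ack == 0"),
    ("Handshake//SYN-ACK", "tcp.flags.syn == 1 && tcp.flags.ack == 1"),
    ("Handshake//Unexpected Handshake Options//No SACK",
     "tcp.flags.syn == 1 && !tcp.options.sack_perm"),
    ("Handshake//Unexpected Handshake Options//No MSS",
     "tcp.flags.syn == 1 && !tcp.options.mss"),
    ("Trouble//Retransmissions", "tcp.analysis.retransmission"),
    ("Trouble//Zero Window", "tcp.analysis.zero_window"),
    ("Resets", "tcp.flags.reset == 1"),
]

def build_menu(buttons):
    """Return a nested dict: groups map to dicts, buttons map to filters."""
    root = {}
    for label, dfilter in buttons:
        *groups, name = label.split(SEP)
        if not name or any(not g for g in groups):
            raise ValueError(f"empty group or button name in {label!r}")
        node = root
        for group in groups:
            node = node.setdefault(group, {})
            if not isinstance(node, dict):
                raise ValueError(f"{group!r} is already a button, not a group")
        if name in node:
            raise ValueError(f"duplicate entry {label!r}")
        node[name] = dfilter
    return root

def render(menu, depth=0):
    """Indented text view of the menu, one line per group or button."""
    lines = []
    for name, child in menu.items():
        if isinstance(child, dict):
            lines.append("  " * depth + name + " >")
            lines.extend(render(child, depth + 1))
        else:
            lines.append("  " * depth + f"{name}  [{child}]")
    return lines

def toolbar_entries(buttons):
    """Entries on the filter bar: every label flat vs. top-level groups only."""
    return len(buttons), len(build_menu(buttons))

if __name__ == "__main__":
    print("\n".join(render(build_menu(BUTTONS))))
    print("toolbar entries flat/grouped:", toolbar_entries(BUTTONS))
```

With these seven sample buttons the bar goes from seven entries to three, which is where the extra room for the filter input box comes from.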

I feel like a kid in a candy store. Now I have plenty of space to see my filter input box AND have all my filter buttons. Today was a beauty day in Bettyland.

There will be a new post soon describing everything in my TCP profile. Meanwhile, I just couldn’t wait to tell you about the new feature in 3.4. You might be thinking, hey, I’m using 3.2.7 and it doesn’t do that. How do I get 3.4? It’s not even released yet. All you have to do is use the latest build from the latest builds until 3.4 is released on the downloads page. Gerald said in his keynote that the new release would be within weeks.

It's a packet party just waiting to happen.

Written by Betty DuBois