
Display Filter Macros

Macros allow you to save on typing complex filter expressions.

Let's say we have a macro named tcp_ses defined as "(ip.addr eq $1 and ip.addr eq $2) and (tcp.port eq $3 and tcp.port eq $4)". Entering "$tcp_ses{,, 1234, 4567}" would be equivalent to entering "(ip.addr eq and ip.addr eq and (tcp.port eq 1234 and tcp.port eq 4567)" into the display filter box.

Macros are resolved when the filter is entered, before it is compiled.

Spaces in the macro expression in the filter will be expanded into the filter.

Warning: If there is a syntax error caused by the use of a macro, the error will not refer to the macro but to the expanded text.


( (ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4) or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3) )

ip.addr == ${net10} becomes ip.addr ==

== "${dot_org:www.wireshark}" becomes == ""

but be aware that == "${dot_org: www.wireshark }" becomes == " www.wireshark .org", which is probably not what you want.
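A minimal sketch of the textual expansion described above, added here as an illustration and not Wireshark's own code. It assumes the `${name:arg;arg}` call form with `;` as the argument separator and a dot_org body of `$1.org`; the addresses and the `http.host` field are constructed sample values.

```python
import re

# Hypothetical macro table. tcp_ses is the definition quoted on this page;
# dot_org's body is an assumption inferred from the expansion shown above.
MACROS = {
    "tcp_ses": "(ip.addr eq $1 and ip.addr eq $2) and "
               "(tcp.port eq $3 and tcp.port eq $4)",
    "dot_org": "$1.org",
}

# ${name} or ${name:arg1;arg2;...}; the ';' separator is an assumption.
CALL = re.compile(r"\$\{(\w+)(?::([^}]*))?\}")
PARAM = re.compile(r"\$(\d+)")


def expand(filter_text, macros=MACROS):
    """Return filter_text with every macro call replaced by its body."""
    def call(m):
        name, raw = m.group(1), m.group(2)
        if name not in macros:
            raise KeyError(f"undefined macro: {name}")
        # Arguments are NOT stripped: surrounding spaces are part of the value.
        args = raw.split(";") if raw is not None else []

        def param(p):
            idx = int(p.group(1))
            if not 1 <= idx <= len(args):
                raise ValueError(f"{name}: no argument for ${idx}")
            return args[idx - 1]

        return PARAM.sub(param, macros[name])

    return CALL.sub(call, filter_text)


def audit(filter_text):
    """List macro arguments carrying leading/trailing whitespace."""
    return [(m.group(1), a) for m in CALL.finditer(filter_text)
            for a in (m.group(2) or "").split(";") if a != a.strip()]


if __name__ == "__main__":
    # Constructed sample values (documentation address range).
    print(expand("${tcp_ses:192.0.2.1;192.0.2.2;1234;4567}"))
    print(expand('http.host == "${dot_org: www.wireshark }"'))
```

Because expansion is purely textual and happens before compilation, running `audit` on a filter before applying it catches the stray-space case that would otherwise produce a filter that silently matches nothing.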

Display Filter Macros of currently selected packet fields


Select a packet then apply display filter:

The filtered view will be all packets with a value equal to the of the selected packet. Similar to Follow->TCP Stream (which sets display filter eq "some value") without the popup window.

History of the feature:

Code commit:;a=commit;h=9865b6346f6442bc8326cde55e5f012250748131

As per Ulf's request, add ${proto.field} macros that will use the value the given field has in the last selected packet.

Two places to update in User's Guide:

Chapter 11. Customizing Wireshark 11.8. Display Filter Macros

Chapter 6. Working With Captured Packets 6.7. Defining And Saving Filter Macros

DFilterMacro (last edited 2020-05-20 02:55:47 by ChuckCraft)