Using Display Filters with CloudShark

The CloudShark display screen contains a text box for Wireshark style display filters. By default, no display filter is set and all packets in your capture file are displayed. However, you can specify a display filter to limit the packets that are displayed.

Display filters are handy in many situations. Let’s say you only want to display packet frame number 8. You can enter frame.number==8 in the display filter box and hit the Apply button. CloudShark will filter your results and only display frame 8.

Display Filter Box

Another common filter is to look for a specific IPv4 or IPv6 address. Let’s say you only want to see IPv4 traffic involving 192.168.1.1. You can enter ip.addr==192.168.1.1 in the display filter box. Of course, to see all the packets again, just hit the Clear button next to Apply. For an IPv6 example, try entering ipv6.addr==3001:51a:cafe::1.
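To make the matching semantics of these filters concrete, here is a small evaluator for a subset of display-filter syntax (only field==value clauses joined with &&), run over a handful of constructed packet records. It is an added example, not CloudShark or Wireshark code, and the packet dicts, their field names, and the EITHER_DIRECTION table are assumptions made for the illustration. What it shows beyond the text: ip.addr and ipv6.addr match a packet when the address is either the source or the destination, while ip.src or ip.dst check one direction only.

```python
"""Tiny evaluator for a subset of Wireshark-style display filters.

Added example, not CloudShark or Wireshark code. It supports only
``field==value`` comparisons joined with ``&&``, over packets represented
as dicts whose keys mirror Wireshark field names.
"""
from typing import Dict, List, Tuple

# Constructed sample packets (not taken from a real capture).
PACKETS: List[Dict[str, str]] = [
    {"frame.number": "7", "ip.src": "192.168.1.1", "ip.dst": "10.0.0.5", "tcp.port": "443"},
    {"frame.number": "8", "ip.src": "10.0.0.5", "ip.dst": "192.168.1.1", "tcp.port": "443"},
    {"frame.number": "9", "ip.src": "10.0.0.9", "ip.dst": "10.0.0.5", "tcp.port": "80"},
    {"frame.number": "10", "ipv6.src": "3001:51a:cafe::1", "ipv6.dst": "3001:51a:cafe::2", "tcp.port": "22"},
]

# Fields that are shorthand for "either direction" of a pair of fields.
EITHER_DIRECTION = {
    "ip.addr": ("ip.src", "ip.dst"),
    "ipv6.addr": ("ipv6.src", "ipv6.dst"),
}


def field_values(packet: Dict[str, str], field: str) -> List[str]:
    """Return every value the field takes in this packet (0, 1 or 2 entries)."""
    if field in EITHER_DIRECTION:
        return [packet[f] for f in EITHER_DIRECTION[field] if f in packet]
    return [packet[field]] if field in packet else []


def parse_filter(expr: str) -> List[Tuple[str, str]]:
    """Parse 'a==1 && b==2' into [('a', '1'), ('b', '2')]; reject anything else."""
    terms = []
    for clause in expr.split("&&"):
        clause = clause.strip()
        if "==" not in clause:
            raise ValueError(f"unsupported clause: {clause!r}")
        field, value = (part.strip() for part in clause.split("==", 1))
        if not field or not value:
            raise ValueError(f"malformed clause: {clause!r}")
        terms.append((field, value))
    return terms


def matches(packet: Dict[str, str], expr: str) -> bool:
    """True if the packet satisfies every clause of the filter."""
    return all(value in field_values(packet, field) for field, value in parse_filter(expr))


def apply_filter(expr: str, packets: List[Dict[str, str]] = PACKETS) -> List[str]:
    """Return the frame numbers the display filter keeps, in capture order."""
    return [p["frame.number"] for p in packets if matches(p, expr)]


if __name__ == "__main__":
    for f in ("frame.number==8", "ip.addr==192.168.1.1",
              "ip.src==192.168.1.1", "ipv6.addr==3001:51a:cafe::1"):
        print(f"{f:32} -> frames {apply_filter(f)}")
```

Note that ip.addr==192.168.1.1 keeps frames 7 and 8 (the address appears as destination in one and source in the other), whereas ip.src==192.168.1.1 keeps only frame 7.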

There are a few good online resources that provide an introduction to display filters and also detail the many possibilities. There are over 70k different display filters available across the various protocols supported!

Here are some links to get started:

Wireshark User Guide: Building Display Filter Expressions
Wireshark Wiki: Display Filters
Display Filter Reference

You can also specify display filters when you create a URL to an existing CloudShark decode session. This makes it easy to point someone to a specific packet in a decode session. The filter is passed by including a filter parameter in the URL.

For example, let’s say you uploaded a capture file and want technical support to look at packet number 18 in the capture file. You might send this link via email:

http://www.cloudshark.org/captures/277f57f4ec56?filter=frame.number==18

Here is another example using the /view URL, which lets you pass both a url parameter and a filter parameter.

http://www.cloudshark.org/view?url=http://packetlife.net/captures/TCP_SACK.cap&filter=frame.number==8

One important side note: Wireshark’s capture filters and display filters are not the same. Capture filters are libpcap expressions used when actually capturing packets. The syntax of capture filters is different from that of display filters, and display filters offer many more protocol options.

Give it a try!