
Display filter activation change in Wireshark 4.2.0?

asked 2023-11-27 15:53:22 +0000

Sharkee12

updated 2023-11-29 00:36:31 +0000

cmaynard

Previously used: ip.src== || ip.dst== to see only traffic to/from my machine.

Now in ws 4.2.0 that no longer works, seeing all traffic.



Version 4.2.0 (v4.2.0-0-g54eedfc63953)

filter: ip.src== || ip.dst==

When I start typing the filter "ip=...." a dropdown list of previously entered / bookmarked filters appears.

When I choose the one we were discussing, nothing changes. All packets are still displayed - no filtering.

However, I discovered that if I edit that bookmarked filter by erasing any characters (say, an OR bar, or the last '2') and re-enter it, the filter then works as it should. The same if I type in the complete filter anew.

My suspicion is that the bookmarked filters from previous WS versions installed are somehow incompatible with this new version.

Sharkee12 ( 2023-11-28 04:03:50 +0000 )

2 Answers


answered 2023-11-28 13:45:02 +0000

Jim Young

It appears that we have to press the ENTER key twice after choosing an entry from the dropdown list in order to have it applied. Following your steps, after we start typing and then click on one of the entries from the drop down list, the [X] control is added to the text entry field and the [->] control color changes to indicate it can be clicked. The fact that the [->] control is now clickable implies that the currently entered display filter has NOT been applied. Pressing ENTER once in my test causes the status bar to update, but it does not actually apply the display filter. Pressing ENTER a second time causes the filter to be applied and the [->] control changes color to indicate it is no longer selectable.



Yes, and that's been the same behavior long before the release of 4.2.0.

cmaynard ( 2023-11-28 14:54:02 +0000 )

I uninstalled version 4.2.0 and re-installed the previous version I was using from August 2023, version 4.0.8. That is not the behavior exhibited - only one ENTER keypress is needed.

Sharkee12 ( 2023-11-28 18:52:56 +0000 )

I also tried with 4.0.8 and my experience was that ENTER was required twice, which matches Jim's description.

cmaynard ( 2023-11-28 19:43:03 +0000 )

RTFM (reading the fine manual, version 4.3.0) I so far only see a reference in section 6.3 which states "Don’t forget to press enter or click on the apply display filter button after entering the filter expression."

Anyone have a manual reference that says "ENTER twice"?

Sharkee12 ( 2023-11-28 20:30:46 +0000 )

But there is a difference between entering the filter expression, as in typing it, and selecting it from the drop-down list. If you're entering the display filter, then you only need to press ENTER once, but if you're selecting the display filter from the list, then you'll need to press ENTER twice, once to choose it and once to apply it.

cmaynard ( 2023-11-28 21:28:31 +0000 )

answered 2023-11-27 16:07:17 +0000

hugo.vanderkooij

How about using ip.addr == as a filter? That is what I have used for a good number of years.



Thanks Hugo!

Sharkee12 ( 2023-11-27 16:33:46 +0000 )

I don't think this really answers the question. While the ip.addr == filter is essentially equivalent to ip.src== || ip.dst==, the fact remains that ip.src== || ip.dst== should still work, so if it doesn't, then something is wrong.

cmaynard ( 2023-11-27 21:10:52 +0000 )

So, what should be done?

Sharkee12 ( 2023-11-27 21:29:13 +0000 )

Functionally, the 2 filters should behave the same. If they don't, a Wireshark bug report should be filed so that someone can verify the incorrect behavior and hopefully correct it and include that fix in the next Wireshark release.

cmaynard ( 2023-11-27 22:25:37 +0000 )

I tried. It tried to make me log in again, but claims my credentials are invalid. Tried 3 times. They must not care.

Sharkee12 ( 2023-11-27 22:36:50 +0000 )



Asked: 2023-11-27 15:53:22 +0000

Seen: 295 times

Last updated: Nov 29 '23