Wireshark Display Filter Gotcha
One of the most powerful and convenient feature of Wireshark is its display filters.
If you are just getting familiar with Wireshark protocol filters are pretty straight forward, simply type whatever you see under the protocol header and you will see those packets.
Protocol filters are awesome when troubleshooting, baselining, or investigating protocols that go from unicast to broadcast, like DHCP. Another good alternative to protocol filters would be TCP/UDP port filters, but novices may find them intimating right out of the gate.
As you get comfortable with Wireshark, port filters are relatively easy to apply. For example, you can use the Statistics -> Endpoints and click on either TCP or UDP tab. From here, simply right click and Apply as Filter -> Selected and you have a filtered trace.
Here’s the gotcha, when you use a protocol display filter, you will only see packets with that protocol descriptor, like read, close, etc. If you use a port filter you will all the packets. For example, with TCP, the port filter will display the packets with SYN, FIN, RST or just data packets.
This can be an issue if you are using something like Wireshark’s Statistics -> IO Graph. You need to ensure you know what data you are using for your graph. In the video I show an example of using both filters.