Filter Menu
The dfilter_buttons configuration file defines the filters that appear in the
Filter Menu component. When enabled via the enableFilterMenu prop,
this provides users with one-click access to predefined display filters.
File Location
The dfilter_buttons file can be placed either globally or within individual
profile directories:
- Default location: /usr/cloudshark/share/wireshark/dfilter_buttons (pre-installed in the Docker container)
- Profile location: <profile-directory>/wireshark/dfilter_buttons
When a profile is active and contains a dfilter_buttons file, the profile’s
version will be used. Otherwise, the default file is used. You can customize
the default location using the --default-filter-menu configuration option.
To deploy or modify an existing profile, please see:
Format
The dfilter_buttons file uses CSV format with the following structure:
"<TRUE/FALSE>","<NAME>","<DISPLAY FILTER>","<COMMENT>"
- <TRUE/FALSE>: Controls if the filter is shown in the menu
- <NAME>: Name of the display filter shown in the Filter Menu
- <DISPLAY FILTER>: Wireshark Display Filter to apply when clicked on
- <COMMENT>: Text to display when hovered over
Lines starting with # are treated as comments and ignored.
Display filters can be organized by using // in the NAME to create
nested display filter menus. For example, creating two filters with the titles
Transport//TCP and Transport//UDP will group the TCP and UDP filters
under the Transport nested menu.
Best Practices
When creating a dfilter_buttons file, the following will help you build a
Filter Menu that is organized and easy to use.
Organize Filters
Group related filters under nested filter menus so that they appear together in the menu. Common approaches include grouping them by protocol:
"TRUE","IPv4//Unicast","ip.dst != 224.0.0.0/4 && ip.dst != 255.255.255.255","IPv4 Unicast"
"TRUE","IPv4//Broadcast","ip.dst == 255.255.255.255","IPv4 Broadcast"
"TRUE","IPv4//DHCP","dhcp","DHCP"
"TRUE","IPv6//Global","!ipv6.dst == ff00::/8 && ipv6.dst == 2000::/3","IPv6 Global"
"TRUE","IPv6//Multicast","ipv6.dst == ff00::/8","IPv6 Multicast"
You can also organize filters by workflow or use case, for example one group
containing Troubleshooting//TCP Retransmissions and Troubleshooting//Duplicate ACKs
and another containing Security//Cleartext Passwords and Security//TLS Errors.
Avoid Name Conflicts
A name used as a parent with // nested filters should not also be used as a
filter at the same nesting level. If the same name is used, Packet Viewer will
display two separate entries in the menu with the same label. One will be a
clickable filter and the other will be a menu with the same name.
For example, this would produce two UDP entries:
"TRUE","UDP","udp","UDP"
"TRUE","UDP//QUIC","udp && quic","QUIC"
The first line creates a clickable UDP filter. The second line creates a
separate UDP menu containing QUIC. To avoid this, choose unique names:
"TRUE","UDP//All UDP","udp","UDP"
"TRUE","UDP//QUIC","udp && quic","QUIC"
This will create a single UDP folder with All UDP and QUIC clickable
filters nested inside it.
Keep Names Short
Filter menu labels are truncated in the Packet Viewer UI. Keep the group and
filter names concise so that they display fully in the menu. For example,
TCP//Retransmissions is better than
TCP//All TCP Retransmission Events Including Spurious. To give more
information about a filter, use the comment field described below instead.
Use Comments
The comment field (fourth column) appears as hover text in the menu. Use it to explain what the filter does or when to use it, especially for complex filter expressions:
"TRUE","TCP//Expert","tcp.analysis.flags","TCP expert info events like retransmissions and window issues"
"TRUE","TCP//Zero Window","tcp.analysis.zero_window","Host advertised a receive window of 0"
Escape Double Quotes
Some display filters require double quotes, such as string matches. Use \x22
to represent a double quote character inside the filter expression:
"TRUE","Vendor//Cisco MACs","eth.addr_resolved ~ \x22Cisco\x22","Match Cisco OUI"
"TRUE","HTTP//User Agent","http.user_agent matches \x22.*curl.*\x22","Requests from curl"
Existing Filters
If you already have display filter buttons configured in a Wireshark profile,
you can use that same dfilter_buttons file directly in Packet Viewer.
To find the dfilter_buttons file on your local Wireshark installation, open
the About Wireshark dialog and click the Folders tab. Check the
Global and Personal configuration folders; the dfilter_buttons file
can be found under the profiles/<profile-name>/ directory.
Then copy the file into your profile under the wireshark/ directory and
deploy the new profile.
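Before deploying a dfilter_buttons file, whether new or copied from Wireshark, the rules from the Format, Avoid Name Conflicts and Escape Double Quotes sections can be checked mechanically. The Python linter below is an added example, not part of Packet Viewer or Wireshark; the function name lint_dfilter_buttons and the sample rows are constructed for illustration. It assumes no field contains a raw double quote and includes disabled (FALSE) rows in the conflict check.

```python
import re

# Four double-quoted fields. A raw " inside a field breaks the match,
# which is why filter expressions must use \x22 instead.
ROW = re.compile(r'^"(TRUE|FALSE)","([^"]*)","([^"]*)","([^"]*)"$')

def lint_dfilter_buttons(text):
    """Return a sorted list of (line_number, message) findings."""
    findings = []
    leaves = {}  # menu path -> first line defining it as a clickable filter
    menus = {}   # menu path -> first line using it as a parent menu
    for num, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        m = ROW.match(line)
        if m is None:
            findings.append((num, "malformed row: expected four quoted "
                                  "fields, with \\x22 for any double quote"))
            continue
        _enabled, name, dfilter, _comment = m.groups()
        path = tuple(name.split("//"))
        if not dfilter or "" in path:
            findings.append((num, "empty filter or empty menu label"))
            continue
        leaves.setdefault(path, num)
        for depth in range(1, len(path)):
            menus.setdefault(path[:depth], num)
    # A path that is both a leaf and a parent renders as two menu entries.
    for path in set(leaves) & set(menus):
        findings.append((leaves[path],
                         f"'{'//'.join(path)}' is both a filter and a menu "
                         f"(menu first used on line {menus[path]})"))
    return sorted(findings)

# Constructed sample input, not a file shipped with the product.
SAMPLE = r'''# constructed sample
"TRUE","UDP","udp","UDP"
"TRUE","UDP//QUIC","udp && quic","QUIC"
"TRUE","HTTP//User Agent","http.user_agent matches \x22.*curl.*\x22","Requests from curl"
"TRUE","HTTP//Host","http.host == "example.test"","Unescaped quotes"
'''

if __name__ == "__main__":
    for num, msg in lint_dfilter_buttons(SAMPLE):
        print(f"line {num}: {msg}")
```

On the sample, line 2 is reported for the UDP name conflict and line 5 for the unescaped double quotes; the \x22 row on line 4 passes.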
Example
Here is an example dfilter_buttons file:
"TRUE","IPv4//Unicast","ip.dst != 224.0.0.0/4 && ip.dst != 255.255.255.255","IPv4 Unicast"
"TRUE","IPv4//Multicast","ip.dst == 224.0.0.0/4","IPv4 Multicast"
"TRUE","IPv4//Broadcast","ip.dst == 255.255.255.255","IPv4 Broadcast"
"TRUE","IPv4//DHCP","dhcp","DHCP"
"TRUE","IPv6//Global","!ipv6.dst == ff00::/8 && ipv6.dst == 2000::/3","IPv6 Global"
"TRUE","IPv6//Multicast","ipv6.dst == ff00::/8","IPv6 Multicast"
"TRUE","IPv6//Link-Local","ipv6.dst == fe80::/64","IPv6 Link-Local"
"TRUE","IPv6//DHCPv6","dhcpv6","DHCPv6"
"TRUE","Transport//UDP","udp","UDP"
"TRUE","Transport//TCP","tcp","TCP"
"TRUE","Transport//QUIC","quic","QUIC"
"TRUE","Transport//TLS","tls","TLS"
"TRUE","Application//HTTP","http","HTTP"
"TRUE","Application//HTTP/2","http2","HTTP/2"
"TRUE","Application//HTTP/3","http3","HTTP/3"
"TRUE","Application//DNS//All DNS","dns","All DNS Packets"
"TRUE","Application//DNS//Errors","dns.flags.rcode != 0","DNS Errors"