11.8. Display Filter Macros

Display Filter Macros are a mechanism to create shortcuts for complex filters. For example, defining a display filter macro named tcp_conv whose text is

(ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4)
or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3)

would allow to use a display filter like

$tcp_conv(10.1.1.2,10.1.1.3,1200,1400)

or alternatively

${tcp_conv:10.1.1.2;10.1.1.3;1200;1400}

or

${tcp_conv;10.1.1.2;10.1.1.3;1200;1400}

instead of typing the whole filter. Both notations are equivalent. Once defined, a macro can be used in saved display (but not capture) filters and filter buttons.

Display Filter Macros can be managed by selecting AnalyzeDisplay Filter Macros from the menu. The table has the following fields:

Macro Name
The name of the macro. The name must consist of ASCII alphanumerics or the '_' character. (Note that the presence of a '.' character would indicate a field reference.)
Macro Expression
The replacement text for the macro it uses $1, $2, $3, …​ as the input arguments.