11.8. Display Filter Macros

Display Filter Macros are a mechanism to create shortcuts for complex filters. For example defining a display filter macro named tcp_conv whose text is ( (ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4) or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3) ) would allow to use a display filter like ${tcp_conv:10.1.1.2;10.1.1.3;1200;1400} instead of typing the whole filter.

Display Filter Macros can be managed with a user table, as described in Section 11.7, “User Table”, by selecting AnalyzeDisplay Filter Macros from the menu. The User Table has the following fields:

Name
The name of the macro.
Text
The replacement text for the macro it uses $1, $2, $3, …​ as the input arguments.