The Conversation Filter is a powerful tool in Wireshark that lets you focus on all packets between two endpoints. This could be between two IP addresses, MAC addresses, or ports—depending on the type of traffic you’re analyzing. It’s especially useful when analyzing a single connection within a large capture file.
Instead of manually building complex filters, Wireshark can auto-generate them from a packet, allowing you to follow the entire conversation in just a click.
How to Use the Conversation Filter
To apply a conversation filter:
- Select a packet involved in the communication
- Right-click anywhere in the Packet List or Packet Details pane
- Go to:
Conversation Filter → [Choose protocol type]You can choose protocol types such as:
- Ethernet
- IPv4 / IPv6
- TCP / UDP
Wireshark will apply a filter showing only packets between the same two endpoints using that protocol.
Example
If you choose TCP on a packet from a web request, Wireshark may apply:
tcp.stream eq 5
This displays only the packets belonging to that TCP session, making it easier to trace communication flow and troubleshoot issues.