Filtering on error packets with Wireshark

To filter the packets Wireshark has captured so that only packets with errors are shown, use the display filter expert.severity == error.



Wireshark expert.severity error

For the packet selected in the example above, there is a frame check sequence error at the Ethernet level.

If you don't want to see error packets, you can put the word "not" in front of that filter. E.g., supposing I wanted to see all packets from/to the IP address 192.0.73.2, but not any error packets, I could use the filter ip.addr==192.0.73.2 and not expert.severity==error.


Wireshark not expert.severity error

The above examples are from Wireshark 1.10.14 running on a Linux system. If you are using Wireshark 1.12 or later, you may need to use _ws.expert.severity == error for the filter, instead - see Only shown problematic packets in WireShark. The expert.severity version is not a valid filter for Wireshark 2.2.5 on my MacBook Pro laptop running OS X, but the _ws.expert.severity version works.
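Because the field name differs between versions, a script can ask the installed build which name it registers before building the filter. The following is an added example, not part of the original article: the function names and capture.pcap are hypothetical, and it assumes the tab-separated output of tshark -G fields, where the field abbreviation is the third column.

```shell
#!/usr/bin/env bash
# Added example: pick the expert-severity field name that this Wireshark
# build knows, then build the display filters used in the article.

# Reads `tshark -G fields` output on stdin (tab-separated, field
# abbreviation in column 3) and prints the severity field that is
# registered. Exits non-zero if neither name is present.
pick_severity_field() {
    awk -F'\t' '
        $1 == "F" && $3 == "_ws.expert.severity" { new = 1 }
        $1 == "F" && $3 == "expert.severity"     { old = 1 }
        END {
            if (new)      print "_ws.expert.severity"
            else if (old) print "expert.severity"
            else          exit 1
        }'
}

# build_filter FIELD MODE [IP]
#   MODE=only    -> only packets flagged with an error
#   MODE=exclude -> everything except error packets
#   IP (optional) restricts the result to one address, as in the article.
# The body runs in a subshell so its variables stay private.
build_filter() (
    field=$1 mode=$2 ip=${3:-}
    case $mode in
        only)    expr="$field == error" ;;
        exclude) expr="not $field == error" ;;
        *)       echo "mode must be 'only' or 'exclude'" >&2; exit 2 ;;
    esac
    if [ -n "$ip" ]; then expr="ip.addr == $ip and $expr"; fi
    printf '%s\n' "$expr"
)

# Usage against a saved capture (capture.pcap is a placeholder name):
#   field=$(tshark -G fields | pick_severity_field)
#   tshark -r capture.pcap -Y "$(build_filter "$field" exclude 192.0.73.2)"
```
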
