One of my favorite features in Wireshark is the ability to click and drag a field from the Packet List pane or Packet Details pane up quickly create a filter based on that field value.
Prior to Wireshark 4, you may have noticed that you couldn't create a display filter by clicking and dragging on some columns in the Packet List pane (such as the Protocol column or Info column).
Try it! Click and drag an item in the Protocol column up to the Display Filter area. You will notice a strange filter starting with "_ws.col.protocol". That's new.
This is a nice improvement, but be forewarned - using column names as a filter is going to be slower than other filter types. Wireshark needs to build the columns first and then filter on it.
In our example above, the display filter mdns will be faster than our _ws.col.protocol == "MDNS" filter.
In the case of a display filter based on the Info column, however, this full column filter is really nice. I don't have to build a long filter to find packets that have the same Info column details in them.
Type _ws.col. in the Display Filter area. The background will be red because this is not a valid display filter. That's ok. I want to show you the drop down list showing the various columns that can be created this way.
You know I love my columns! This feature makes me love them even more (if possible).
Enjoy!