What is the difference between a Wireshark capture filter and a display filter?

A capture filter (BPF syntax) is applied while packets are being captured - everything it filters out is permanently discarded. A display filter is applied after capture and only hides packets from view; you can change it freely without re-capturing. For live troubleshooting, capture broadly and use display filters to narrow down.

How do I find a device by MAC address in Wireshark?

Use the display filter: eth.addr == aa:bb:cc:dd:ee:ff. This matches both source and destination. To find the IP that MAC is using, filter for arp.src.hw_mac == aa:bb:cc:dd:ee:ff and look at the arp.src.proto_ipv4 field. The tool above generates both filters for you.

Why is Dante audio traffic hard to filter in Wireshark?

Dante uses multiple protocols across many UDP ports - discovery on 4321, control on 4440-4455, audio media on 4444+, plus PTP for clock sync. The tool generates a combined filter for Dante discovery and audio flows. Make sure you mirror the correct VLAN and that IGMP snooping is configured if you're missing flows.

Does this tool send my MAC or IP addresses anywhere?

No. The tool runs entirely in your browser. Nothing you type is sent to a server - the OUI lookup uses a bundled dictionary, and filter generation is local JavaScript.

🦈 Wireshark Filter Generator

All-in-one filter builder for AV/UC network troubleshooting. Pick what you're chasing — finding a device by MAC, tracing Dante audio, debugging multicast — get a copy-paste Wireshark display filter plus a tshark capture command. Includes OUI vendor lookup, subnet calculator, and a port/protocol cheat sheet.

100% browser-local. Nothing you type leaves your machine.

⚠ Disclaimer This tool is provided as-is, for educational and planning purposes only. Capture filters should only be used on networks you are authorised to inspect. The Tech Space makes no warranty and accepts no liability for any loss arising from use. Full disclaimer →

🔒 This tool runs entirely in your browser. MAC and IP values you enter are not sent to any server.

What are you troubleshooting?

🏷 MAC vendor (OUI) lookup

Paste a MAC address — we'll tell you the vendor from the first 3 octets. Built-in dictionary covers common AV/UC manufacturers.

MAC address

Vendor

—

🧮 Subnet calculator

Enter a CIDR (e.g. 192.168.10.0/24) — get the range, mask, broadcast, and a Wireshark filter for the subnet.

Network (CIDR)

Subnet details

—

📋 Quick reference — AV/UC ports & protocols

Dante (Audinate)

Port	Use
4321 UDP	Discovery (mDNS)
4440-4459 UDP	Audio media
4455 UDP	Control
319/320 UDP	PTP clock sync

Q-SYS (QSC)

Port	Use
1710 TCP	Core control (QRC)
2467 TCP	QSC Snapshot
319/320 UDP	PTP
RTP dyn UDP	Q-LAN audio

SIP / VoIP

Port	Use
5060 UDP/TCP	SIP signalling
5061 TCP	SIP over TLS
16384-32767 UDP	RTP media
3478/5349	STUN / TURN

Microsoft Teams Rooms

Port	Use
443 TCP	Signalling (HTTPS)
3478-3481 UDP	STUN / TURN
50000-50019 UDP	Media (client)
52.112.0.0/14	Teams media range

Cisco Webex Rooms

Port	Use
443 TCP	Signalling
5004 UDP	Media (preferred)
9000 UDP	Media (fallback)
33434 UDP	Network reachability

Crestron NVX / Control

Port	Use
41794 UDP	Crestron CIP
41796 UDP	CIP secure
5004/5005 UDP	NVX RTP/RTCP
1024 TCP	Telnet (legacy)

Discovery protocols

Protocol	Display filter
mDNS / Bonjour	mdns
SSDP / UPnP	ssdp
LLDP	lldp
CDP (Cisco)	cdp
ARP	arp

NDI (NewTek)

Port	Use
5353 UDP	mDNS discovery
5959-6989 TCP	NDI streams
5960 TCP	NDI Discovery Server

Common questions

Quick clarifications for the most-asked Wireshark questions in an AV/UC context.

What's the difference between capture and display filters?

Capture filter (BPF syntax, used with tshark -f or Wireshark's pre-capture filter): applied while packets are captured — discarded packets are gone forever. Display filter (Wireshark's main syntax): applied to packets already captured, hides them from view but they're still in the trace. Rule of thumb: capture broadly, narrow with display filters.

How do I find a device by MAC address?

Use the Find device by MAC scenario above. It generates eth.addr == aa:bb:cc:dd:ee:ff (matches both directions). To learn the IP that MAC is using, switch to MAC → IP discovery which looks at ARP replies.

Why is Dante audio traffic hard to filter?

Dante uses multiple ports: 4321 UDP for discovery (mDNS), 4440-4459 UDP for audio media, 4455 UDP for control, and PTP (319/320 UDP) for clock sync. The Dante audio scenario above generates a combined filter. Also ensure: SPAN port mirrors the right VLAN, IGMP snooping is configured correctly if Dante multicast flows are missing.

Does this tool send my MAC/IP addresses anywhere?

No. Everything runs in your browser. The OUI lookup uses a bundled dictionary, filter generation is local JavaScript, and no network requests are made when you enter values.

I'm trying to capture but getting nothing — what's wrong?

Most common causes: (1) your capture interface isn't in promiscuous mode (Wireshark only sees its own traffic); (2) you're plugged into an access port instead of a SPAN/mirror port, so you only see broadcast/multicast; (3) the VLAN isn't on the mirror; (4) for IP multicast, your switch is doing IGMP snooping and your capture interface didn't join the group. Walk through these before debugging the filter syntax.

Stuck on a stubborn issue?

If the filter isn't telling you what you need to know, sometimes a second pair of eyes does. Send us a brief or get in touch.

Start a UC/AV Brief →