If you ask me what part of Wireshark is the most difficult to learn, I would say it is the filter. Do you know how to filter the packets belonging to a specific IP address?
All of the above are wrong, even though the last one turns green (is accepted as valid syntax) in the filter edit box. The correct one is ip.addr==xx.xx.xx.xx, NOT ip.address==xx.xx.xx.xx, not ip.addr=xx.xx.xx.xx, and not ip.addr:xx.xx.xx.xx. You may know other green syntax like ip.dst==xx.xx.xx.xx (not ip.dst.addr==xx.xx.xx.xx) and ip.src==xx.xx.xx.xx (not ip.src.addr==xx.xx.xx.xx), but those filter only the packets whose destination IP address or source IP address, respectively, is the specified one. ip.addr==xx.xx.xx.xx filters the packets whose source IP OR destination IP is the specified one, so it returns more results than either ip.dst or ip.src.
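To make the difference concrete, here is an added Python example (not part of the original post, and not Wireshark's own filter engine) that models these three filters over a constructed list of (source, destination) pairs: it accepts only the spellings called correct above and shows that ip.addr returns the union of what ip.src and ip.dst return.

```python
import re
from ipaddress import ip_address

# Constructed sample "packets" (src, dst); not taken from a real capture.
PACKETS = [
    ("10.0.0.5", "192.168.1.10"),
    ("192.168.1.10", "10.0.0.5"),
    ("10.0.0.7", "192.168.1.10"),
    ("10.0.0.5", "8.8.8.8"),
    ("172.16.0.1", "172.16.0.2"),
]

# Only ip.addr / ip.src / ip.dst with '==' are accepted; ip.address,
# a single '=', a ':' or ip.dst.addr all fail to match.
_FILTER_RE = re.compile(r"^\s*ip\.(addr|src|dst)\s*==\s*(\S+)\s*$")


def parse_filter(expr):
    """Return (field, address) or raise ValueError for a wrong spelling."""
    m = _FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"not a valid display filter: {expr!r}")
    field, addr = m.groups()
    return field, str(ip_address(addr))  # also rejects malformed addresses


def is_valid_filter(expr):
    """True if the expression is one of the accepted forms."""
    try:
        parse_filter(expr)
        return True
    except ValueError:
        return False


def matches(field, addr, pkt):
    """ip.src / ip.dst check one direction; ip.addr checks either."""
    src, dst = pkt
    if field == "src":
        return src == addr
    if field == "dst":
        return dst == addr
    return src == addr or dst == addr


def apply_filter(expr, packets=PACKETS):
    """Return the packets the display filter expression selects."""
    field, addr = parse_filter(expr)
    return [p for p in packets if matches(field, addr, p)]
```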
From this example, we can safely tell that Wireshark is indeed an amateur tool. A professional or commercial tool wouldn't put its customers in such an awkward situation. Every time I use Wireshark, I have to search Google for the filter usage. They are too hard to memorize.