My Wireshark Display Filters Cheat Sheet
Wireshark collects so much information in a packet capture that it can be hard to find what you actually need. Fortunately, Wireshark has display filters that let us search for specific traffic or hide unwanted traffic, which makes the job much easier.
The filtering language is powerful and complex: there are so many fields, operators and options that the combinations quickly become overwhelming. Below is a list of the most common types of filter. Note that the comparison operator is always == (a single = is a syntax error), and that string values should be quoted.
Filter by IP address: displays all traffic from IP, be it source or destination
ip.addr == 192.168.1.1
Filter by source address: display traffic only from IP source
ip.src == 192.168.0.1
Filter by destination: display traffic only to the destination IP
ip.dst == 192.168.0.1
Filter by IP subnet: display traffic to or from a subnet in CIDR notation, be it source or destination (Wireshark applies the mask itself, so 192.168.0.1/24 matches the same hosts)
ip.addr == 192.168.0.0/24
Filter by protocol: filter traffic by protocol name
dns
http
ftp
arp
ssh
telnet
icmp
Exclude IP address: remove traffic to and from an IP address. Negate the whole comparison; do not write ip.addr != 192.168.0.1, because ip.addr is tested against both the source and the destination, so a packet whose source differs from the address already satisfies != and the filter hides almost nothing
!(ip.addr == 192.168.0.1)
Display traffic between two specific subnets
ip.addr == 192.168.0.1/24 and ip.addr == 192.168.1.1/24
Display traffic between two specific workstations
ip.addr == 192.168.0.1 and ip.addr == 192.168.0.2
Filter by MAC address (source or destination)
eth.addr == 00:50:7f:c5:b6:78
Filter TCP port
tcp.port == 80
Filter TCP port source
tcp.srcport == 80
Filter TCP port destination
tcp.dstport == 80
Find user agents: match a substring of the HTTP User-Agent header (only visible in cleartext HTTP requests; contains is case-sensitive, use matches "(?i)firefox" for a case-insensitive match)
http.user_agent contains "Firefox"
Hide requests from Firefox and Chrome, for example to spot unusual clients
!(http.user_agent contains "Firefox") && !(http.user_agent contains "Chrome")
Hide noisy background chatter (ARP, ICMP, DNS)
!(arp or icmp or dns)
Show only broadcast frames
eth.dst == ff:ff:ff:ff:ff:ff
Filter IP address and port
tcp.port == 80 && ip.addr == 192.168.0.1
Filter all HTTP requests (any method)
http.request
Filter only HTTP GET requests
http.request.method == "GET"
Filter all HTTP requests and responses
http.request or http.response
Filter the three-way handshake: the SYN and SYN-ACK, plus the empty ACK that completes it. The tcp.seq == 1 and tcp.ack == 1 tests rely on relative sequence numbers, so this only works while "Relative sequence numbers" is enabled in the TCP protocol preferences (the default)
tcp.flags.syn == 1 or (tcp.seq == 1 and tcp.ack == 1 and tcp.len == 0 and tcp.analysis.initial_rtt)
Find files by type: search the whole frame for file-type keywords. contains only does literal substring matches, so an alternation like this needs matches, which takes a regular expression ((?i) makes it case-insensitive). Expect false positives, since "tar" and "exe" also occur inside ordinary words
frame matches "(?i)(attachment|tar|exe|zip|pdf)"
Find traffic based on a keyword: tcp searches the TCP header and payload, frame searches every byte of the frame including lower-layer headers
tcp contains "facebook"
frame contains "facebook"
Detecting SYN floods: show only bare SYN segments (equivalent to tcp.flags == 0x002). On its own this lists every connection attempt; a flood is a matter of volume, so after applying the filter use Statistics > Conversations or the I/O Graph to see which hosts send large numbers of SYNs that never complete the handshake
tcp.flags.syn == 1 and tcp.flags.ack == 0
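The handshake and SYN flood filters above select the right packets, but deciding whether a flood is in progress means correlating them per connection. The following is an added example, not part of the original cheat sheet, that replays the three-way handshake over the field output of tshark (the command-line Wireshark) and counts half-open connections per client and per server socket. The sample lines are constructed inline in the format that tshark -T fields produces; the capture file name capture.pcapng and the threshold of 5 half-open connections are assumptions.

```python
"""Replay TCP handshakes from tshark field output and count half-open attempts.

The SAMPLE below is constructed test data in the shape produced by this tshark
command (real tshark options; capture.pcapng is a hypothetical file name):

  tshark -r capture.pcapng \
      -Y "tcp.flags.syn == 1 or (tcp.flags.ack == 1 and tcp.len == 0)" \
      -T fields -E separator=, \
      -e frame.time_relative -e ip.src -e ip.dst \
      -e tcp.srcport -e tcp.dstport -e tcp.flags
"""
from collections import Counter

# TCP flag bits as they appear in the tcp.flags field (hex string in tshark output)
FIN, SYN, RST, ACK = 0x001, 0x002, 0x004, 0x010

# Constructed sample: two complete handshakes from 10.0.0.5 and 10.0.0.6, then six
# SYNs from 203.0.113.7 to 10.0.0.80:443 that never get the final ACK.
SAMPLE = """\
0.000000,10.0.0.5,10.0.0.80,51000,443,0x0002
0.000400,10.0.0.80,10.0.0.5,443,51000,0x0012
0.000800,10.0.0.5,10.0.0.80,51000,443,0x0010
0.100000,10.0.0.6,10.0.0.80,51001,443,0x0002
0.100400,10.0.0.80,10.0.0.6,443,51001,0x0012
0.100800,10.0.0.6,10.0.0.80,51001,443,0x0010
0.200000,203.0.113.7,10.0.0.80,40001,443,0x0002
0.200300,10.0.0.80,203.0.113.7,443,40001,0x0012
0.200500,203.0.113.7,10.0.0.80,40002,443,0x0002
0.200800,10.0.0.80,203.0.113.7,443,40002,0x0012
0.201000,203.0.113.7,10.0.0.80,40003,443,0x0002
0.201300,10.0.0.80,203.0.113.7,443,40003,0x0012
0.201500,203.0.113.7,10.0.0.80,40004,443,0x0002
0.202000,203.0.113.7,10.0.0.80,40005,443,0x0002
0.202500,203.0.113.7,10.0.0.80,40006,443,0x0002
"""


def parse_rows(text):
    """Turn comma-separated tshark field output into typed tuples."""
    rows = []
    for line in text.strip().splitlines():
        t, src, dst, sport, dport, flags = line.split(",")
        rows.append((float(t), src, dst, int(sport), int(dport), int(flags, 16)))
    return rows


def track_handshakes(rows):
    """Replay the three-way handshake for every connection attempt.

    Keys are (client, client_port, server, server_port), i.e. the side that sent
    the SYN comes first; the value records how far the handshake got:
    "syn", "synack" or "established".
    """
    state = {}
    for _t, src, dst, sport, dport, flags in rows:
        fwd = (src, sport, dst, dport)   # packet sent by the SYN originator
        rev = (dst, dport, src, sport)   # packet sent by the answering side
        if flags & RST:
            # A reset in either direction ends the attempt (closed port, abort)
            state.pop(fwd, None)
            state.pop(rev, None)
        elif flags & SYN and not flags & ACK:
            state[fwd] = "syn"
        elif flags & SYN and flags & ACK:
            if state.get(rev) == "syn":
                state[rev] = "synack"
        elif flags & ACK:
            if state.get(fwd) == "synack":
                state[fwd] = "established"
    return state


def half_open_counts(state):
    """Count handshakes that never completed, per client IP and per server socket.

    The per-server count is the one to watch for spoofed floods, where every
    SYN comes from a different forged source address.
    """
    by_client, by_server = Counter(), Counter()
    for (client, _cport, server, sport), stage in state.items():
        if stage != "established":
            by_client[client] += 1
            by_server[(server, sport)] += 1
    return by_client, by_server


def syn_flood_suspects(state, threshold=5):
    """Clients with at least `threshold` half-open connections (assumed tuning value)."""
    by_client, _by_server = half_open_counts(state)
    return {ip: n for ip, n in by_client.items() if n >= threshold}


if __name__ == "__main__":
    handshakes = track_handshakes(parse_rows(SAMPLE))
    clients, servers = half_open_counts(handshakes)
    print("half-open per client:", dict(clients))
    print("half-open per server:", dict(servers))
    print("suspects:", syn_flood_suspects(handshakes))
```

The -Y filter passed to tshark is the handshake filter from this sheet restricted to what the state machine needs: SYNs, SYN-ACKs and empty ACKs (which also lets RST-ACKs through, so refused connections are dropped rather than counted as half-open). The threshold is deliberately a parameter: a busy web server legitimately has many half-open connections at any instant, so tune it against a baseline capture before alerting on it.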