My Wireshark Display Filters Cheat Sheet

Wireshark takes so much information when taking a packet capture that it can be difficult to find the information needed. Fortunately, wireshark has display filters so that we can search for specific traffic or filter out unwanted traffic, so that our task becomes easier.

The filtering capabilities are very powerful and complex, there are so many fields, operators and options and their combination becomes overwhelming. Bellow is a list of the most common type of filtering.

Filter by IP address: displays all traffic from IP, be it source or destination

ip.addr == 192.168.1.1

Filter by source address: display traffic only from IP source

ip.src == 192.168.0.1

Filter by destination: display traffic only form IP destination

ip.dst == 192.168.0.1

Filter by IP subnet: display traffic from subnet, be it source or destination

ip.addr = 192.168.0.1/24

Filter by protocol: filter traffic by protocol name

dns

http

ftp

arp

ssh

telnet

icmp

Exclude IP address: remove traffic from and to IP address

!ip.addr ==192.168.0.1

Display traffic between two specific subnet

ip.addr == 192.168.0.1/24 and ip.addr == 192.168.1.1/24

Display traffic between two specific workstations

ip.addr == 192.168.0.1 and ip.addr == 192.168.0.2

Filter by MAC

eth.addr = 00:50:7f:c5:b6:78

Filter TCP port

tcp.port == 80

Filter TCP port source

tcp.srcport == 80

Filter TCP port destination

tcp.dstport == 80

Find user agents

http.user_agent contains Firefox

!http.user_agent contains || !http.user_agent contains Chrome

Filter broadcast traffic

!(arp or icmp or dns)

Filter IP address and port

tcp.port == 80 && ip.addr == 192.168.0.1

Filter all http get requests

http.request

Filter all http get requests and responses

http.request or http.response

Filter three way handshake

tcp.flags.syn==1 or (tcp.seq==1 and tcp.ack==1 and tcp.len==0 and tcp.analysis.initial_rtt)

Find files by type

frame contains “(attachment|tar|exe|zip|pdf)”

Find traffic based on keyword

tcp contains facebook

frame contains facebook

Detecting SYN Floods

tcp.flags.syn == 1 and tcp.flags.ack == 0