Wireshark Filters for Analysts
Below are some of the most commonly used Wireshark display filters for packet analysis. Use these in the Wireshark filter bar to refine and analyze network traffic effectively.
| # | Filter type | Filter syntax | Description |
|---|---|---|---|
| 1 | IP address | `ip.addr == x.x.x.x` | Filter packets with the specified IP address. |
| 2 | IP address range | `ip.addr >= x.x.x.x and ip.addr <= y.y.y.y` | Filter packets within a specified IP address range. |
| 3 | Network interface | `frame.interface_name == "eth0"` | Show only packets captured on the eth0 interface. |
| 4 | Port | `tcp.port == 80` / `udp.port == 53` | Filter packets by TCP or UDP port. |
| 5 | Packet length | `frame.len > 100` | Show packets larger than 100 bytes. |
| 6 | MAC address | `eth.src == xx:xx:xx:xx:xx:xx` / `eth.dst == xx:xx:xx:xx:xx:xx` | Filter packets by source or destination MAC address. |
| 7 | HTTP status code | `http.response.code == 200` | Show packets with HTTP status code 200 (OK). |
| 8 | HTTP method | `http.request.method == "GET"` | Filter HTTP requests by method (GET, POST, etc.). |
| 9 | HTTP URI | `http.request.uri contains "example.com"` | Filter packets whose request URI contains a specific string. |
| 10 | HTTP response code | `http.response.code == 404` | Filter packets with a 404 Not Found response code. |
| 11 | HTTP cookie | `http.cookie contains "sessionid"` | Filter packets that contain a specific cookie name. |
| 12 | TCP flags | `tcp.flags.syn == 1` | Filter packets with the SYN flag set (start of the TCP handshake). |
| 13 | Packet size | `frame.len > 1000` | Show packets larger than 1000 bytes. |
| 14 | DNS domain name | `dns.qry.name contains "example.com"` | Filter DNS queries containing a specific domain. |
| 15 | TLS handshake type | `tls.handshake.type == 1` | Show only TLS ClientHello packets. |
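The filters above are evaluated per packet, but `ip.addr`, `tcp.port` and `udp.port` each occur twice in a packet (source and destination), and a comparison is true when any one occurrence matches. That rule is behind the results analysts most often find surprising. The script below is an added example, not part of the cheat sheet and not Wireshark code: it models the "any occurrence matches" rule over a handful of constructed packets (the addresses, ports and frame numbers are made up) and shows why `ip.addr != x`, as Wireshark read it before version 4.0, keeps nearly every packet while `!(ip.addr == x)` excludes both directions; why the range filter in row 2 can match a packet whose two addresses are both outside the range (one address satisfies each bound); and why `tcp.flags.syn == 1` on its own also returns the SYN/ACK. `ip.addr == 10.0.0.0/24` is Wireshark's own CIDR form for a subnet filter.

```python
"""
Toy model of how Wireshark evaluates display filters over fields that can
occur more than once in a packet (ip.addr, tcp.port, udp.port). Added
example, not Wireshark code: packets are constructed dicts and the helpers
mimic only the matching rules needed for the cheat-sheet filters.
"""
import ipaddress

# Constructed sample packets (not captured traffic).
PACKETS = [
    # 1: SYN from a workstation to a web server, port 80
    {"frame.number": 1, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.10",
     "tcp.srcport": 51000, "tcp.dstport": 80, "frame.len": 74,
     "tcp.flags.syn": 1, "tcp.flags.ack": 0},
    # 2: SYN/ACK back from the web server
    {"frame.number": 2, "ip.src": "192.0.2.10", "ip.dst": "10.0.0.5",
     "tcp.srcport": 80, "tcp.dstport": 51000, "frame.len": 74,
     "tcp.flags.syn": 1, "tcp.flags.ack": 1},
    # 3: DNS query from another workstation to the local resolver
    {"frame.number": 3, "ip.src": "10.0.0.7", "ip.dst": "10.0.0.1",
     "udp.srcport": 40000, "udp.dstport": 53, "frame.len": 82,
     "dns.qry.name": "www.example.com"},
    # 4: large TLS data segment between two unrelated hosts
    {"frame.number": 4, "ip.src": "172.16.4.9", "ip.dst": "172.16.4.20",
     "tcp.srcport": 443, "tcp.dstport": 60123, "frame.len": 1514},
    # 5: neither address is in 10.0.0.0/24; one lies below it, one above it
    {"frame.number": 5, "ip.src": "1.2.3.4", "ip.dst": "198.51.100.7",
     "tcp.srcport": 443, "tcp.dstport": 55000, "frame.len": 60},
]

# Wireshark exposes ip.addr as "ip.src or ip.dst" and tcp.port/udp.port as
# "srcport or dstport"; the combined fields are derived the same way here.
COMBINED = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}

def values(pkt, field):
    """Every occurrence of `field` in the packet (empty list if absent)."""
    return [pkt[p] for p in COMBINED.get(field, (field,)) if p in pkt]

def _num(v):
    """Addresses compare by their integer value; numbers compare as-is."""
    return int(ipaddress.ip_address(v)) if isinstance(v, str) else v

OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}

def eq(field, value):
    """`field == value`: true if ANY occurrence equals value."""
    return lambda pkt: value in values(pkt, field)

def legacy_ne(field, value):
    """`field != value` as Wireshark before 4.0 read it: true if ANY
    occurrence differs. With two occurrences this keeps almost everything."""
    return lambda pkt: any(v != value for v in values(pkt, field))

def cmp(field, op, value):
    """`field > value` etc.: true if ANY occurrence satisfies the comparison."""
    return lambda pkt: any(OPS[op](_num(v), _num(value)) for v in values(pkt, field))

def in_subnet(field, cidr):
    """`ip.addr == 10.0.0.0/24`: true if ANY occurrence lies inside the prefix."""
    net = ipaddress.ip_network(cidr)
    return lambda pkt: any(ipaddress.ip_address(v) in net for v in values(pkt, field))

def contains(field, needle):
    """`field contains "text"`: substring test on any occurrence."""
    return lambda pkt: any(needle in str(v) for v in values(pkt, field))

def not_(pred):
    """`!(expr)`: the negation that means the same in every Wireshark version."""
    return lambda pkt: not pred(pkt)

def and_(*preds):
    return lambda pkt: all(p(pkt) for p in preds)

def or_(*preds):
    return lambda pkt: any(p(pkt) for p in preds)

def run(pred, packets=PACKETS):
    """Frame numbers that survive the filter, like Wireshark's packet list."""
    return [p["frame.number"] for p in packets if pred(p)]

if __name__ == "__main__":
    demos = {
        "ip.addr == 10.0.0.5": eq("ip.addr", "10.0.0.5"),
        "ip.addr != 10.0.0.5  (pre-4.0 meaning)": legacy_ne("ip.addr", "10.0.0.5"),
        "!(ip.addr == 10.0.0.5)": not_(eq("ip.addr", "10.0.0.5")),
        "tcp.port == 80 || udp.port == 53": or_(eq("tcp.port", 80), eq("udp.port", 53)),
        "ip.addr >= 10.0.0.1 && ip.addr <= 10.0.0.255":
            and_(cmp("ip.addr", ">=", "10.0.0.1"), cmp("ip.addr", "<=", "10.0.0.255")),
        "ip.addr == 10.0.0.0/24": in_subnet("ip.addr", "10.0.0.0/24"),
        "tcp.flags.syn == 1": eq("tcp.flags.syn", 1),
        "tcp.flags.syn == 1 && tcp.flags.ack == 0":
            and_(eq("tcp.flags.syn", 1), eq("tcp.flags.ack", 0)),
    }
    for text, pred in demos.items():
        print(f"{text:48} -> frames {run(pred)}")
```

Running it prints the surviving frame numbers for each filter: the range filter from row 2 returns frame 5 even though neither of its addresses is in 10.0.0.0/24, while the CIDR form does not, and the legacy `!=` keeps all five frames where `!(ip.addr == 10.0.0.5)` keeps only 3, 4 and 5. When a filter is meant to isolate one host or one subnet for an investigation, prefer `!(...)` for exclusion and the CIDR form for ranges.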
Resource
Refer to the resource below for a complete Wireshark cheat sheet with all commands, filters, and syntax:
Link: Wireshark Cheat Sheet - StationX
Source: Respective owners