Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. 

Wireshark Capturing Modes

Promiscuous mode   Sets the interface to capture all packets on the network segment it is attached to
Monitor mode       Sets up the wireless interface to capture all traffic it can receive (Unix/Linux only)

Filter Types

Capture filter   Filters packets during capture
Display filter   Hides packets from the capture display

Capture Filter Syntax

Syntax    protocol   direction   host(s)       value   logical operator   expressions
Example   tcp        src         192.168.1.1   80      and                tcp dst 202.164.30.1

Display Filter Syntax

Syntax    protocol   string 1   string 2   comparison operator   value         logical operator   expressions
Example   http       dest       ip         ==                    192.168.1.1   and                tcp port

Protocols – Values

ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp

Filtering packets (Display Filters)

Operator    Description              Example
eq or ==    Equal                    ip.dst == 192.168.1.1
ne or !=    Not equal                ip.dst != 192.168.1.1
gt or >     Greater than             frame.len > 10
lt or <     Less than                frame.len < 10
ge or >=    Greater than or equal    frame.len >= 10
le or <=    Less than or equal       frame.len <= 10

Miscellaneous Items

Slice operator        […] – range of values
Membership operator   {} – in
CTRL+E                Start/stop capturing

Logical Operators

Operator     Description          Example
and or &&    Logical AND          All of the conditions must match
or or ||     Logical OR           At least one of the conditions must match
xor or ^^    Logical XOR          Exclusive alternation – exactly one of the two conditions must match, not both
not or !     NOT (negation)       Negates the condition
[n] […]      Substring operator   Filter on a specific word or text

Default columns in a packet capture output

No.                 Frame number from the beginning of the packet capture
Time                Seconds since the first frame
Source (src)        Source address, commonly an IPv4, IPv6 or Ethernet address
Destination (dst)   Destination address
Protocol            Protocol used in the Ethernet frame, IP packet, or TCP segment
Length              Length of the frame in bytes

Keyboard Shortcuts – main display window

Accelerator          Description
Tab or Shift+Tab     Move between screen elements, e.g. from the toolbars to the packet list to the packet detail.
↓                    Move to the next packet or detail item.
↑                    Move to the previous packet or detail item.
Ctrl+↓ or F8         Move to the next packet, even if the packet list isn't focused.
Ctrl+↑ or F7         Move to the previous packet, even if the packet list isn't focused.
Ctrl+.               Move to the next packet of the conversation (TCP, UDP or IP).
Ctrl+,               Move to the previous packet of the conversation (TCP, UDP or IP).
Alt+→ or Option+→    Move to the next packet in the selection history.
→                    In the packet detail, opens the selected tree item.
Shift+→              In the packet detail, opens the selected tree item and all of its subtrees.
Ctrl+→               In the packet detail, opens all tree items.
Ctrl+←               In the packet detail, closes all tree items.
Backspace            In the packet detail, jumps to the parent node.
Return or Enter      In the packet detail, toggles the selected tree item.

Common Filtering Commands

Usage                                     Filter syntax
Filter by IP                              ip.addr == 10.10.50.1
Filter by destination IP                  ip.dst == 10.10.50.1
Filter by source IP                       ip.src == 10.10.50.1
Filter by IP range                        ip.addr >= 10.10.50.1 and ip.addr <= 10.10.50.100
Filter by multiple IPs                    ip.addr == 10.10.50.1 and ip.addr == 10.10.50.100
Filter out / exclude an IP address        !(ip.addr == 10.10.50.1)
Filter by IP subnet                       ip.addr == 10.10.50.1/24
Filter by multiple specified IP subnets   ip.addr == 10.10.50.1/24 and ip.addr == 10.10.51.1/24
Filter by protocol                        dns, http, ftp, ssh, arp, telnet, icmp
Filter by port (TCP)                      tcp.port == 25
Filter by destination port (TCP)          tcp.dstport == 23
Filter by IP address and port             ip.addr == 10.10.50.1 and tcp.port == 25
Filter by URL                             http.host == "host name"
Filter by timestamp                       frame.time >= "June 02, 2019 18:04:00"
Filter SYN flag                           tcp.flags.syn == 1
Filter SYN flag (without ACK)             tcp.flags.syn == 1 and tcp.flags.ack == 0
Beacon filter (802.11)                    wlan.fc.type_subtype == 0x08
Broadcast filter                          eth.dst == ff:ff:ff:ff:ff:ff
Multicast filter                          (eth.dst[0] & 1)
Host name filter                          ip.host == "hostname"
MAC address filter                        eth.addr == 00:70:f4:23:18:c4
RST flag filter                           tcp.flags.reset == 1
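The filters in the table above, and the comparison, logical, slice and membership operators listed earlier, all rest on one evaluation rule that the cheat sheet does not spell out: a comparison on a field is true if any occurrence of that field in the packet satisfies it, and ip.addr / tcp.port each stand for two occurrences (source and destination). The following Python model is an added example, not code from the page or from the Wireshark project; the packets in CAPTURE are constructed records, not real traffic, and the field names are spelled as Wireshark spells them. It shows why "ip.addr == A and ip.addr == B" selects a conversation, why "!(ip.addr == X)" is the reliable exclusion form (the "!=" branch models the older "any occurrence differs" reading that Wireshark 4.0 replaced), how the CIDR form does subnet membership, and how "(eth.dst[0] & 1)" picks out multicast frames.

```python
"""Toy model of Wireshark display-filter semantics (added example; this is not
Wireshark code). Packets are constructed dicts keyed by Wireshark field names."""
import ipaddress

# Wireshark's convenience fields expand to the src/dst pair.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}

OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


def make_packet(src, dst, proto="tcp", sport=0, dport=0, syn=0, ack=0, rst=0,
                eth_dst="00:70:f4:23:18:c4", length=74):
    """Build a constructed packet record carrying the fields the cheat sheet filters on."""
    pkt = {"ip.src": src, "ip.dst": dst, "eth.dst": eth_dst, "frame.len": length}
    if proto == "tcp":
        pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags.syn": syn,
                    "tcp.flags.ack": ack, "tcp.flags.reset": rst})
    elif proto == "udp":
        pkt.update({"udp.srcport": sport, "udp.dstport": dport})
    return pkt


# Constructed sample capture (not real traffic); list index plays the role of the No. column.
CAPTURE = [
    make_packet("10.10.50.1", "10.10.50.100", sport=44321, dport=25, syn=1),              # 0 SMTP SYN
    make_packet("10.10.50.100", "10.10.50.1", sport=25, dport=44321, syn=1, ack=1),       # 1 SYN/ACK
    make_packet("10.10.51.7", "10.10.50.100", sport=51000, dport=80, ack=1, length=512),  # 2 HTTP data
    make_packet("10.10.51.7", "224.0.0.251", proto="udp", sport=5353, dport=5353,
                eth_dst="01:00:5e:00:00:fb"),                                             # 3 mDNS multicast
    make_packet("192.0.2.9", "10.10.50.1", sport=40000, dport=23, ack=1, rst=1),          # 4 telnet RST
]


def field(pkt, name):
    """All values the field takes in pkt; [] when absent (e.g. tcp.* fields on a UDP packet)."""
    if name in ALIASES:
        return [pkt[f] for f in ALIASES[name] if f in pkt]
    if name.endswith("[0]"):  # slice operator: first byte of a MAC address, as an int
        base = name[:-3]
        return [int(pkt[base].split(":")[0], 16)] if base in pkt else []
    return [pkt[name]] if name in pkt else []


def compare(pkt, name, op, value):
    """field op value: true if ANY occurrence of the field satisfies it.
    '==' against a CIDR string ('10.10.50.1/24') is a subnet-membership test.
    '!=' here is the older 'any occurrence differs' reading; Wireshark 4.0 made
    'a != b' mean '!(a == b)', which is the form the cheat sheet already uses."""
    values = field(pkt, name)
    if op == "==" and isinstance(value, str) and "/" in value:
        net = ipaddress.ip_network(value, strict=False)
        return any(ipaddress.ip_address(v) in net for v in values)
    return any(OPS[op](v, value) for v in values)


def member(pkt, name, choices):
    """Membership operator, e.g. tcp.port in {25 80}."""
    return any(v in choices for v in field(pkt, name))


# Cheat-sheet filters expressed as predicates over one packet record.
FILTERS = {
    "ip.addr == 10.10.50.1": lambda p: compare(p, "ip.addr", "==", "10.10.50.1"),
    "ip.addr != 10.10.50.1": lambda p: compare(p, "ip.addr", "!=", "10.10.50.1"),
    "!(ip.addr == 10.10.50.1)": lambda p: not compare(p, "ip.addr", "==", "10.10.50.1"),
    "ip.addr == 10.10.50.1/24": lambda p: compare(p, "ip.addr", "==", "10.10.50.1/24"),
    "ip.addr == 10.10.50.1 and tcp.port == 25": lambda p: (
        compare(p, "ip.addr", "==", "10.10.50.1") and compare(p, "tcp.port", "==", 25)),
    "tcp.flags.syn == 1 and tcp.flags.ack == 0": lambda p: (
        compare(p, "tcp.flags.syn", "==", 1) and compare(p, "tcp.flags.ack", "==", 0)),
    "tcp.flags.reset == 1": lambda p: compare(p, "tcp.flags.reset", "==", 1),
    "tcp.port in {25 80}": lambda p: member(p, "tcp.port", {25, 80}),
    "(eth.dst[0] & 1)": lambda p: any(b & 1 for b in field(p, "eth.dst[0]")),
    "frame.len > 100": lambda p: compare(p, "frame.len", ">", 100),
}


def apply_filter(expr, capture=CAPTURE):
    """Return the frame numbers (list indexes) that the named filter keeps."""
    return [i for i, pkt in enumerate(capture) if FILTERS[expr](pkt)]


if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:45} -> frames {apply_filter(expr)}")
```

Running it shows "ip.addr != 10.10.50.1" keeping every frame under the any-occurrence reading, because every packet has at least one address that is not 10.10.50.1, while "!(ip.addr == 10.10.50.1)" keeps only frames 2 and 3; the same any-occurrence rule is what makes "tcp.port == 25" match both directions of the SMTP exchange.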