
Wireshark commands

This page contains a list of filters used with Wireshark. Note that two different syntaxes are mixed here: capture filters (BPF syntax, e.g. `host`, `port`, `net`) are applied while capturing, while display filters (field syntax, e.g. `ip.addr`, `tcp.flags`) are applied to packets already captured; the two are not interchangeable.

Filters out the ARP, ICMP and STP protocols to reduce background noise

!(arp or icmp or stp)

Captures IPv6 multicast traffic sent to all nodes on the local link (the ff02::1 address)

dst host ff02::1

Filter by MAC address (matches either source or destination)

eth.addr

Filter by destination or source MAC address

eth.dst, eth.src

Offset filter matching the hex bytes 0x01 and 0x80 at byte offset 0x47 of the frame

eth[0x47:2] == 01:80

Captures only traffic to or from the given MAC address; the case of the hexadecimal letters does not matter. Example: ether host 01:0c:5e:00:53:00

ether host ##:##:##:##:##:##

Displays all packets that contain the string "traffic"

frame contains "traffic"

Captures only traffic to or from a specific IP address. Example: host 192.168.1.1

host #.#.#.#

Captures all traffic to or from a host, excluding specific ports

host www.example.com and not (port xx or port yy)

Filter to HTTP Basic Authentication

http.authbasic

Filter to HTTP Cookies

http.cookie

Filter to HTTP data packets

http.data

Filter to HTTP Referer headers

http.referer

Displays all HTTP requests, including GET and POST

http.request

Filter to HTTP Server

http.server

Filter to HTTP User Agent strings

http.user_agent

Filter to HTTP WWW-Authenticate headers

http.www_authenticate

Captures only IPv4 traffic

ip

Capture only IPv6 over IPv4 Tunnelled Traffic

ip proto 41

Shows packets to and from any address in the 10.0.0.0/24 space

ip.addr == 10.0.0.0/24

Sets a filter for any packet with 10.0.0.1, as either the src or dest

ip.addr == 10.0.0.1

sets a conversation filter between the two defined IP addresses

ip.addr==10.0.0.1 && ip.addr==10.0.0.2

Filter by destination IP address

ip.dst

Filter by source IP address

ip.src

Captures only IPv6 traffic

ip6

Captures native IPv6 traffic only, excluding IPv6 tunnelled over IPv4

ip6 and not ip proto 41

Captures traffic to or from (source or destination) a range of IP addresses

net #.#.#.#/24

Capture only Unicast traffic.

not broadcast and not multicast

Captures only traffic with a particular source or destination port

port ##

Captures all SIP traffic (VoIP)

port sip

Captures PPPoE session traffic

pppoes

Captures only TCP traffic

tcp

Searches TCP packets for a given string

Captures traffic within a range of TCP ports

tcp portrange 1800-1880

Displays all retransmissions, duplicate ACKs, zero windows and other TCP analysis flags in the trace, excluding window updates

tcp.analysis.flags && !tcp.analysis.window_update

Filter Port to TCP destination

tcp.dstport

Displays all TCP SYN/ACK packets, i.e. the connections that received a positive response. Related to this is tcp.flags.syn==1

tcp.flags == 0x012

Sets a filter for any TCP packet with 4000 as the source or destination port

tcp.port==4000
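To make the TCP flag and offset filters above concrete, here is an added example (not part of the original page, and not Wireshark's own code) that builds three constructed Ethernet/IPv4/TCP frames and evaluates the semantics of `tcp.flags == 0x012`, `tcp.flags.syn==1`, `tcp.port==4000` and `eth[0x47:2] == 01:80` over them. The frame builder, the field names and the sample MAC/IP addresses are assumptions chosen for illustration; the point it shows is that 0x012 is the exact combination ACK (0x10) + SYN (0x02), so a plain SYN or a bare ACK does not match, whereas `tcp.flags.syn==1` matches any packet with the SYN bit set.

```python
import struct

# TCP flag bits as they appear in Wireshark's tcp.flags field
# (the low 9 bits of the 16-bit data-offset/flags word).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_frame(src_port, dst_port, flags, payload=b""):
    """Build a minimal Ethernet II + IPv4 + TCP frame (constructed sample input).
    Checksums are left at zero: this is for filter semantics, not transmission.
    MAC addresses come from the RFC 7042 documentation range; IPs are 10.0.0.x."""
    eth = bytes.fromhex("00005e00530000005e005301") + struct.pack("!H", 0x0800)
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # Data offset 5 (20-byte header) in the top 4 bits, flags in the low 9 bits.
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, 1, 1,
                      (5 << 12) | flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def tcp_fields(frame):
    """Extract the few fields the display filters on this page refer to."""
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    tcp = frame[14 + ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    flags = struct.unpack("!H", tcp[12:14])[0] & 0x1FF
    return {"tcp.srcport": src_port, "tcp.dstport": dst_port, "tcp.flags": flags}


def match_flags_equal(frame, value):
    """tcp.flags == value: the whole flag set must equal value (0x012 = SYN+ACK only)."""
    return tcp_fields(frame)["tcp.flags"] == value


def match_syn_set(frame):
    """tcp.flags.syn == 1: SYN bit set, whatever the other bits are."""
    return bool(tcp_fields(frame)["tcp.flags"] & TCP_SYN)


def match_port(frame, port):
    """tcp.port == port: matches either the source or the destination port."""
    f = tcp_fields(frame)
    return port in (f["tcp.srcport"], f["tcp.dstport"])


def match_eth_slice(frame, offset, length, expected):
    """eth[offset:length] == expected: compare raw bytes counted from the frame start.
    A frame shorter than offset+length yields no bytes and therefore does not match."""
    return frame[offset:offset + length] == bytes(expected)


# Constructed samples: a handshake to port 4000 plus one data packet whose
# payload places the bytes 01 80 at frame offset 0x47 (54-byte headers + 17).
SYN = build_frame(51000, 4000, TCP_SYN)
SYN_ACK = build_frame(4000, 51000, TCP_SYN | TCP_ACK)
ACK = build_frame(51000, 4000, TCP_ACK)
DATA = build_frame(51000, 4000, TCP_PSH | TCP_ACK, bytes(17) + b"\x01\x80" + bytes(5))


def run_samples():
    """Evaluate the page's filters over the constructed frames."""
    handshake = (SYN, SYN_ACK, ACK)
    return {
        "syn_ack_only": [match_flags_equal(f, 0x012) for f in handshake],
        "syn_bit": [match_syn_set(f) for f in handshake],
        "port_4000": [match_port(f, 4000) for f in handshake],
        "hex_at_0x47": [match_eth_slice(f, 0x47, 2, b"\x01\x80") for f in (SYN, DATA)],
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result}")
```

Only the SYN/ACK frame satisfies `tcp.flags == 0x012`, which is why that filter is a quick way to list the services that actually answered during a capture, while `tcp.port==4000` matches all three handshake packets regardless of direction.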

Filter port to TCP source

tcp.srcport

Displays all TCP packets with a delta time greater than 250 ms

tcp.time_delta > .250

Filter Port to UDP destination

udp.dstport

Filter Port to UDP source

udp.srcport

Captures only VLAN traffic.

vlan

Filter to 802.11 Management Frame

wlan.fc.type eq 0

Filter to 802.11 Control Frame

wlan.fc.type eq 1

Filter to 802.11 Association Requests (subtype 1 = association response)

wlan.fc.type_subtype eq 0

Filter to 802.11 Authentication frames (subtype 12 = deauthentication)

wlan.fc.type_subtype eq 11

Filter to 802.11 Reassociation Requests (subtype 3 = reassociation response)

wlan.fc.type_subtype eq 2

Filter to 802.11 Probe Requests (subtype 5 = probe response)

wlan.fc.type_subtype eq 4

Filter to 802.11 Beacons

wlan.fc.type_subtype eq 8