Wireshark commands
This page contains a list of filters used with Wireshark. Two different syntaxes are mixed below and each entry is labelled accordingly: capture filters (libpcap/BPF syntax such as host, net, port, ether host, ip proto 41) are applied by the capture engine, and packets they reject are never written to the trace; display filters (dotted field syntax such as ip.addr, tcp.flags, http.request) only hide packets that are already in the trace and can be changed at any time. Entering one syntax in the other's filter box gives a syntax error. With tshark, -f takes a capture filter and -Y takes a display filter.
Filters out ARP, ICMP and STP to reduce background noise (display filter)
!(arp or icmp or stp)
Captures IPv6 traffic sent to the link-local all-nodes multicast address ff02::1 (capture filter; this is one multicast group, not all IPv6 multicast)
dst host ff02::1
Filter on a MAC address appearing as either source or destination (display filter). Example: eth.addr == 00:0c:29:aa:bb:cc
eth.addr
Filter on the destination MAC address only, or on the source MAC address only (display filters)
eth.dst
eth.src
Byte-offset filter: matches frames whose two bytes at offset 0x47 are 0x01 0x80 (display filter slice syntax; frame[0x47:2] == 01:80 slices from the first byte of the frame independent of the link layer)
eth[0x47:2] == 01:80
Captures only traffic to or from the given MAC address (capture filter). Case of the hexadecimal letters does not matter. Example: ether host 01:0c:5e:00:53:00
ether host ##:##:##:##:##:##
Displays all packets whose raw bytes contain the string "traffic" (display filter; quote the string so it is not parsed as a field name)
frame contains "traffic"
Captures only traffic to or from a specific IP address (capture filter). Example: host 192.168.1.1
host #.#.#.#
Captures all traffic to or from a host except the listed ports (capture filter; replace xx and yy with port numbers)
host www.example.com and not (port xx or port yy)
Filter to HTTP Basic Authentication headers (display filter; the credentials are only base64-encoded, so cleartext HTTP matched by this filter exposes them directly)
http.authbasic
Filter to HTTP Cookie headers (display filter)
http.cookie
Filter to HTTP data packets (display filter)
http.data
Filter to HTTP Referer headers (display filter)
http.referer
Displays all HTTP requests regardless of method, not only GET and POST (display filter). Narrow to one method with http.request.method == "GET"
http.request
Filter to HTTP Server response headers (display filter)
http.server
Filter to HTTP User-Agent strings (display filter)
http.user_agent
Filter to HTTP WWW-Authenticate challenge headers (display filter; the field name is www_authenticate)
http.www_authenticate
Captures only IPv4 traffic (capture filter)
ip
Captures only IPv6-over-IPv4 tunnelled traffic, i.e. 6in4, IP protocol 41 (capture filter)
ip proto 41
Shows packets to or from any address in the 10.0.0.0/24 space (display filter)
ip.addr == 10.0.0.0/24
Sets a filter for any packet with 10.0.0.1 as either the source or the destination (display filter). To exclude a host use !(ip.addr == 10.0.0.1); ip.addr != 10.0.0.1 has historically meant "either address differs", which matches almost every packet
ip.addr == 10.0.0.1
Sets a conversation filter between the two IP addresses, in both directions (display filter)
ip.addr == 10.0.0.1 && ip.addr == 10.0.0.2
Filter on the destination IP address (display filter). Example: ip.dst == 10.0.0.1
ip.dst
Filter on the source IP address (display filter). Example: ip.src == 10.0.0.1
ip.src
Captures only IPv6 traffic (capture filter)
ip6
Captures native IPv6 only, excluding IPv6 tunnelled in IPv4 (capture filter)
ip6 and not ip proto 41
Captures traffic to or from a range of IP addresses (capture filter). Example: net 10.0.0.0/24
net #.#.#.#/24
Captures only unicast traffic (capture filter)
not broadcast and not multicast
Captures only a particular source or destination port, TCP or UDP (capture filter). Example: port 53
port ##
Captures SIP signalling (VoIP) on the standard port; "sip" is resolved from the services file to 5060 (capture filter). RTP media streams use other ports and are not included
port sip
Captures PPPoE session traffic (capture filter)
pppoes
Captures only TCP traffic (capture filter)
tcp
Searches TCP packets for a string (display filter; quote the string)
tcp contains "traffic"
Captures traffic within a range of TCP ports (capture filter)
tcp portrange 1800-1880
Displays all retransmissions, duplicate ACKs, zero windows and other TCP analysis flags in the trace, excluding the noisy window updates (display filter)
tcp.analysis.flags && !tcp.analysis.window_update
Filter on the TCP destination port (display filter). Example: tcp.dstport == 443
tcp.dstport
Displays all TCP SYN/ACK packets, i.e. the connections that got a positive response (display filter). tcp.flags.syn == 1 also matches these, because SYN is set in both the SYN and the SYN/ACK; use tcp.flags.syn == 1 && tcp.flags.ack == 0 for the initial SYNs only
tcp.flags == 0x012
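The SYN/ACK entry above compares the exact value of the 12-bit tcp.flags field, whereas tcp.flags.syn == 1 tests a single bit. The following Python script is an added example, not part of the original page: it builds three constructed TCP headers for a handshake between client port 4000 and server port 443 and evaluates the same conditions (tcp.flags == 0x012, tcp.flags.syn == 1, tcp.flags.syn == 1 && tcp.flags.ack == 0, tcp.port == 4000) directly on the header bytes. Function and constant names are my own.

```python
import struct

# TCP flag bits laid out as Wireshark's 12-bit tcp.flags field:
# the low byte is byte 13 of the TCP header, NS is bit 0 of byte 12.
TCP_FLAG_BITS = {
    "FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
    "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080,
    "NS": 0x100,
}


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header (no options) for the example.
    flags is the 12-bit value; 0x100 lands in the low bit of the
    data-offset byte, the remaining eight bits in the flags byte."""
    offset_ns = (5 << 4) | ((flags >> 8) & 0x01)  # data offset 5 words, reserved 0, NS
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_ns, flags & 0xFF, 65535, 0, 0)


def tcp_flags(hdr):
    """Return the 12-bit value Wireshark shows as tcp.flags."""
    offset_ns, flags = hdr[12], hdr[13]
    return ((offset_ns & 0x01) << 8) | flags


def flag_names(flags):
    return [name for name, bit in TCP_FLAG_BITS.items() if flags & bit]


def matches_syn_ack(hdr):
    """Equivalent of tcp.flags == 0x012: exactly SYN and ACK set, nothing else."""
    return tcp_flags(hdr) == 0x012


def matches_syn_set(hdr):
    """Equivalent of tcp.flags.syn == 1: SYN set, other flags unconstrained."""
    return bool(tcp_flags(hdr) & TCP_FLAG_BITS["SYN"])


def matches_initial_syn(hdr):
    """Equivalent of tcp.flags.syn == 1 && tcp.flags.ack == 0: the client's opening SYN."""
    f = tcp_flags(hdr)
    return bool(f & TCP_FLAG_BITS["SYN"]) and not (f & TCP_FLAG_BITS["ACK"])


def matches_port(hdr, port):
    """Equivalent of tcp.port == port: matches source or destination port."""
    sport, dport = struct.unpack("!HH", hdr[:4])
    return port in (sport, dport)


# Constructed three-way handshake (example data, not a real capture)
HANDSHAKE = {
    "syn": build_tcp_header(4000, 443, 0x002, seq=1000),
    "syn_ack": build_tcp_header(443, 4000, 0x012, seq=5000, ack=1001),
    "ack": build_tcp_header(4000, 443, 0x010, seq=1001, ack=5001),
}


def classify(packets=HANDSHAKE):
    """Evaluate each display-filter condition against every packet."""
    return {
        name: {
            "flags": flag_names(tcp_flags(h)),
            "tcp.flags == 0x012": matches_syn_ack(h),
            "tcp.flags.syn == 1": matches_syn_set(h),
            "tcp.flags.syn == 1 && tcp.flags.ack == 0": matches_initial_syn(h),
            "tcp.port == 4000": matches_port(h, 4000),
        }
        for name, h in packets.items()
    }


if __name__ == "__main__":
    for name, result in classify().items():
        print(name, result)
```

Running it shows that only the SYN/ACK satisfies tcp.flags == 0x012, that both the SYN and the SYN/ACK satisfy tcp.flags.syn == 1, and that all three packets satisfy tcp.port == 4000, which is why the port filter below catches both directions of the conversation.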
Sets a filter for any TCP packet with 4000 as the source or destination port (display filter)
tcp.port == 4000
Filter on the TCP source port (display filter). Example: tcp.srcport == 4000
tcp.srcport
Displays all TCP packets arriving more than 250 ms after the previous packet of the same TCP stream (display filter; requires the TCP preference "Calculate conversation timestamps" to be enabled)
tcp.time_delta > 0.250
Filter on the UDP destination port (display filter). Example: udp.dstport == 53
udp.dstport
Filter on the UDP source port (display filter). Example: udp.srcport == 53
udp.srcport
Captures only 802.1Q VLAN-tagged traffic (capture filter)
vlan
Filter to 802.11 management frames (display filter; type 1 = control, type 2 = data)
wlan.fc.type eq 0
Filter to 802.11 control frames (display filter)
wlan.fc.type eq 1
Filter to 802.11 Association Requests (display filter; subtype 1 = Association Response)
wlan.fc.type_subtype eq 0
Filter to 802.11 Authentication frames; both the request and the response use subtype 11 (display filter). Subtype 12 is Deauthentication and subtype 10 is Disassociation; a burst of subtype 12 frames aimed at one client is the classic deauthentication attack
wlan.fc.type_subtype eq 11
Filter to 802.11 Reassociation Requests (display filter; subtype 3 = Reassociation Response)
wlan.fc.type_subtype eq 2
Filter to 802.11 Probe Requests (display filter; subtype 5 = Probe Response)
wlan.fc.type_subtype eq 4
Filter to 802.11 Beacons (display filter)
wlan.fc.type_subtype eq 8
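The subtype values in the 802.11 entries above come from the 2-byte, little-endian Frame Control field at the start of every frame: bits 0-1 are the protocol version, bits 2-3 the type and bits 4-7 the subtype, and wlan.fc.type_subtype is (type << 4) | subtype. The following Python script is an added example, not from the original page: it decodes Frame Control from constructed management, control and data frames, reproduces the wlan.fc.type_subtype comparison, and tallies deauthentication frames per transmitter address, which is the check a practitioner runs when clients keep dropping off a network. The frame bytes, MAC addresses and function names are constructed for the example.

```python
import struct

# Management subtypes as wlan.fc.type_subtype values (type 0, so value == subtype)
MGMT_SUBTYPES = {
    0: "Association Request", 1: "Association Response",
    2: "Reassociation Request", 3: "Reassociation Response",
    4: "Probe Request", 5: "Probe Response",
    8: "Beacon", 10: "Disassociation", 11: "Authentication",
    12: "Deauthentication",
}
FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data"}


def parse_frame_control(frame):
    """Decode the 2-byte little-endian Frame Control field of an 802.11 frame."""
    fc, = struct.unpack("<H", frame[:2])
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    return {
        "version": fc & 0x3,
        "wlan.fc.type": ftype,
        "wlan.fc.subtype": subtype,
        "wlan.fc.type_subtype": (ftype << 4) | subtype,  # value Wireshark compares against
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "retry": bool(fc & 0x0800),
        "protected": bool(fc & 0x4000),
    }


def describe(frame):
    fc = parse_frame_control(frame)
    if fc["wlan.fc.type"] == 0:
        return MGMT_SUBTYPES.get(fc["wlan.fc.subtype"],
                                 "Management subtype %d" % fc["wlan.fc.subtype"])
    return "%s frame" % FRAME_TYPES.get(fc["wlan.fc.type"], "Reserved")


def matches(frame, type_subtype):
    """Equivalent of the display filter wlan.fc.type_subtype eq N."""
    return parse_frame_control(frame)["wlan.fc.type_subtype"] == type_subtype


def mgmt_header(subtype, da, sa, bssid, seq=0, flags=0):
    """Constructed 24-byte management header: FC, duration, addr1 (DA),
    addr2 (SA/transmitter), addr3 (BSSID), sequence control."""
    fc = (subtype << 4) | (0 << 2)  # type 0 = management
    return (struct.pack("<H", fc | (flags << 8)) + struct.pack("<H", 0)
            + da + sa + bssid + struct.pack("<H", seq << 4))


# Constructed addresses and frames (example data, not a real capture)
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("66778899aabb")
BCAST = b"\xff" * 6
SAMPLES = {
    "beacon": mgmt_header(8, BCAST, AP, AP),
    "probe_req": mgmt_header(4, BCAST, STA, BCAST),
    "auth": mgmt_header(11, AP, STA, AP),
    "deauth": mgmt_header(12, STA, AP, AP),
    # ACK control frame: FC 0xd4 (type 1, subtype 13), duration, receiver address
    "ack": b"\xd4\x00\x00\x00" + STA,
    # Data frame with the To DS flag set (FC 0x0108)
    "data": b"\x08\x01\x00\x00" + AP + STA + AP + b"\x00\x00",
}


def count_deauths_by_sender(frames):
    """Tally deauthentication frames (wlan.fc.type_subtype eq 12) per transmitter
    address (addr2); a large count from one address is a deauthentication flood."""
    counts = {}
    for f in frames:
        if matches(f, 12):
            sender = f[10:16].hex(":")
            counts[sender] = counts.get(sender, 0) + 1
    return counts


if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        fc = parse_frame_control(frame)
        print(name, describe(frame), "type_subtype=0x%02x" % fc["wlan.fc.type_subtype"])
    print(count_deauths_by_sender([SAMPLES["deauth"]] * 3 + [SAMPLES["beacon"]]))
```

Note that control and data frames get values above 15 (the ACK decodes to 0x1d, the data frame to 0x20), which is why a plain wlan.fc.type_subtype eq 8 never matches a data frame even though its low four bits could be 8.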