Skip to main content

Wireshark commands

This page contain list of filters used for wireshark

Filters out arp, icmp, stp protocols to reduce background noise

!(arp or icmp or stp)

Captures all IPv6 traffic within the local network that is multicast

dst host ff02::1  

Filter MAC Address


Filter MAC Address


offset filter for HEX values of 0x01 and 0x80 at the offset location of 0x47

eth[0x47:2] == 01:80 

Captures only traffic to or from the MAC address used. Capitalizing hexadecimal letters does not matter. Example: ether host 01:0c:5e:00:53:00

 ether host ##:##:##:##:##:##

displays all packets that contain the word ‘traffic’.

frame contains traffic

Capture only traffic to or from a specific IP address. Example: host

host #.#.#.#

Capture all traffic, exclude specific packets.

host and not (port xx or port yy)

Filter to HTTP Basic Authentication


Filter to HTTP Cookies


Filter to HTTP data packets

Filter to HTTP Referer headers


Sets a filter for all HTTP GET and POST requests.


Filter to HTTP Server


Filter to HTTP User Agent strings


Filter to HTTP authentication


Captures only IPv4 traffic


Capture only IPv6 over IPv4 Tunnelled Traffic

ip proto 41

Shows packets to and from any address in the space

ip.addr ==

Sets a filter for any packet with, as either the src or dest

ip.addr ==

sets a conversation filter between the two defined IP addresses

ip.addr== && ip.addr==

Filter IP to destination


Filter IP to source


Capures only IPv6 traffic


Capture IPv6 Native Traffic Only. This will exclude tunnelled IPv6.

ip6 and not ip proto 41

Capture traffic to or from (sources or destinations) a range of IP addresses

net #.#.#.#/24

Capture only Unicast traffic.

not broadcast and not multicast

Captures only a particular src or dst port

port ##

Captures all SIP traffic (VoIP)

port sip

Capture PPPOE traffic


Captures only TCP traffic


searches TCP packets for that string

Capture traffic within a range of ports tcp 
portrange 1800-1880

displays all retransmissions, duplicate acks, zero windows, and more in the trace

tcp.analysis.flags && !tcp.analysis.window_update

Filter Port to TCP destination


displays all TCP SYN/ACK packets & shows the connections that had a positive response. Related to this is tcp.flags.syn==1 ```bash tcp.flags == 0x012

sets a filter for any TCP packet with 4000 as src or dest   

Filter port to TCP source


sets a filter to display all tcp packets that have a delta time of greater than 250ms

tcp.time_delta > .250

Filter Port to UDP destination


Filter Port to UDP source


Captures only VLAN traffic.


Filter to 802.11 Management Frame

wlan.fc.type eq 0

Filter to 802.11 Control Frame

wlan.fc.type eq 1

Filter to 802.11 Association Requests

wlan.fc.type_subtype eq 0 (1=response)

Filter to 802.11 Authentication Requests

wlan.fc.type_subtype eq 11 (12=authenticate)

Filter to 802.11 Reassociation Requests

wlan.fc.type_subtype eq 2 (3=response)

Filter to 802.11 Probe Requests

wlan.fc.type_subtype eq 4 (5=response)

Filter to 802.11 Beacons

wlan.fc.type_subtype eq 8