Wireshark is a powerful tool that can be used to troubleshoot network problems, analyze network traffic, and learn about network protocols. It is a valuable tool for network administrators, security professionals, and anyone else who wants to learn more about how networks work.
Below are must-know Wireshark display filters for anyone working in IT:
Description | Filter | Remarks |
---|---|---|
Filter by IP address | ip.addr == x.x.x.x | "x.x.x.x" is the IP address you want to filter; ip.addr matches either the source or the destination address |
Filter by IP address range | ip.addr >= x.x.x.x and ip.addr <= y.y.y.y | "x.x.x.x" and "y.y.y.y" are the start and end IP addresses of the range |
Filter by network interface | frame.interface_name == "eth0" | shows only packets captured on the eth0 interface (the capture file must record interface names, as pcapng does) |
Filter by port | tcp.port == 80 or udp.port == 53 | "80" and "53" are the port numbers you want to filter; tcp.port and udp.port match either the source or the destination port |
Filter by packet length | frame.len > 100 | shows only packets longer than 100 bytes |
Filter by source and destination MAC address | eth.src == xx:xx:xx:xx:xx:xx or eth.dst == xx:xx:xx:xx:xx:xx | "xx:xx:xx:xx:xx:xx" is the MAC address you want to filter |
Filter by HTTP status code | http.response.code == 200 | shows only packets with HTTP status code 200 |
Filter by HTTP method | http.request.method == "GET" | shows only packets with the GET method; substitute POST, PUT, DELETE etc. |
Filter by HTTP URI | http.request.uri contains "ictkb.com" | shows only packets whose URI contains "ictkb.com" |
Filter by HTTP response code | http.response.code == 404 | shows only packets with a 404 response code |
Filter by TCP flags | tcp.flags.syn == 1 | shows packets with the SYN flag set; for the other flags substitute tcp.flags.ack, tcp.flags.reset, tcp.flags.fin, tcp.flags.urg or tcp.flags.push |
Filter by packet size | frame.len > 1000 | shows only packets larger than 1000 bytes |
Filter by DNS name | dns.qry.name contains "ictkb.com" | shows only DNS packets whose queried name contains "ictkb.com" |
Filter by HTTP cookie | http.cookie contains "sessionid" | shows only packets whose Cookie header contains "sessionid" |
Filter by TLS handshake type | tls.handshake.type == 1 | shows only packets with a TLS handshake type of Client Hello (1) |
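Wireshark evaluates every filter above against the fields its dissectors extract from each packet. The following added example (not from the original page or the Wireshark project) is a toy Python evaluator for the subset of display-filter syntax the table uses (==, >, >=, <=, contains, and/or), run over a handful of constructed packets; the packet list, the `KNOWN_FIELDS` registry and the function names are assumptions made for the example.

```python
import ipaddress
import re
# Constructed sample packets (not from a real capture). As in Wireshark,
# ip.addr and tcp.port/udp.port are multi-valued: they hold both endpoints.
PACKETS = [
    {"frame.len": 74, "ip.addr": ["10.0.0.5", "93.184.216.34"], "tcp.port": [51000, 443],
     "tcp.flags.syn": 1, "tcp.flags.ack": 0},
    {"frame.len": 583, "ip.addr": ["10.0.0.5", "93.184.216.34"], "tcp.port": [51000, 443],
     "tcp.flags.syn": 0, "tcp.flags.ack": 1, "tls.handshake.type": 1},
    {"frame.len": 89, "ip.addr": ["10.0.0.7", "10.0.0.53"], "udp.port": [40000, 53],
     "dns.qry.name": "www.ictkb.com"},
    {"frame.len": 1514, "ip.addr": ["10.0.0.9", "203.0.113.10"], "tcp.port": [52000, 80],
     "tcp.flags.syn": 0, "tcp.flags.ack": 1, "http.request.method": "GET"},
]
KNOWN_FIELDS = {name for pkt in PACKETS for name in pkt}  # stand-in for Wireshark's field registry
TOKEN = re.compile(r'"[^"]*"|\S+')                          # a quoted string or a bare word
OPS = {"==": lambda a, b: a == b, ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "<=": lambda a, b: a <= b, "contains": lambda a, b: str(b) in str(a)}  # case-sensitive substring

def as_value(text):
    """Turn a literal or a stored field value into a comparable Python value."""
    if isinstance(text, int):
        return text
    if text.startswith('"'):
        return text[1:-1]
    try:
        return ipaddress.ip_address(text)  # dotted quad: compare as an address, not as a string
    except ValueError:
        return int(text) if text.isdigit() else text

def terms(display_filter):  # 'a or b and c' -> [[a], [b, c]]: 'and' binds tighter than 'or'
    return [re.split(r"\s+and\s+", c) for c in re.split(r"\s+or\s+", display_filter)]

def unknown_fields(display_filter):  # Wireshark rejects a filter that names a non-existent field
    return [TOKEN.findall(t)[0] for c in terms(display_filter) for t in c
            if TOKEN.findall(t)[0] not in KNOWN_FIELDS]

def match_term(packet, term):
    field, op, literal = TOKEN.findall(term)  # e.g. ['ip.addr', '==', '10.0.0.5']
    if field not in packet:                   # field absent from this packet: the term is false
        return False
    values = packet[field] if isinstance(packet[field], list) else [packet[field]]
    return any(OPS[op](as_value(v), as_value(literal)) for v in values)  # any one value may satisfy it

def apply_filter(display_filter, packets=PACKETS):
    """Return the 1-based frame numbers that pass the filter, like Wireshark's packet list."""
    if unknown_fields(display_filter):
        raise ValueError(f"unknown field(s): {unknown_fields(display_filter)}")
    return [n for n, pkt in enumerate(packets, 1)
            if any(all(match_term(pkt, t) for t in clause) for clause in terms(display_filter))]
```

Running `apply_filter('ip.addr >= 10.0.0.6 and ip.addr <= 10.0.0.8')` returns frames 1, 2 and 3, not just 3: each comparison is satisfied by a different address of the multi-valued ip.addr field, which is the same gotcha the real range filter has, so check both endpoints (or use a subnet match) when the result must be exact.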