|
Check out these great references as well: |
| Our custom profiles repository for Wireshark |
| Our Udemy course on Wireshark |
| Our Udemy course on Wireless Packet capture |
Perhaps….
Wireshark uses a custom syntax to create display filters. There are millions of possibilities, but here is perhaps a top 10 list.
Of course you can edit these with appropriate addresses and numbers. The ones used are just examples.
1. ip.addr == 172.16.1.1 or ip.addr == 172.16.1.0/24
This filters for any packet with 172.16.1.1, as either the source or destination.
You can also use the “not” function to exclude a certain ip address: !(ip.addr==172.16.1.1)
2. ip.addr==172.16.1.1 && ip.addr==172.16.1.2
This creates a conversation filter between the two defined IP addresses.
You could also be more specific with ip.src==172.16.1.1 && ip.dst==172.16.1.2 but realize this would only display 1-way traffic.
3. tcp.flags.reset==1
This filter will find and display all TCP resets.
4. tcp.port==5000
This creates a filter for any TCP packet with 5000 as a source or destination port.
You could also look at a certain tcp port range: tcp.srcport < 1000
5. frame contains cellstream
This filter finds all packets that somewhere in their contain has the string “cellstream”.
Another variant is to look in TCP, but this assumes the TCP content is not encrypted, or has been decrypted: tcp contains test
6. !(arp or icmp or dns)
This filter will mask out arp, icmp, or dns protocols. This is a great way to remove protocols from the view that are not involved with troubleshooting thus allowing you to focus on the traffic that may be the problem.
7. tcp.analysis.retransmission
This filter will display all retransmissions in the trace. This is helpful when tracking down slow application performance and packet loss.
8. icmp or dns
This creates a filter to display all icmp and dns packets in the trace.
You may want to try a certain type of icmp message such as only viewing packets that errored with destination unreachable: icmp.type==3
9. http.request
This filter will find and display all HTTP GET requests.
10. udp contains 03:28:58
This filter will find the HEX values of 0x03 0x28 0x58 at any offset in the packet trace.
Should we have done a top 20? What else would you add?
OK – I cant resist, here are a few more:
11. vlan.id == 7
This filter only displays a certain vlan assuming the packets contain the VLAN ID.
12. dns.resp.name == cellstream.com
Show all DNS responses with cellstream.com in them
13. tls.handshake
Show all packets with the TLS handshake in them
14. frame.len > 1500
Find all packets that are greater than 1500 bytes in length.
15. eth.addr == DE:AD:BE:EF:CA:FE
Find all packets that are to or from the MAC address DE:AD:BE:EF:CA:FE
16. http.host == “www.cellstream.com”
Find all packets that have “www.cellstream.com” in the host header again assuming not encrypted.
17. tcp.analysis.retransmission
Show all suspected TCP packets that have been retransmitted for some reason.
There are a number of “tcp.analysis.*” filters, and if you deal with TCP issues a lot, you will want to use them, like “tcp.analysis.flags”.
Comments are welcomed below from registered users. You can also leave comments at our Discord server.
If you would like to see more content and articles like this, please support us by clicking the patron link where you will receive free bonus access to courses and more, or simply buying us a cup of coffee!