Wireshark: Top 17 Display Filters
Wireshark is a network protocol analyzer. It offers two kinds of filters: capture filters (BPF syntax, applied while packets are being captured) and display filters (Wireshark's own syntax, applied to packets already captured). Here are the 17 display filters I use most when analyzing network traffic.
- Wireshark: Top 17 Display Filters
- 1. Display traffic to and from 192.168.65.129
- 2. Display tcp and dns packets both
- 3. Display traffic with source or destination port as 443
- 4. tcp.analysis.flags
- 5. display all protocols other than arp, icmp and dns
- 6. Show traffic which contains google
- 7. Display HTTP response code of 200 in network traffic
- 8. Display HTTP request
- 9. Displaying all TCP connections with SYN packets
- 10. Show only SMTP (port 25) and ICMP traffic:
- 11. Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:
- 12. TCP buffer full -- The source is instructing the Destination to stop sending data
- 13. Filter on Windows -- Filter out noise, while watching Windows Client - DC exchanges
- 14. Pass any traffic except to or from 192.168.65.129
- 15. Match Multiple protocols
- 16. Filter out any traffic to or from 10.43.54.65 (the wrong way)
- 17. Pass all traffic except to or from 10.43.54.65 (the right way)
1. Display traffic to and from 192.168.65.129
ip.addr == 192.168.65.129
2. Display tcp and dns packets both
tcp or dns
3. Display traffic with source or destination port as 443
tcp.port == 443
tcp.port matches either the source or the destination port, but only for TCP. UDP traffic on 443 (QUIC, HTTP/3) needs udp.port == 443; use tcp.port == 443 or udp.port == 443 to see both.
4. tcp.analysis.flags
Display every packet that Wireshark's TCP analysis has flagged as unusual: retransmissions, duplicate ACKs, out-of-order segments, zero window, window full and similar conditions. It is a good first pass when troubleshooting slow or unreliable connections.
5. display all protocols other than arp, icmp and dns
!(arp or icmp or dns)
6. Show traffic which contains google
tcp contains google
contains is a case-sensitive byte-string match on the TCP payload, so "Google" would not match. For a case-insensitive match use the regular-expression operator, tcp matches "(?i)google", and use frame contains google to search every layer of every packet, including UDP.
7. Display HTTP response code of 200 in network traffic
http.response.code == 200
8. Display HTTP request
http.request
9. Displaying all TCP connections with SYN packets
tcp.flags.syn == 1
Note the == 1. A bare tcp.flags.syn only tests that the field exists, and it exists (with value 0 or 1) in every TCP segment, so it would match all TCP traffic. tcp.flags.syn == 1 matches both the initial SYN and the SYN/ACK reply; to see only connection initiations use tcp.flags.syn == 1 && tcp.flags.ack == 0.
10. Show only SMTP (port 25) and ICMP traffic:
tcp.port eq 25 or icmp
11. Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:
ip.src == 192.168.0.0/16 and ip.dst == 192.168.0.0/16
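To make the CIDR logic of this filter concrete, here is an added example (not code from the original page) that applies the same test to constructed packet addresses with Python's standard ipaddress module. It also generalizes the filter to all three RFC 1918 private ranges, which is what you need on a site that is not confined to 192.168/16; the address pairs and function names are assumptions for the illustration.

```python
import ipaddress

# The network from the page's filter: ip.src == 192.168.0.0/16 and ip.dst == 192.168.0.0/16
LAN = ipaddress.ip_network("192.168.0.0/16")

# Generalization: every RFC 1918 private range, for sites that also use 10/8 or 172.16/12.
# Equivalent display filter:
#   (ip.src == 10.0.0.0/8 or ip.src == 172.16.0.0/12 or ip.src == 192.168.0.0/16) and
#   (ip.dst == 10.0.0.0/8 or ip.dst == 172.16.0.0/12 or ip.dst == 192.168.0.0/16)
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def in_any(addr: str, networks) -> bool:
    """True if the address falls inside any of the given networks."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in networks)


def lan_only(src: str, dst: str) -> bool:
    """The page's filter: both endpoints inside 192.168.0.0/16."""
    return in_any(src, [LAN]) and in_any(dst, [LAN])


def private_only(src: str, dst: str) -> bool:
    """Generalized filter: both endpoints inside some RFC 1918 range."""
    return in_any(src, RFC1918) and in_any(dst, RFC1918)


# Constructed sample traffic as (ip.src, ip.dst) pairs; not from a real capture.
SAMPLE_PACKETS = [
    ("192.168.1.10", "192.168.1.5"),   # workstation to server, both in 192.168/16
    ("192.168.1.10", "8.8.8.8"),       # workstation to the Internet
    ("10.0.0.5", "192.168.1.5"),       # another private range talking to the LAN
    ("172.16.4.2", "10.1.2.3"),        # private to private, neither in 192.168/16
]


def apply_filter(filter_fn, packets=SAMPLE_PACKETS):
    """Return the packets a display filter would keep."""
    return [p for p in packets if filter_fn(*p)]


if __name__ == "__main__":
    print("lan_only     ->", apply_filter(lan_only))
    print("private_only ->", apply_filter(private_only))
```

The two results differ on the third and fourth packets: the page's 192.168/16 filter drops them even though neither ever leaves private address space, which is the usual surprise when this filter is reused on a multi-range network.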
12. TCP buffer full -- The sender of the packet is telling its peer to stop sending data
tcp.window_size == 0 && tcp.flags.reset != 1
A zero receive window means the host that sent the packet has no buffer space left, so the other side must pause until a window update arrives. The reset check drops RST segments, which carry a zero window but are not flow control. tcp.window_size is the window after the scale factor negotiated in the handshake is applied; tcp.window_size_value is the raw 16-bit field on the wire (zero is zero either way).
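Items 9 and 12 both test TCP header fields, so here is one added example (not from the original page) that decodes a raw 20-byte TCP header and evaluates the two filters on it: the connection-initiation test (SYN set, ACK clear) and the zero-window test with RST excluded. The header builder, sample segments and function names are constructed for the illustration.

```python
import struct

# TCP flag bits (low byte of the data-offset/flags word in the header).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into the fields the filters use."""
    sport, dport, seq, ack_num, off_flags, window, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20]
    )
    flags = off_flags & 0x1FF  # low 9 bits: NS plus the eight classic flags
    return {
        "tcp.srcport": sport,
        "tcp.dstport": dport,
        "tcp.flags.syn": bool(flags & SYN),
        "tcp.flags.ack": bool(flags & ACK),
        "tcp.flags.reset": bool(flags & RST),
        "tcp.window_size_value": window,  # raw 16-bit field on the wire
    }


def is_connection_initiation(hdr: dict) -> bool:
    """tcp.flags.syn == 1 && tcp.flags.ack == 0 (keeps the SYN, drops the SYN/ACK)."""
    return hdr["tcp.flags.syn"] and not hdr["tcp.flags.ack"]


def is_zero_window(hdr: dict, window_scale_shift: int = 0) -> bool:
    """tcp.window_size == 0 && tcp.flags.reset != 1.

    tcp.window_size is the raw value shifted by the scale negotiated in the
    handshake; a zero raw window stays zero at any scale.
    """
    effective_window = hdr["tcp.window_size_value"] << window_scale_shift
    return effective_window == 0 and not hdr["tcp.flags.reset"]


def make_segment(sport: int, dport: int, flags: int, window: int) -> bytes:
    """Build a constructed 20-byte TCP header: data offset 5, no options."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)


# Constructed sample segments, not taken from a real capture.
SAMPLE_SEGMENTS = {
    "syn": make_segment(51234, 443, SYN, 65535),          # client opens a connection
    "syn_ack": make_segment(443, 51234, SYN | ACK, 65535),  # server's reply
    "zero_window": make_segment(51234, 443, ACK, 0),      # client buffer full
    "rst": make_segment(443, 51234, RST, 0),              # reset also carries window 0
}


def classify(name: str) -> dict:
    """Run both filters on one named sample segment."""
    hdr = parse_tcp_header(SAMPLE_SEGMENTS[name])
    return {
        "initiation": is_connection_initiation(hdr),
        "zero_window": is_zero_window(hdr),
    }


if __name__ == "__main__":
    for name in SAMPLE_SEGMENTS:
        print(f"{name:12} -> {classify(name)}")
```

Two things the output makes visible: the SYN/ACK has tcp.flags.syn set just like the SYN, so a filter on the SYN bit alone returns both halves of the handshake, and the RST segment carries a zero window but is correctly dropped by the reset check.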
13. Filter on Windows -- Filter out noise, while watching Windows Client - DC exchanges
smb || nbns || dcerpc || nbss || dns
This keeps only the protocols a Windows client uses when talking to a domain controller and hides everything else. Modern domains also rely on smb2, kerberos and ldap, so add those to the list when the exchange you are tracing is missing.
14. Pass any traffic except to or from 192.168.65.129
! ( ip.addr == 192.168.65.129 )
which is equivalent to
! (ip.src == 192.168.65.129 or ip.dst == 192.168.65.129)
This translates to "pass any traffic except with a source IPv4 address of 192.168.65.129 or a destination IPv4 address of 192.168.65.129"
15. Match Multiple protocols
Some filter fields match against multiple protocol fields. For example, "ip.addr" matches against both the IP source and destination addresses in the IP header. The same is true for "tcp.port", "udp.port", "eth.addr", and others. A comparison on such a field is true if any of the occurrences matches, so
ip.addr == 192.168.0.100
is equivalent to
ip.src == 192.168.0.100 or ip.dst == 192.168.0.100
16. Filter out any traffic to or from 10.43.54.65 (the wrong way)
ip.addr != 10.43.54.65
which, with the "any not equal" semantics of the Wireshark versions this filter is usually shown for, is equivalent to
ip.src != 10.43.54.65 or ip.dst != 10.43.54.65
This translates to "pass all traffic except for traffic with a source IPv4 address of 10.43.54.65 and a destination IPv4 address of 10.43.54.65", which isn't what we wanted: a packet from 10.43.54.65 to any other host still passes, because its destination address is not 10.43.54.65. Wireshark 4.0 and later changed != on multi-valued fields to "all not equal", so the filter behaves as intended there, but the negated form in item 17 works on every version.
17. Pass all traffic except to or from 10.43.54.65 (the right way)
! ( ip.addr == 10.43.54.65 )
which is equivalent to
! (ip.src == 10.43.54.65 or ip.dst == 10.43.54.65)
This translates to "pass any traffic except with a source IPv4 address of 10.43.54.65 or a destination IPv4 address of 10.43.54.65".
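Items 14 to 17 all come down to how a comparison behaves on a field that occurs twice in a packet. The following added example (not from the original page) models ip.addr as the pair of source and destination addresses and runs the three variants over constructed traffic: "any equal" (ip.addr == x), "any not equal" (the older meaning of ip.addr != x) and "all not equal" (!(ip.addr == x)). The packet list and function names are assumptions made for the illustration.

```python
TARGET = "10.43.54.65"

# Constructed sample traffic as (ip.src, ip.dst) pairs; not from a real capture.
SAMPLE_PACKETS = [
    ("10.43.54.65", "192.168.1.20"),   # from the target
    ("192.168.1.20", "10.43.54.65"),   # to the target
    ("10.43.54.65", "10.43.54.65"),    # both sides are the target
    ("192.168.1.20", "192.168.1.30"),  # unrelated to the target
]


def ip_addr_values(pkt):
    """ip.addr is multi-valued: it is both the source and the destination address."""
    return [pkt[0], pkt[1]]


def any_eq(pkt, value) -> bool:
    """ip.addr == x : true if ANY occurrence of the field equals x."""
    return any(v == value for v in ip_addr_values(pkt))


def any_ne(pkt, value) -> bool:
    """ip.addr != x with 'any not equal' semantics (ip.src != x or ip.dst != x).

    Only a packet whose source AND destination are both x fails this test,
    which is why it does not filter the host out.
    """
    return any(v != value for v in ip_addr_values(pkt))


def all_ne(pkt, value) -> bool:
    """!(ip.addr == x): true only if NO occurrence of the field equals x."""
    return not any_eq(pkt, value)


def apply_filter(pred, value=TARGET, packets=SAMPLE_PACKETS):
    """Return the packets a display filter with the given semantics would keep."""
    return [p for p in packets if pred(p, value)]


if __name__ == "__main__":
    print("ip.addr == x      ->", apply_filter(any_eq))
    print("any_ne (!= old)   ->", apply_filter(any_ne))
    print("!(ip.addr == x)   ->", apply_filter(all_ne))
```

The "any not equal" variant keeps three of the four packets, including both packets that involve the target, and drops only the one where both addresses are 10.43.54.65, exactly the sentence in item 16. The negated form keeps only the unrelated packet.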
Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.