Wireshark: Top 17 Display Filters

Wireshark is a network protocol analyzer. Capture and Display filters are available in the tool. Here is the Wireshark top 17 display filters list, which I have used mostly by analyzing network traffic.

Wireshark: Top 17 Display Filters

1. Display traffic to and from 192.168.65.129

ip.addr == 192.168.65.129

2. Display tcp and dns packets both

tcp or dns

3. Display traffic with source or destination port as 443

tcp.port == 443

4. tcp.analysis.flags

5. display all protocols other than arp, icmp and dns

!(arp or icmp or dns)

6. Show traffic which contains google

tcp contains google

7. Display HTTP response code of 200 in network traffic

http.response.code == 200

8. Display HTTP request

http.request

9. Displaying all TCP connections with SYN packets

tcp.flags.syn

10. Show only SMTP (port 25) and ICMP traffic:

 tcp.port eq 25 or icmp

11. Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:

ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16

12. TCP buffer full -- The source is instructing the Destination to stop sending data

 tcp.window_size == 0 && tcp.flags.reset != 1

13. Filter on Windows -- Filter out noise, while watching Windows Client - DC exchanges

 smb || nbns || dcerpc || nbss || dns

14. Pass any traffic except

! ( ip.addr == 192.168.65.129 )
which is equivalent to
 ! (ip.src == 192.168.65.129 or ip.dst == 192.168.65.129)

This translates to "pass any traffic except with a source IPv4 address of 192.168.65.129 or a destination IPv4 address of 192.168.65.129"

15. Match Multiple protocols

Some filter fields match against multiple protocol fields. For example, "ip.addr" matches against both the IP source and destination addresses in the IP header. The same is true for "tcp.port", "udp.port", "eth.addr", and others. It's important to note that
ip.addr == 192.168.0.100
is equivalent to
ip.src == 192.168.0.100 or ip.dst == 192.168.0.100

 16. Filter out any traffic to or from 10.43.54.65

ip.addr != 192.168.0.100
which is equivalent to
ip.src != 192.168.0.100 or ip.dst != 192.168.0.100

17. Pass all traffic except

This translates to "pass all traffic except for traffic with a source IPv4 address of 10.43.54.65 and a destination IPv4 address of 10.43.54.65", which isn't what we wanted.  ! ( ip.addr == 10.43.54.65 )
which is equivalent to
! (ip.src == 10.43.54.65 or ip.dst == 10.43.54.65)

This translates to "pass any traffic except with a source IPv4 address of 10.43.54.65 or a destination IPv4 address of 10.43.54.65".

Subscribe us to receive more such articles updates in your email.

If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

10 Blockchain Security Vulnerabilities OWASP API Top 10 - 2023 7 Facts You Should Know About WormGPT OWASP Top 10 for Large Language Models (LLMs) Applications Top 10 Blockchain Security Issues