search

Search Filters

Wireshark provides a vast array of filters to help us focus on specific types of network traffic. Filters in Wireshark can be categorized into Capture Filters (set before starting the packet capture) and Display Filters (used after capturing packets to filter and display specific packets).

hashtag
1. Capture Filters

Capture filters are applied during packet capture and determine which packets are recorded. These filters use the Berkeley Packet Filter (BPF) syntax.

hashtag
Capture Specific Protocols

  • Capture only HTTP traffic:

    port 80

  • Capture only TCP traffic:

    tcp

  • Capture only UDP traffic:

    udp

  • Capture only ICMP traffic:

    icmp

hashtag
Filter by IP Address

  • Capture packets to or from a specific IP:

    host 192.168.1.1

  • Capture packets from a specific subnet:

    net 192.168.1.0/24

hashtag
Filter by Port

  • Capture traffic on a specific port (e.g., HTTP):

  • Capture traffic on multiple ports:

hashtag
Exclude Traffic

  • Exclude packets to/from a specific host:

  • Exclude traffic on a port:

hashtag
Capture Traffic Between Hosts

hashtag
2. Display Filters

Display filters are used after the packets have been captured to refine what we see. They use Wireshark's own syntax and allow for more advanced filtering options compared to capture filters.

hashtag
Protocol Filters

  • Filter by Protocol:

    • Show only TCP packets:

    • Show only DNS packets:

    • Show only HTTP packets:

    • Show only ARP packets:

hashtag
Filter by IP Address

  • Filter by Source or Destination IP:

    • Source IP:

    • Destination IP:

    • Any packets to/from an IP:

  • Filter by Subnet:

hashtag
Filter by Ports

  • Filter by Specific Port:

    • Source Port:

    • Destination Port:

    • Any packets using a port:

  • Filter by Port Range:

hashtag
TCP-Specific Filters

  • Filter by TCP Flags:

    • SYN packets:

    • ACK packets:

    • Reset packets:

    • FIN packets:

  • Filter by TCP Errors:

    • Retransmissions:

    • Out-of-order packets:

    • Duplicate ACKs:

    • ACK lost segments:

hashtag
HTTP-Specific Filters

  • Filter by HTTP Methods:

    • GET requests:

    • POST requests:

  • Filter by HTTP Response Codes:

    • Errors (4xx and 5xx):

  • Filter by Content Type:

hashtag
DNS-Specific Filters

  • Filter by DNS Query or Response:

    • Show only DNS queries:

    • Show only DNS responses:

  • Filter by DNS Error Responses:

hashtag
ICMP-Specific Filters

  • Filter by ICMP Type:

    • Echo Request:

    • Echo Reply:

  • Filter by ICMP Error Messages:

    • Destination Unreachable:

    • Time Exceeded:

hashtag
TLS/SSL-Specific Filters

  • Filter by Handshake Messages:

    • ClientHello:

    • ServerHello:

  • Filter Encrypted Traffic:

hashtag
Application-Layer Filters

  • Filter by Payload Content:

    • Search for specific text in the payload:

    • Search for JSON with specific keys:

  • Filter for Specific SQL Errors:

hashtag
Error Filters

  • General Error Filters:

  • Warnings:

hashtag
Other Filters

  • Filter by Frame Length:

    • Frames larger than 1000 bytes:

  • Filter by Time:

    • Packets captured after a specific time:

  • Custom Filters: Combine multiple filters using and, or, and not:

PreviousWiresharkNextSonarQube

Last updated