Search Filters

Wireshark provides a vast array of filters to help us focus on specific types of network traffic. Filters in Wireshark can be categorized into Capture Filters (set before starting the packet capture) and Display Filters (used after capturing packets to filter and display specific packets).

1. Capture Filters

Capture filters are applied during packet capture and determine which packets are recorded. These filters use the Berkeley Packet Filter (BPF) syntax.

Capture Specific Protocols

  • Capture only HTTP traffic:

    port 80
  • Capture only TCP traffic:

    tcp
  • Capture only UDP traffic:

    udp
  • Capture only ICMP traffic:

    icmp

Filter by IP Address

  • Capture packets to or from a specific IP:

    host 192.168.1.1
  • Capture packets from a specific subnet:

    net 192.168.1.0/24

Filter by Port

  • Capture traffic on a specific port (e.g., HTTP):

    port 80
  • Capture traffic on multiple ports:

    port 80 or port 443

Exclude Traffic

  • Exclude packets to/from a specific host:

    not host 192.168.1.1
  • Exclude traffic on a port:

    not port 22

Capture Traffic Between Hosts

host 192.168.1.1 and host 192.168.1.2

2. Display Filters

Display filters are used after the packets have been captured to refine what we see. They use Wireshark's own syntax and allow for more advanced filtering options compared to capture filters.

Protocol Filters

  • Filter by Protocol:

    • Show only TCP packets:

      tcp
    • Show only DNS packets:

      dns
    • Show only HTTP packets:

      http
    • Show only ARP packets:

      arp

Filter by IP Address

  • Filter by Source or Destination IP:

    • Source IP:

      ip.src == 192.168.1.1
    • Destination IP:

      ip.dst == 192.168.1.2
    • Any packets to/from an IP:

      ip.addr == 192.168.1.1
  • Filter by Subnet:

    ip.addr == 192.168.1.0/24

Filter by Ports

  • Filter by Specific Port:

    • Source Port:

      tcp.srcport == 80
    • Destination Port:

      tcp.dstport == 443
    • Any packets using a port:

      tcp.port == 80
  • Filter by Port Range:

    tcp.port >= 1000 and tcp.port <= 2000

TCP-Specific Filters

  • Filter by TCP Flags:

    • SYN packets:

      tcp.flags.syn == 1
    • ACK packets:

      tcp.flags.ack == 1
    • Reset packets:

      tcp.flags.reset == 1
    • FIN packets:

      tcp.flags.fin == 1
  • Filter by TCP Errors:

    • Retransmissions:

      tcp.analysis.retransmission
    • Out-of-order packets:

      tcp.analysis.out_of_order
    • Duplicate ACKs:

      tcp.analysis.duplicate_ack
    • ACK lost segments:

      tcp.analysis.ack_lost_segment

HTTP-Specific Filters

  • Filter by HTTP Methods:

    • GET requests:

      http.request.method == "GET"
    • POST requests:

      http.request.method == "POST"
  • Filter by HTTP Response Codes:

    • Errors (4xx and 5xx):

      http.response.code >= 400
  • Filter by Content Type:

    http.content_type contains "json"

DNS-Specific Filters

  • Filter by DNS Query or Response:

    • Show only DNS queries:

      dns.flags.response == 0
    • Show only DNS responses:

      dns.flags.response == 1
  • Filter by DNS Error Responses:

    dns.flags.rcode != 0

ICMP-Specific Filters

  • Filter by ICMP Type:

    • Echo Request:

      icmp.type == 8
    • Echo Reply:

      icmp.type == 0
  • Filter by ICMP Error Messages:

    • Destination Unreachable:

      icmp.type == 3
    • Time Exceeded:

      icmp.type == 11

TLS/SSL-Specific Filters

  • Filter by Handshake Messages:

    • ClientHello:

      ssl.handshake.type == 1
    • ServerHello:

      ssl.handshake.type == 2
  • Filter Encrypted Traffic:

    ssl.record.content_type == 23

Application-Layer Filters

  • Filter by Payload Content:

    • Search for specific text in the payload:

      frame contains "error"
    • Search for JSON with specific keys:

      json.key contains "status"
  • Filter for Specific SQL Errors:

    frame contains "SQLException"

Error Filters

  • General Error Filters:

    _ws.expert.severity == error
  • Warnings:

    _ws.expert.severity == warning

Other Filters

  • Filter by Frame Length:

    • Frames larger than 1000 bytes:

      frame.len > 1000
  • Filter by Time:

    • Packets captured after a specific time:

      frame.time >= "2024-12-24 10:00:00"
  • Custom Filters: Combine multiple filters using and, or, and not:

    ip.addr == 192.168.1.1 and tcp.port == 80

Last updated