Search Filters
Wireshark provides a vast array of filters to help us focus on specific types of network traffic. They fall into two categories: capture filters, set before the capture starts and applied to every packet as it arrives, and display filters, applied after the capture to select which of the recorded packets are shown.
1. Capture Filters
Capture filters are applied while packets are being captured and determine which packets are recorded at all. They use the Berkeley Packet Filter (BPF) syntax shared with tcpdump, so an expression that works in tcpdump works here too. Two caveats: a capture filter cannot be changed once the capture is running, and packets it rejects are never written to the file, so when investigating an incident it is usually safer to capture broadly and narrow down with display filters afterwards.
Capture Specific Protocols
Capture only HTTP traffic (BPF matches on port numbers, not on the application protocol, so this records whatever happens to use TCP port 80):
tcp port 80
Capture only TCP traffic:
tcp
Capture only UDP traffic:
udp
Capture only ICMP traffic:
icmp
Filter by IP Address
Capture packets to or from a specific IP:
host 192.168.1.1
Capture packets from a specific subnet:
net 192.168.1.0/24
Filter by Port
Capture traffic on a specific port (e.g., HTTP):
port 80
Capture traffic on multiple ports:
port 80 or port 443
Exclude Traffic
Exclude packets to/from a specific host:
not host 192.168.1.1
Exclude traffic on a port (for example to keep your own SSH session out of a capture taken over SSH):
not port 22
Capture Traffic Between Hosts
host 192.168.1.1 and host 192.168.1.2
2. Display Filters
Display filters are used after the packets have been captured to refine what we see. They use Wireshark's own syntax and allow for more advanced filtering options compared to capture filters.
Protocol Filters
Filter by Protocol:
Show only TCP packets:
tcp
Show only DNS packets:
dns
Show only HTTP packets:
http
Show only ARP packets:
arp
Filter by IP Address
Filter by Source or Destination IP:
Source IP:
ip.src == 192.168.1.1
Destination IP:
ip.dst == 192.168.1.2
Any packets to/from an IP:
ip.addr == 192.168.1.1
Filter by Subnet:
ip.addr == 192.168.1.0/24
Filter by Ports
Filter by Specific Port:
Source Port:
tcp.srcport == 80
Destination Port:
tcp.dstport == 443
Any packets using a port:
tcp.port == 80
Filter by Port Range (tcp.port occurs twice per packet, once for each direction, and a comparison is true if either occurrence satisfies it, so the form tcp.port >= 1000 and tcp.port <= 2000 also matches a packet from port 49152 to port 443; use a set with a range instead, which current Wireshark versions support):
tcp.port in {1000..2000}
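As an added example that is not part of the original page, the Python below models Wireshark's rule that a comparison on a multi-occurrence field (ip.addr, tcp.port) is true as soon as any occurrence satisfies it. The packets are constructed and the filter semantics are re-implemented in Python rather than evaluated by Wireshark. It shows why the naive port-range expression matches every packet, why ip.addr != host excluded almost nothing in releases before 4.0 (where != meant "any occurrence differs"), why the 4.0 meaning of != ("all occurrences differ") behaves as expected, and why !(ip.addr == host) is the exclusion that works in every release.

```python
# Added example: re-implements Wireshark's "any occurrence" comparison rule
# for multi-occurrence display-filter fields. Packets below are constructed.
from ipaddress import ip_address, ip_network

PACKETS = [  # constructed sample packets
    {"id": 1, "ip.src": "192.168.1.1", "ip.dst": "10.0.0.5", "tcp.srcport": 49152, "tcp.dstport": 443},
    {"id": 2, "ip.src": "10.0.0.5", "ip.dst": "192.168.1.1", "tcp.srcport": 443, "tcp.dstport": 49152},
    {"id": 3, "ip.src": "10.0.0.7", "ip.dst": "10.0.0.9", "tcp.srcport": 1500, "tcp.dstport": 8080},
    {"id": 4, "ip.src": "10.0.0.7", "ip.dst": "10.0.0.9", "tcp.srcport": 60000, "tcp.dstport": 22},
]

# A multi-occurrence field expands to every occurrence in the packet.
MULTI = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}


def occurrences(pkt, field):
    return [pkt[name] for name in MULTI.get(field, (field,))]


def compare(field, occurrence, op, value):
    """One occurrence against one operator/value, as the filter engine sees it."""
    if op == "==":
        if field.startswith("ip.") and "/" in str(value):          # CIDR match
            return ip_address(occurrence) in ip_network(value, strict=False)
        return occurrence == value
    if op == "!=":
        return occurrence != value
    if op == ">=":
        return occurrence >= value
    if op == "<=":
        return occurrence <= value
    if op == "in":                                                  # {lo..hi}
        lo, hi = value
        return lo <= occurrence <= hi
    raise ValueError(op)


def any_match(pkt, field, op, value):
    """Wireshark rule: the comparison holds if ANY occurrence satisfies it."""
    return any(compare(field, v, op, value) for v in occurrences(pkt, field))


def all_match(pkt, field, op, value):
    """Wireshark 4.0 meaning of '!=': the comparison must hold for ALL occurrences."""
    return all(compare(field, v, op, value) for v in occurrences(pkt, field))


# The filters from the page, each as a predicate over one packet.
def naive_port_range(pkt):        # tcp.port >= 1000 and tcp.port <= 2000
    return any_match(pkt, "tcp.port", ">=", 1000) and any_match(pkt, "tcp.port", "<=", 2000)


def set_port_range(pkt):          # tcp.port in {1000..2000}
    return any_match(pkt, "tcp.port", "in", (1000, 2000))


def legacy_exclude_host(pkt, host):   # ip.addr != host, Wireshark before 4.0
    return any_match(pkt, "ip.addr", "!=", host)


def modern_exclude_host(pkt, host):   # ip.addr != host, Wireshark 4.0 and later
    return all_match(pkt, "ip.addr", "!=", host)


def portable_exclude_host(pkt, host):  # !(ip.addr == host), same result everywhere
    return not any_match(pkt, "ip.addr", "==", host)


def in_subnet(pkt, cidr):         # ip.addr == 192.168.1.0/24
    return any_match(pkt, "ip.addr", "==", cidr)


def ids(predicate):
    """Packet ids that pass a predicate, so results can be compared side by side."""
    return [p["id"] for p in PACKETS if predicate(p)]


if __name__ == "__main__":
    print("naive range   ", ids(naive_port_range))
    print("set range     ", ids(set_port_range))
    print("legacy  !=    ", ids(lambda p: legacy_exclude_host(p, "192.168.1.1")))
    print("modern  !=    ", ids(lambda p: modern_exclude_host(p, "192.168.1.1")))
    print("!(==)         ", ids(lambda p: portable_exclude_host(p, "192.168.1.1")))
    print("subnet        ", ids(lambda p: in_subnet(p, "192.168.1.0/24")))
```

The naive range matches all four packets because every packet has one port above 1000 and one port at or below 2000; only packet 3 carries a port inside the range. The same rule makes the pre-4.0 form of ip.addr != 192.168.1.1 match packets 1 and 2 as well, since their other address differs from the host.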
TCP-Specific Filters
Filter by TCP Flags:
SYN flag set (this also matches SYN-ACK replies; combine it with tcp.flags.ack == 0 to keep only the initial SYN of a connection, which is what a SYN scan sends):
tcp.flags.syn == 1
ACK packets:
tcp.flags.ack == 1
Reset packets:
tcp.flags.reset == 1
FIN packets:
tcp.flags.fin == 1
Filter by TCP Errors:
Retransmissions:
tcp.analysis.retransmission
Out-of-order packets:
tcp.analysis.out_of_order
Duplicate ACKs:
tcp.analysis.duplicate_ack
ACK lost segments:
tcp.analysis.ack_lost_segment
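As an added example, not from the original page, the following Python decodes the flags byte of a TCP header the way the tcp.flags.* fields do and then applies the flag filters above to constructed headers. It shows that tcp.flags.syn == 1 also picks up SYN-ACK replies, and ends with a small SYN-scan heuristic (one source sending initial SYNs to several ports) built from the pure-SYN predicate. The headers, addresses and the min_ports threshold are assumptions made for the example.

```python
# Added example: decode TCP flags and evaluate tcp.flags.* display filters.
import struct
from collections import Counter

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def tcp_header(sport, dport, flags, seq=0, ack=0):
    """Build a constructed 20-byte TCP header (no options)."""
    data_offset = 5 << 12                                 # 5 x 32-bit words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       data_offset | flags, 65535, 0, 0)


def parse_tcp(hdr):
    """Expose the fields behind tcp.srcport, tcp.dstport and tcp.flags.*"""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", hdr[:14])
    flags = off_flags & 0x01FF                            # NS + CWR..FIN bits
    return {
        "tcp.srcport": sport,
        "tcp.dstport": dport,
        "tcp.flags": flags,                               # tcp.flags == 0x002 is a bare SYN
        "tcp.flags.syn": int(bool(flags & SYN)),
        "tcp.flags.ack": int(bool(flags & ACK)),
        "tcp.flags.reset": int(bool(flags & RST)),
        "tcp.flags.fin": int(bool(flags & FIN)),
    }


# The page's flag filters as predicates over a parsed header.
def syn_flag(f):   # tcp.flags.syn == 1  (matches SYN and SYN-ACK)
    return f["tcp.flags.syn"] == 1


def pure_syn(f):   # tcp.flags.syn == 1 and tcp.flags.ack == 0
    return f["tcp.flags.syn"] == 1 and f["tcp.flags.ack"] == 0


def syn_ack(f):    # both SYN and ACK set
    return f["tcp.flags"] & (SYN | ACK) == (SYN | ACK)


def rst(f):        # tcp.flags.reset == 1
    return f["tcp.flags.reset"] == 1


# Constructed sample: 10.0.0.9 probes three ports, 10.0.0.1 answers, 10.0.0.5 is idle traffic.
SAMPLE = [
    ("10.0.0.9", tcp_header(40001, 22, SYN)),
    ("10.0.0.9", tcp_header(40002, 80, SYN)),
    ("10.0.0.9", tcp_header(40003, 443, SYN)),
    ("10.0.0.1", tcp_header(22, 40001, SYN | ACK)),
    ("10.0.0.1", tcp_header(80, 40002, RST | ACK)),
    ("10.0.0.5", tcp_header(50000, 443, ACK | PSH)),
]


def count_by_src(predicate, sample=SAMPLE):
    """How many packets per source address pass a flag filter."""
    return Counter(src for src, hdr in sample if predicate(parse_tcp(hdr)))


def syn_scan_candidates(min_ports=3, sample=SAMPLE):
    """Sources that sent initial SYNs to at least min_ports distinct ports (assumed threshold)."""
    ports = {}
    for src, hdr in sample:
        f = parse_tcp(hdr)
        if pure_syn(f):
            ports.setdefault(src, set()).add(f["tcp.dstport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    print("syn flag  ", dict(count_by_src(syn_flag)))
    print("pure syn  ", dict(count_by_src(pure_syn)))
    print("rst       ", dict(count_by_src(rst)))
    print("scanners  ", syn_scan_candidates())
```

With the SYN-only filter the responder 10.0.0.1 is counted once because its SYN-ACK carries the SYN bit; the pure-SYN predicate attributes all three probes to 10.0.0.9 alone, which is the view you want when hunting for scans.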
HTTP-Specific Filters
Filter by HTTP Methods:
GET requests:
http.request.method == "GET"
POST requests:
http.request.method == "POST"
Filter by HTTP Response Codes:
Errors (4xx and 5xx):
http.response.code >= 400
Filter by Content Type:
http.content_type contains "json"
DNS-Specific Filters
Filter by DNS Query or Response:
Show only DNS queries:
dns.flags.response == 0
Show only DNS responses:
dns.flags.response == 1
Filter by DNS Error Responses (any response with a non-zero RCODE, such as NXDOMAIN; an unusual volume of these from a single host is worth a closer look):
dns.flags.rcode != 0
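As an added example, not part of the original page, this Python decodes the DNS header bits behind dns.flags.response and dns.flags.rcode, plus the question name, from constructed messages and applies the query, response and error filters above. The response messages carry only a header and question (answer records are omitted, with the answer count set in the header), and the transaction IDs and names are made up for the example.

```python
# Added example: decode DNS header flags and apply dns.flags.* display filters.
import struct

NXDOMAIN = 3   # RCODE values: 0 NoError, 2 ServFail, 3 NXDomain, 5 Refused


def dns_message(txid, name, *, is_response=False, rcode=0, answers=0):
    """Constructed DNS message: header + one A/IN question, no resource records."""
    flags = (int(is_response) << 15) | (1 << 8) | rcode     # QR, RD, RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN


def parse_dns(msg):
    """Expose the fields behind dns.id, dns.flags.response, dns.flags.rcode, dns.qry.name."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    labels, pos = [], 12
    while msg[pos] != 0:                                      # uncompressed QNAME labels
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return {
        "dns.id": txid,
        "dns.flags.response": flags >> 15,                    # 0 query, 1 response
        "dns.flags.rcode": flags & 0x000F,
        "dns.qry.name": ".".join(labels),
        "dns.qry.type": qtype,
        "dns.count.answers": an,
    }


# Constructed exchange: one normal lookup, one NXDOMAIN, one SERVFAIL.
SAMPLE = [
    dns_message(0x1A2B, "www.example.com"),
    dns_message(0x1A2B, "www.example.com", is_response=True, answers=1),
    dns_message(0x3C4D, "kq8v2x.example.net"),
    dns_message(0x3C4D, "kq8v2x.example.net", is_response=True, rcode=NXDOMAIN),
    dns_message(0x5E6F, "updates.example.org"),
    dns_message(0x5E6F, "updates.example.org", is_response=True, rcode=2),
]


def is_query(d):           # dns.flags.response == 0
    return d["dns.flags.response"] == 0


def is_error_response(d):  # dns.flags.response == 1 and dns.flags.rcode != 0
    return d["dns.flags.response"] == 1 and d["dns.flags.rcode"] != 0


def query_ids(sample=SAMPLE):
    return [d["dns.id"] for d in map(parse_dns, sample) if is_query(d)]


def error_responses(sample=SAMPLE):
    """(name, rcode) for every failed lookup, the list a triage analyst wants first."""
    return [(d["dns.qry.name"], d["dns.flags.rcode"])
            for d in map(parse_dns, sample) if is_error_response(d)]


def nxdomain_names(sample=SAMPLE):  # dns.flags.rcode == 3
    return [name for name, rcode in error_responses(sample) if rcode == NXDOMAIN]


if __name__ == "__main__":
    print("queries  ", [hex(i) for i in query_ids()])
    print("errors   ", error_responses())
    print("nxdomain ", nxdomain_names())
```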
ICMP-Specific Filters
Filter by ICMP Type:
Echo Request:
icmp.type == 8
Echo Reply:
icmp.type == 0
Filter by ICMP Error Messages:
Destination Unreachable:
icmp.type == 3
Time Exceeded:
icmp.type == 11
TLS/SSL-Specific Filters
Since Wireshark 3.0 the dissector is named tls and its fields use the tls. prefix; the older ssl. names are still accepted as aliases, so both spellings work in current releases.
Filter by Handshake Messages:
ClientHello:
tls.handshake.type == 1
ServerHello:
tls.handshake.type == 2
Filter Encrypted Traffic (application data records; in TLS 1.3 the encrypted part of the handshake after the ServerHello is also sent as content type 23, so this does not cleanly separate handshake from payload there):
tls.record.content_type == 23
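As an added example that is not part of the original page, the Python below builds a minimal ClientHello record and an application-data record, then parses them to expose the values behind tls.record.content_type, tls.handshake.type, tls.handshake.ciphersuite and tls.handshake.extensions_server_name. The ClientHello is constructed (zeroed random, three assumed cipher suites, only an SNI extension) and is not a capture; the point is to see which bytes each filter inspects and to pull the SNI, which is usually the only hostname visible in an encrypted session.

```python
# Added example: construct and parse TLS records to show what the tls.* filters test.
import struct

HANDSHAKE, APPLICATION_DATA = 22, 23       # tls.record.content_type values
CLIENT_HELLO, SERVER_HELLO = 1, 2          # tls.handshake.type values
EXT_SERVER_NAME = 0x0000


def build_client_hello(sni, suites=(0x1301, 0x1302, 0xC02F)):
    """Constructed ClientHello record carrying only a server_name extension."""
    host = sni.encode()
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host          # host_name type
    sni_list = struct.pack("!H", len(name_entry)) + name_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (struct.pack("!H", 0x0303) + bytes(32)                        # version, random (zeros)
            + b"\x00"                                                    # empty session id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                                # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def build_app_data(n=48):
    """Constructed application-data record with n opaque bytes."""
    return bytes([APPLICATION_DATA]) + struct.pack("!HH", 0x0303, n) + bytes(n)


def parse_record(rec):
    """Return the fields the tls.* display filters compare against."""
    ctype, version, length = struct.unpack("!BHH", rec[:5])
    out = {"tls.record.content_type": ctype, "tls.record.version": version}
    if ctype != HANDSHAKE:
        return out                                 # encrypted payload: nothing more to read
    hs = rec[5:5 + length]
    out["tls.handshake.type"] = hs[0]
    if hs[0] != CLIENT_HELLO:
        return out
    pos = 4 + 2 + 32                               # handshake header, version, random
    pos += 1 + hs[pos]                             # session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    out["tls.handshake.ciphersuite"] = [struct.unpack("!H", hs[i:i + 2])[0]
                                        for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                             # compression methods
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:                          # walk the extension list
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == EXT_SERVER_NAME:               # list len (2), name type (1), name len (2), name
            nlen = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            out["tls.handshake.extensions_server_name"] = hs[pos + 5:pos + 5 + nlen].decode()
        pos += elen
    return out


def client_hello_hosts(records):
    """SNI of every ClientHello: the filter tls.handshake.type == 1, reduced to hostnames."""
    return [r["tls.handshake.extensions_server_name"] for r in map(parse_record, records)
            if r.get("tls.handshake.type") == CLIENT_HELLO]


if __name__ == "__main__":
    recs = [build_client_hello("login.example.com"), build_app_data(),
            build_client_hello("cdn.example.net")]
    print("hosts     ", client_hello_hosts(recs))
    print("app data  ", [r["tls.record.content_type"] == APPLICATION_DATA
                         for r in map(parse_record, recs)])
```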
Application-Layer Filters
Filter by Payload Content:
Search for specific text in the payload (contains is a case-sensitive byte match; the matches operator takes a Perl-compatible regular expression when you need a case-insensitive or pattern search):
frame contains "error"
Search for JSON with specific keys (only works when Wireshark can dissect the body as JSON, i.e. plaintext HTTP or TLS that has been decrypted with supplied keys):
json.key contains "status"
Filter for Specific SQL Errors:
frame contains "SQLException"
Error Filters
Expert-info errors (Wireshark's own analysis findings, such as malformed packets):
_ws.expert.severity == error
Expert-info warnings:
_ws.expert.severity == warning
Other Filters
Filter by Frame Length:
Frames larger than 1000 bytes:
frame.len > 1000
Filter by Time:
Packets captured after a specific time (newer releases accept ISO 8601 timestamps as below; older ones expect the form "Dec 24, 2024 10:00:00"):
frame.time >= "2024-12-24 10:00:00"
Custom Filters: combine expressions with and, or and not, using parentheses to group them, for example:
ip.addr == 192.168.1.1 and tcp.port == 80
Take care when negating a field that occurs more than once per packet, such as ip.addr or tcp.port: negate the whole comparison with not rather than applying != to the field, because the two have not meant the same thing across Wireshark releases.