A structured overview of Wireshark’s most important capture filters, display filters, and shortcuts for effective network analysis.
(Applied before capturing – limits what traffic is recorded. Based on BPF syntax like tcpdump.)

| Command(s) | Explanation |
|---|---|
| host 192.168.1.10 | Capture only traffic to/from a specific host. |
| net 192.168.1.0/24 | Capture all traffic on a subnet. |
| port 80 | Capture only traffic on port 80 (HTTP). |
| src host 192.168.1.10 | Capture only traffic from a specific source. |
| dst host 192.168.1.20 | Capture only traffic to a specific destination. |
| tcp | Capture only TCP traffic. |
| udp | Capture only UDP traffic. |
| icmp | Capture only ICMP packets (ping). |
| tcp port 443 | Capture HTTPS traffic only. |
| src net 10.0.0.0/8 | Capture traffic originating from a network. |

(Applied after capturing – refines what you see in Wireshark’s GUI. Based on Wireshark’s display filter language.)

| Filter | Explanation |
|---|---|
| ip.addr == 192.168.1.10 | Show packets where the source or destination IP is 192.168.1.10. |
| ip.src == 192.168.1.10 | Show packets from a specific source IP. |
| ip.dst == 192.168.1.20 | Show packets going to a specific destination. |
| tcp.port == 80 | Show packets on port 80 (HTTP). |
| tcp.flags.syn == 1 | Show only SYN packets (useful for detecting scans). |
| tcp.flags.reset == 1 | Show only TCP reset packets. |
| http | Show all HTTP packets. |
| http.request.method == "GET" | Show only HTTP GET requests. |
| dns | Show all DNS traffic. |
| dns.qry.name == "example.com" | Show DNS queries for a specific domain. |
| icmp | Show only ICMP packets. |
| frame contains "password" | Show packets containing the keyword "password". |

(Core GUI functions and shortcuts for analysis)

| Feature / Shortcut | Explanation |
|---|---|
| Ctrl + E | Start/Stop capture. |
| Ctrl + K | Edit preferences. |
| Ctrl + F | Find packet by string/hex/field. |
| Ctrl + G | Go to a specific packet number. |
| Ctrl + Shift + F | Apply display filter quickly. |
| Ctrl + H | Hide/show packet bytes pane. |
| Right-click → “Follow → TCP Stream” | Reconstructs the entire TCP session (e.g., HTTP, FTP, Telnet). |
| Statistics → Protocol Hierarchy | Shows the breakdown of protocols in the capture. |
| Statistics → Conversations | Shows communication pairs (IP-to-IP or Port-to-Port). |
| Statistics → Endpoints | Lists all IP addresses seen in the capture. |
| Analyze → Expert Information | Highlights warnings, errors, and retransmissions. |

(Filters useful for detecting suspicious traffic)

| Filter | Explanation |
|---|---|
| tcp.flags.syn == 1 and tcp.flags.ack == 0 | Detect SYN scans (half-open scans): SYN set without ACK, i.e. the first packet of a handshake. |
| tcp.flags.fin == 1 and tcp.flags.ack == 0 | Detect FIN scans (stealth scans): FIN set without ACK, which never occurs in a normal session. |
| icmp.type == 8 | Detect ICMP echo requests (pings). |
| http contains "User-Agent" | Inspect User-Agent strings in HTTP requests. |
| ftp | Show FTP traffic (possible credentials in cleartext). |
| telnet | Show Telnet traffic (insecure, cleartext). |
| tls.handshake (ssl.handshake in older Wireshark versions) | Show TLS/SSL handshake packets; tls.* is the current field prefix, ssl.* the legacy one. |
| frame.len > 1000 | Show only packets larger than 1000 bytes. |
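The three packet-level detection filters above (SYN without ACK, FIN without ACK, frame.len > 1000) can be checked outside Wireshark by reading the same header fields directly. The following script is an added example, not part of the original cheat sheet and not Wireshark's own filter engine: it builds a handful of constructed Ethernet/IPv4/TCP frames, extracts the fields the filters refer to, and applies the predicates. Checksums are left at zero and the frames are synthetic.

```python
import struct
from collections import defaultdict

SYN, ACK, FIN = 0x02, 0x10, 0x01  # TCP flag bits

def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build a minimal Ethernet II + IPv4 + TCP frame (no options, zero checksums)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Return the fields the display filters on this page refer to."""
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]                       # TCP flags byte
    return {"ip.src": src, "ip.dst": dst, "tcp.srcport": sport, "tcp.dstport": dport,
            "tcp.flags.syn": (flags >> 1) & 1, "tcp.flags.ack": (flags >> 4) & 1,
            "tcp.flags.fin": flags & 1, "frame.len": len(frame)}

FILTERS = {  # same semantics as the Wireshark filters in the table above
    "SYN scan": lambda p: p["tcp.flags.syn"] == 1 and p["tcp.flags.ack"] == 0,
    "FIN scan": lambda p: p["tcp.flags.fin"] == 1 and p["tcp.flags.ack"] == 0,
    "large frame": lambda p: p["frame.len"] > 1000,
}

def match_filters(frames):
    """Map each filter name to the (ip.src, tcp.dstport) pairs of matching frames."""
    hits = defaultdict(list)
    for frame in frames:
        p = parse_frame(frame)
        for name, pred in FILTERS.items():
            if pred(p):
                hits[name].append((p["ip.src"], p["tcp.dstport"]))
    return dict(hits)

SAMPLE = [  # constructed frames, not a real capture
    build_frame("10.0.0.5", "192.168.1.10", 40000 + i, port, SYN) for i, port in enumerate((22, 80, 443))
] + [
    build_frame("192.168.1.10", "10.0.0.5", 80, 40001, SYN | ACK),       # normal handshake reply
    build_frame("10.0.0.5", "192.168.1.10", 40010, 139, FIN),            # FIN without ACK
    build_frame("192.168.1.10", "10.0.0.7", 443, 50000, ACK, b"A" * 1100),  # 1154-byte frame
]
```

Running `match_filters(SAMPLE)` reports the three bare SYNs as SYN-scan hits, the lone FIN as a FIN-scan hit, and only the 1154-byte frame under "large frame"; the SYN/ACK reply is excluded because ack == 1, just as in Wireshark.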

(Save and analyze captures outside Wireshark)

| Option | Explanation |
|---|---|
| File → Save As | Save captured packets in .pcapng format. |
| File → Export Specified Packets | Export selected packets. |
| File → Export Objects → HTTP | Extract downloaded HTTP files. |
| File → Export Objects → SMB | Extract SMB shared files. |
| File → Export Objects → FTP | Extract transferred FTP files. |