Quick Reference

Comprehensive quick reference for Wireshark - the world's most popular network protocol analyzer for traffic capture and analysis.

🔍 Basic Display Filters

Filter by IP address          ip.addr == 192.168.1.1
Source IP only                ip.src == 192.168.1.1
Destination IP only           ip.dst == 192.168.1.1
Filter by port                tcp.port == 80
Source port only              tcp.srcport == 443
Destination port only         tcp.dstport == 22
Filter by protocol            http or dns or tcp
Exclude protocol              !arp or not arp
IP subnet                     ip.addr == 192.168.1.0/24

📡 Protocol Filters

HTTP traffic                  http
HTTPS/TLS traffic             tls or ssl
DNS queries                   dns
DHCP traffic                  dhcp or bootp
ARP traffic                   arp
ICMP (ping)                   icmp
SMB traffic                   smb or smb2
FTP traffic                   ftp or ftp-data
SSH traffic                   ssh
Telnet traffic                telnet

🌐 HTTP Analysis

HTTP requests                 http.request
HTTP responses                http.response
GET requests                  http.request.method == "GET"
POST requests                 http.request.method == "POST"
Specific URI                  http.request.uri contains "login"
Response code 200             http.response.code == 200
Response code 404             http.response.code == 404
Server errors (5xx)           http.response.code >= 500
Specific host                 http.host == "example.com"
User-Agent filter             http.user_agent contains "Mozilla"

🔗 TCP Analysis

TCP SYN packets               tcp.flags.syn == 1
TCP SYN-ACK                   tcp.flags.syn == 1 and tcp.flags.ack == 1
TCP RST packets               tcp.flags.reset == 1
TCP FIN packets               tcp.flags.fin == 1
TCP retransmissions           tcp.analysis.retransmission
TCP duplicate ACKs            tcp.analysis.duplicate_ack
TCP window zero               tcp.window_size == 0
TCP stream                    tcp.stream == 5
TCP problems                  tcp.analysis.flags

🔤 DNS Analysis

DNS queries                   dns.flags.response == 0
DNS responses                 dns.flags.response == 1
Specific domain               dns.qry.name contains "example"
A record queries              dns.qry.type == 1
AAAA record queries           dns.qry.type == 28
MX record queries             dns.qry.type == 15
TXT record queries            dns.qry.type == 16
NXDOMAIN responses            dns.flags.rcode == 3
DNS over TCP                  dns and tcp

🔀 Logical Operators

AND operator                  ip.src == 10.0.0.1 and tcp.port == 80
OR operator                   tcp.port == 80 or tcp.port == 443
NOT operator                  not arp or !arp
Parentheses grouping          (ip.src == 10.0.0.1) and (tcp or udp)
Contains string               http.host contains "google"
Matches regex                 http.host matches ".*\\.google\\.com"
In range                      tcp.port in {80, 443, 8080}
Greater than                  frame.len > 1000
Less than                     tcp.window_size < 1000

📶 Wireless (802.11)

All 802.11 traffic            wlan
Beacon frames                 wlan.fc.type_subtype == 0x08
Probe requests                wlan.fc.type_subtype == 0x04
Probe responses               wlan.fc.type_subtype == 0x05
Authentication                wlan.fc.type_subtype == 0x0b
Deauthentication              wlan.fc.type_subtype == 0x0c
Specific BSSID                wlan.bssid == aa:bb:cc:dd:ee:ff
Specific SSID                 wlan.ssid == "NetworkName"
EAPOL (4-way handshake)       eapol

⚠️ Security Analysis

Cleartext passwords (FTP)     ftp.request.command == "PASS"
Cleartext passwords (HTTP)    http.request.method == "POST"
Telnet traffic                telnet
Possible port scan            tcp.flags.syn == 1 and tcp.flags.ack == 0
ARP spoofing                  arp.duplicate-address-detected
ICMP redirect                 icmp.type == 5
Suspicious DNS (long names)   dns.qry.name.len > 50
SMB null sessions             smb.uid == 0
TLS handshake                 tls.handshake

⌨️ Essential Keyboard Shortcuts

Capture

Start capture                 Ctrl+E
Stop capture                  Ctrl+E
Restart capture               Ctrl+R
Capture options               Ctrl+K

File Operations

Open file                     Ctrl+O
Save as                       Ctrl+Shift+S
Close file                    Ctrl+W
Print                         Ctrl+P

Navigation

Go to packet                  Ctrl+G
Find packet                   Ctrl+F
Next packet                   Ctrl+Down
Previous packet               Ctrl+Up

Analysis

Follow TCP stream             Ctrl+Alt+Shift+T
Follow HTTP stream            Ctrl+Alt+Shift+H
Apply display filter          Enter
Clear display filter          Ctrl+/

Marking

Mark/Unmark packet            Ctrl+M
Next marked                   Shift+Ctrl+N
Previous marked               Shift+Ctrl+B
Ignore packet                 Ctrl+D

View

Zoom in                       Ctrl++
Zoom out                      Ctrl+-
Reset zoom                    Ctrl+0
Time display toggle           Ctrl+T

💻 tshark CLI Commands

List Interfaces

tshark -D

Show all available capture interfaces

Capture on Interface

tshark -i eth0 -w capture.pcap

Capture traffic on eth0 and save to file

Read Capture File

tshark -r capture.pcap

Read and display packets from file

Apply Display Filter

tshark -r capture.pcap -Y "http.request"

Filter packets using display filter

Extract Specific Fields

tshark -r capture.pcap -T fields -e ip.src -e ip.dst

Extract source and destination IPs

Capture with BPF Filter

tshark -i eth0 -f "port 80" -w http.pcap

Capture only port 80 traffic

Statistics - Conversations

tshark -r capture.pcap -q -z conv,tcp

Show TCP conversation statistics

Protocol Hierarchy

tshark -r capture.pcap -q -z io,phs

Show protocol hierarchy statistics
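The Security Analysis filters above can also be run offline: export fields with tshark (the `-T fields` form shown above) and post-process the result. The following is an added example, not part of the original reference, that reads such output for the "possible port scan" and "suspicious DNS (long names)" checks. It assumes the producer command in the comment, a `|` separator, and a constructed sample in place of a real export.

```python
"""Triage tshark field output for two of the Security Analysis filters."""
from collections import defaultdict

# Assumed producer command (not run here); the columns below follow its -e order:
#   tshark -r capture.pcap -T fields -E separator='|' -E occurrence=f \
#     -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack -e dns.qry.name
# Boolean fields print as 1/0 in Wireshark 3.x and True/False in 4.x; both are accepted.
SAMPLE = """\
10.0.0.5|10.0.0.9|22|1|0|
10.0.0.5|10.0.0.9|23|1|0|
10.0.0.5|10.0.0.9|80|True|False|
10.0.0.5|10.0.0.9|443|1|0|
10.0.0.7|10.0.0.9|443|1|0|
10.0.0.9|10.0.0.7|51000|1|1|
10.0.0.7|10.0.0.53||||www.example.com
10.0.0.7|10.0.0.53||||aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllll.tunnel.example
"""  # constructed sample, not a real capture


def is_set(flag):
    """tshark prints booleans as 1/0 or True/False; empty means the field is absent."""
    return flag in ("1", "True")


def parse(text):
    """Split one tshark -T fields line per packet into a dict keyed by short names."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, syn, ack, qname = line.split("|")
        rows.append({"src": src, "dst": dst, "dport": dport, "syn": syn, "ack": ack, "qname": qname})
    return rows


def long_dns_names(rows, min_len=50):
    """Equivalent of dns.qry.name.len > 50: return query names longer than min_len."""
    return [r["qname"] for r in rows if len(r["qname"]) > min_len]


def syn_scanners(rows, min_ports=3):
    """tcp.flags.syn == 1 and tcp.flags.ack == 0, grouped by source and counted by distinct port.
    A single SYN is a normal connection attempt; many distinct ports from one source is the signal."""
    ports = defaultdict(set)
    for r in rows:
        if is_set(r["syn"]) and not is_set(r["ack"]):
            ports[r["src"]].add(r["dport"])
    return {src: sorted(p, key=int) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    rows = parse(SAMPLE)
    print("long DNS names:", long_dns_names(rows))
    print("SYN-only sources by distinct port count:", syn_scanners(rows))
```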

🎯 Capture Filters (BPF Syntax)

Capture filters use Berkeley Packet Filter (BPF) syntax and are applied during capture to reduce file size.

host 192.168.1.1                Traffic to/from specific host
net 192.168.1.0/24              Traffic to/from subnet
port 80                         Traffic on port 80
tcp port 443                    TCP traffic on port 443
src host 10.0.0.1               Traffic from specific source
dst port 22                     Traffic to destination port 22
not arp                         Exclude ARP traffic
tcp and (port 80 or port 443)   TCP web traffic only (parentheses needed: "and" binds tighter than "or")
ether host aa:bb:cc:dd:ee:ff    Traffic by MAC address
icmp                            ICMP traffic only

🔬 Common Analysis Tasks

Follow TCP Stream

Right-click packet → Follow → TCP Stream

Reconstructs entire TCP conversation

Export HTTP Objects

File → Export Objects → HTTP

Extract files transferred over HTTP

View Endpoints

Statistics → Endpoints

List all IPs and their traffic volume

View Conversations

Statistics → Conversations

Show all communication pairs

Protocol Hierarchy

Statistics → Protocol Hierarchy

View protocol distribution in capture

I/O Graph

Statistics → I/O Graph

Visualize traffic over time

Expert Information

Analyze → Expert Information

Find anomalies and errors in capture

Decrypt TLS

Edit → Preferences → Protocols → TLS → RSA keys list

Decrypt HTTPS with private key or SSLKEYLOGFILE