Wireshark is arguably the most popular and powerful tool you can use to capture, analyze and troubleshoot network traffic. The only downside you will face when using a tool as verbose as Wireshark is memorizing all of the commands, flags, filters, and syntax. That’s where we come in.
Whether you are a network administrator, a security professional, or just someone curious about how networks work, learning to use Wireshark is a valuable skill. This Wireshark cheat sheet will provide a solid foundation and reference for using Wireshark to monitor and analyze your network traffic.
Default Columns In a Packet Capture Output
| Name | Description |
|---|---|
| No. | Frame number from the beginning of the packet capture |
| Time | Seconds from the first frame |
| Source (src) | Source address, commonly an IPv4, IPv6 or Ethernet address |
| Destination (dst) | Destination address |
| Protocol | Protocol used in the Ethernet frame, IP packet, or TC segment |
| Length | Length of the frame in bytes |
Logical Operators
| Operator | Description | Example |
|---|---|---|
| and or && | Logical AND | All the conditions should match |
| or or || | Logical OR | Either all or one of the conditions should match |
| xor or ^^ | Logical XOR | Exclusive alterations - only one of the two conditions should match not both |
| not or ! | Not (Negation) | Not equal to |
| [ n ] [ … ] | Substring operator | Filter a specific word or text |
Display Filter Logical Operations
| English | C-like | Description | Example |
|---|---|---|---|
and | && | Logical AND |
|
or | || | Logical OR |
|
xor | ^^ | Logical XOR |
|
not | ! | Logical NOT |
|
[…] | Subsequence | See “Slice Operator” below. | |
in | Set Membership | http.request.method in {"HEAD", "GET"}. See “Membership Operator” below. |
Filtering Packets (Display Filters)
| Operator | Description | Example |
|---|---|---|
| eq or == | Equal | ip.dest == 192.168.1.1 |
| ne or != | Not equal | ip.dest != 192.168.1.1 |
| gt or > | Greater than | frame.len > 10 |
| it or < | less than | frame.len < 10 |
| ge or >= | Greater than or equal | frame.len >= 10 |
| le or <= | Less than or equal | frame.len <= 10 |
Display Filter comparison operators
| English | Alias | C-like | Description | Example |
|---|---|---|---|---|
eq | any_eq | == | Equal (any if more than one) |
|
ne | all_ne | != | Not equal (all if more than one) |
|
all_eq | === | Equal (all if more than one) |
| |
any_ne | !== | Not equal (any if more than one) |
| |
gt | > | Greater than |
| |
lt | < | Less than |
| |
ge | >= | Greater than or equal to |
| |
le | <= | Less than or equal to |
| |
contains | Protocol, field or slice contains a value |
| ||
matches | ~ | Protocol or text field matches a Perl-compatible regular expression |
|
Display Filter Arithmetic Operations
| Name | Syntax | Alternative | Description |
|---|---|---|---|
Unary minus | -A | Negation of A | |
Addition | A + B | Add B to A | |
Subtraction | A - B | Subtract B from A | |
Multiplication | A * B | Multiply A times B | |
Division | A / B | Divide A by B | |
Modulo | A % B | Remainder of A divided by B | |
Bitwise AND | A & B | A bitand B | Bitwise AND of A and B |
An unfortunate quirk in the filter syntax is that the subtraction operator must be preceded by a space character, so "A-B" must be written as "A -B" or "A - B".
Arithmetic expressions can be grouped using curly braces.
For example, frames where capture length resulted in truncated TCP options:
frame.cap_len < { 14 + ip.hdr_len + tcp.hdr_len }
Display Filter Functions
| Function | Description |
|---|---|
upper | Converts a string field to uppercase. |
lower | Converts a string field to lowercase. |
len | Returns the byte length of a string or bytes field. |
count | Returns the number of field occurrences in a frame. |
string | Converts a non-string field to a string. |
vals | Converts a field value to its value string, if it has one. |
dec | Converts an unsigned integer field to a decimal string. |
hex | Converts an unsigned integer field to a hexadecimal string. |
float | Converts a field to single precision floating point. |
double | Converts a field to double precision floating point. |
max | Return the maximum value for the arguments. |
min | Return the minimum value for the arguments. |
abs | Return the absolute value for the argument. |
The upper and lower functions can used to force case-insensitive matches: lower(http.server) contains "apache".
To find HTTP requests with long request URIs: len(http.request.uri) > 100. Note that the len function yields the string length in bytes rather than (multi-byte) characters.
Usually an IP frame has only two addresses (source and destination), but in case of ICMP errors or tunneling, a single packet might contain even more addresses. These packets can be found with count(ip.addr) > 2.
The string function converts a field value to a string, suitable for use with operators like "matches" or "contains". Integer fields are converted to their decimal representation. It can be used with IP/Ethernet addresses (as well as others), but not with string or byte fields.
For example, to match odd frame numbers:
string(frame.number) matches "[13579]$"
To match IP addresses ending in 255 in a block of subnets (172.16 to 172.31):
string(ip.dst) matches r"^172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.255"
The vals function converts an integer or boolean field value to a string using the field’s associated value string, if it has one.
The double function converts certain field types to doubles, including floats, doubles (a no-op), integers, booleans, times (absolute times are converted to seconds since the UN*X epoch), and the special IEEE 11073 Personal Health Devices floating point formats. The results can be used with further arithmetic operations and, like other filters, placed in a custom column.
The functions max() and min() take any number of arguments of the same type and returns the largest/smallest respectively of the set.
max(tcp.srcport, tcp.dstport) <= 1024
Filter Types
| Name | Description |
|---|---|
| Capture filter | Filter packets during capture |
| Display filter | Hide packets from a capture display |
Wireshark Capturing Modes
| Name | Description |
|---|---|
| Promiscuous mode | Sets interface to capture all packets on a network segment to which it is associated to |
| Monitor mode | Setup the wireless interface to capture all traffic it can receive (Unix/ Linux only) |
Miscellaneous
| Name | Description |
|---|---|
| Slice Operator | [ … ] - Range of values |
| Membership Operator | {} - In |
| CTRL+E | Start/Stop Capturing |
Capture Filter Syntax
| Syntax | Protocol | Direction | Hosts | Value | Logical Operator | Expressions |
|---|---|---|---|---|---|---|
| Example | tcp | src | 192.168.1.1 | 80 | and | tcp dst 202.164.30.1 |
Display Filter Syntax
| Syntax | Protocol | String 1 | String 2 | Comparison Operator | Value | Logical Operator | Expressions |
|---|---|---|---|---|---|---|---|
| Example | http | dest | ip | == | 192.168.1.1 | and | tcp port |
Keyboard Shortcuts - Main Display Window
| Accelerator | Description | Accelerator | Description |
|---|---|---|---|
| Tab or Shift+Tab | Move between screen elements, e.g. from the toolbars to the packet list to the packet detail. | Alt+→ or Option→ | Move to the next packet in the selection history. |
| ↓ | Move to the next packet or detail item. | → | In the packet detail, opens the selected tree item. |
| ↑ | Move to the previous packet or detail item. | Shift+→ | In the packet detail, opens the selected tree items and all of its subtrees. |
| Ctrl+ ↓ or F8 | Move to the next packet, even if the packet list isn't focused. | Ctrl+→ | In the packet detail, opens all tree items. |
| Ctrl+ ↑ Or F7 | Move to the previous packet, even if the packet list isn't focused | Ctrl+← | In the packet detail, closes all the tree |
| Ctrl+. | Move to the next packet of the conversation (TCP, UDP or IP). | Backspace | In the packet detail, jumps to the parent node. |
| Ctrl+, | Move to the previous packet of the conversation (TCP, UDP or IP). | Return or Enter | In the packet detail, toggles the selected tree item. |
Protocols - Values
ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp
Common Filtering Commands
| Usage | Filter Syntax |
|---|---|
| Wireshark Filter by IP | ip.add == 10.10.50.1 |
| Filter by Destination IP | ip.dest == 10.10.50.1 |
| Filter by Source IP | ip.src == 10.10.50.1 |
| Filter by IP range | ip.addr >= 10.10.50.1 and ip.addr <=10.10.50.100 |
| Filter by Multiple Ips | ip.addr == 10.10.50.1 and ip.addr == 10.10.50.100 |
| Filter out IP adress | ! (ip.addr == 10.10.50.1) |
| Filter subnet | ip.addr == 10.10.50.1/24 |
| Filter by port | tcp.port == 25 |
| Filter by destination port | tcp.dstport == 23 |
| Filter by ip adress and port | ip.addr == 10.10.50.1 and Tcp.port == 25 |
| Filter by URL | http.host == "host name" |
| Filter by time stamp | frame.time >= "June 02, 2019 18:04:00" |
| Filter SYN flag | Tcp.flags.syn == 1 and tcp.flags.ack ==0 |
| Wireshark Beacon Filter | wlan.fc.type_subtype = 0x08 |
| Wireshark broadcast filter | eth.dst == ff:ff:ff:ff:ff:ff |
| Wireshark multicast filter | (eth.dst[0] & 1) |
| Host name filter | ip.host = hostname |
| MAC address filter | eth.addr == 00:70:f4:23:18:c4 |
| RST flag filter | tcp.flag.reset == 1 |
Main Toolbar Items
| Toolbar Icon | Toolbar Item | Menu Item | Description |
|---|---|---|---|
| Start | Capture → Start | Uses the same packet capturing options as the previous session, or uses defaults if no options were set |
| Stop | Capture → Stop | Stops currently active capture |
| Restart | Capture → Restart | Restart active capture session |
| Options... | Capture → Options… | Opens "Capture Options" dialog box |
| Open... | File →open… | Opens "File open" dialog box to load a capture for viewing |
| Save As... | File → Save As… | Save current capture file |
| Close | File →Close | Close current capture file |
| Reload | View → Reload | Reload current capture file |
| Find Packet... | Edit →Find Packet… | Find packet based on different criteria |
| Go Back | Go → Go back | Jump back in the packet history |
| Go Forward | Go → Go Forward | Jump forward in the packet history |
| Go to Packet... | Go → Go to Packet… | Go to specific packet |
| Go to First Packet | Go → Go to First Packet | Jump to first packet of the capture file |
| Go to last Packet | Go → Go to last Packet | Jump to last packet of the capture file |
| Auto Scroll in Live Capture | View → Auto Scroll in Live Capture | Auto scroll packet list during live capture |
| Colorize | View → Colorize | Colorize the packet list (or not) |
| Zoom In | View → Zoom In | Zoom into the packet data (increase the font size) |
| Zoom Out | View → Zoom Out | Zoom out of the packet data (decrease the font size) |
| Normal Size | View → Normal Size | Set zoom level back to 100% |
| Resize Columns | View → Resize Columns | Resize columns, so the content fits the width |
参考:
