Wireshark Filters

Wireshark display filters and capture filters for network analysis. Display filters use Wireshark's own field syntax (tcp.port == 80), are applied to packets already captured or loaded from a file, and can be changed at any time. Capture filters use libpcap/BPF syntax (port 80), decide what gets recorded in the first place, and are fixed for the duration of the capture. The two syntaxes are not interchangeable.

Protocol Filters

tcp

Show only TCP packets

udp

Show only UDP packets

http

Show only HTTP traffic (HTTP is only dissected on the ports configured for it, port 80 and a handful of others by default; use Decode As for HTTP on other ports)

tls

Show only TLS traffic. There is no https protocol filter: use tls (ssl in Wireshark versions before 3.0), or tcp.port == 443 to select by port

dns

Show only DNS traffic

ssh

Show only SSH traffic

ftp

Show only FTP traffic

smtp

Show only SMTP traffic

icmp

Show only ICMP packets

arp

Show only ARP packets

IP Address Filters

ip.addr == 192.168.1.1

Show packets from or to specific IP

ip.src == 192.168.1.1

Show packets from specific source IP

ip.dst == 192.168.1.1

Show packets to specific destination IP

ip.addr == 192.168.1.0/24

Show packets from or to specific subnet

!(ip.addr == 192.168.1.1)

Exclude a specific IP address. ip.addr holds both the source and the destination address of a packet, so before Wireshark 4.0 the obvious ip.addr != 192.168.1.1 matched almost every packet (it was true as soon as one of the two addresses differed). Wireshark 4.0 changed != to mean "all values differ", which is the same as the negated form above, and kept the old behaviour under the !== (any_ne) operator.

ip.src != 192.168.1.1

Exclude packets from a specific source IP (safe in all versions, since a packet normally carries a single ip.src)
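The difference between !(ip.addr == x) and the pre-4.0 ip.addr != x comes from ip.addr being a multi-valued field: every packet carries a source and a destination address, and a comparison is true as soon as one of the values satisfies it. The following Python script is an added example, not part of the original page or of Wireshark itself; it models that evaluation over three constructed packets (the Packet class, the sample addresses and the function names eq, any_ne, all_ne and in_subnet are assumptions made for the illustration, not Wireshark APIs).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """Constructed sample packet (not from a real capture): one IPv4 source and one destination."""
    src: str
    dst: str

    @property
    def addrs(self):
        # Wireshark's ip.addr field: every IPv4 address occurrence in the packet.
        return (ip_address(self.src), ip_address(self.dst))


def eq(pkt, value):
    """ip.addr == value: true if ANY occurrence of the field equals value."""
    return any(a == ip_address(value) for a in pkt.addrs)


def any_ne(pkt, value):
    """Pre-4.0 'ip.addr != value' (spelled 'ip.addr !== value' from 4.0 on):
    true if ANY occurrence differs from value, so almost every packet matches."""
    return any(a != ip_address(value) for a in pkt.addrs)


def all_ne(pkt, value):
    """!(ip.addr == value), and 'ip.addr != value' from Wireshark 4.0 on:
    true only if NO occurrence equals value."""
    return not eq(pkt, value)


def in_subnet(pkt, cidr):
    """ip.addr == 192.168.1.0/24: true if any occurrence lies inside the network."""
    net = ip_network(cidr, strict=False)
    return any(a in net for a in pkt.addrs)


# Constructed sample traffic: the host of interest is 192.168.1.1.
SAMPLE = [
    Packet("192.168.1.1", "10.0.0.5"),  # host of interest as source
    Packet("10.0.0.5", "192.168.1.1"),  # host of interest as destination
    Packet("10.0.0.5", "10.0.0.9"),     # host of interest not involved
]


def apply(filter_fn, value, packets=SAMPLE):
    """Return the indexes of the packets a filter keeps, like the packet list would."""
    return [i for i, p in enumerate(packets) if filter_fn(p, value)]


if __name__ == "__main__":
    host = "192.168.1.1"
    print("ip.addr == host            ->", apply(eq, host))       # [0, 1]
    print("ip.addr != host (pre-4.0)  ->", apply(any_ne, host))   # [0, 1, 2]: excludes nothing
    print("!(ip.addr == host)         ->", apply(all_ne, host))   # [2]
    print("ip.addr == 192.168.1.0/24  ->", apply(in_subnet, "192.168.1.0/24"))  # [0, 1]
```

The same any-value rule applies to every field that can occur more than once in a packet (tcp.port, dns.qry.name in a multi-question message, tunnelled inner headers), which is why the negated form is the portable way to exclude traffic.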

Port Filters

tcp.port == 80

Show packets on TCP port 80

tcp.srcport == 80

Show packets from source TCP port 80

tcp.dstport == 443

Show packets to destination TCP port 443

udp.port == 53

Show packets on UDP port 53

tcp.port >= 1024

Show TCP packets whose source or destination port is 1024 or above (tcp.port tests both ports)

tcp.port == 80 || tcp.port == 443

Show HTTP or HTTPS traffic

HTTP Filters

http.request

Show only HTTP requests

http.response

Show only HTTP responses

http.request.method == "GET"

Show only HTTP GET requests

http.request.method == "POST"

Show only HTTP POST requests

http.host == "example.com"

Filter by HTTP host

http.request.uri contains "login"

Filter requests whose URI contains "login" (case-sensitive)

http.response.code == 200

Show HTTP 200 OK responses

http.response.code >= 400

Show HTTP client and server error responses (4xx and 5xx)

http.cookie contains "session"

Filter requests by Cookie header content (use http.set_cookie for the server's Set-Cookie header)

http.user_agent contains "Mozilla"

Filter by user agent

TCP Flags

tcp.flags.syn == 1

Show SYN packets (connection initiation)

tcp.flags.ack == 1

Show ACK packets

tcp.flags.fin == 1

Show FIN packets (connection termination)

tcp.flags.reset == 1

Show RST packets (connection reset)

tcp.flags.push == 1

Show PSH packets (push data)

tcp.flags == 0x002

Show SYN packets only (exact match on the whole 12-bit flags field, so a SYN-ACK does not match, unlike tcp.flags.syn == 1)

tcp.flags == 0x012

Show SYN-ACK packets (exact match: SYN and ACK set and no other flag)

tcp.analysis.retransmission

Show TCP retransmissions

tcp.analysis.duplicate_ack

Show duplicate ACKs
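tcp.flags.syn == 1 tests a single bit of the TCP header, while tcp.flags == 0x002 compares the whole 12-bit flags field, so the two behave differently on a SYN-ACK. The Python script below is an added example, not code from the original page or from Wireshark; it builds raw 20-byte TCP headers (constructed sample data) and evaluates both kinds of filter against them. The function names and the header builder are assumptions made for the illustration; the bit values are those of Wireshark's tcp.flags field.

```python
import struct

# Bit values of Wireshark's 12-bit tcp.flags field, i.e. the low 12 bits of the
# data-offset/flags word at byte 12 of the TCP header. Each key is also the
# suffix of the matching single-bit filter field (tcp.flags.syn, tcp.flags.push, ...).
TCP_FLAG_BITS = {
    "fin": 0x001, "syn": 0x002, "reset": 0x004, "push": 0x008,
    "ack": 0x010, "urg": 0x020, "ecn": 0x040, "cwr": 0x080,
    "ae": 0x100,  # accurate ECN / nonce sum bit, shown as tcp.flags.ns in older versions
}
TCP_FLAGS_MASK = 0x0FFF


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Construct a 20-byte TCP header (no options) with the given flag bits. Sample data only."""
    data_offset_words = 5
    offset_flags = (data_offset_words << 12) | (flags & TCP_FLAGS_MASK)
    # source port, dest port, seq, ack, offset+flags, window, checksum (0), urgent pointer (0)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def tcp_flags(header):
    """Value of the tcp.flags field for a raw TCP header."""
    offset_flags = struct.unpack("!H", header[12:14])[0]
    return offset_flags & TCP_FLAGS_MASK


def flag_set(header, name):
    """tcp.flags.<name> == 1: single-bit test, other bits may be set as well."""
    return bool(tcp_flags(header) & TCP_FLAG_BITS[name])


def flags_exact(header, value):
    """tcp.flags == value: whole-field comparison, every other bit must be clear."""
    return tcp_flags(header) == value


def flag_names(header):
    """Readable flag list, e.g. ['syn', 'ack'] for 0x012."""
    f = tcp_flags(header)
    return [name for name, bit in TCP_FLAG_BITS.items() if f & bit]


# Constructed three-way handshake plus one data segment (not from a capture).
SYN = build_tcp_header(51000, 443, 1000, 0, 0x002)
SYN_ACK = build_tcp_header(443, 51000, 5000, 1001, 0x012)
PSH_ACK = build_tcp_header(51000, 443, 1001, 5001, 0x018)

if __name__ == "__main__":
    for label, hdr in (("SYN", SYN), ("SYN-ACK", SYN_ACK), ("PSH-ACK", PSH_ACK)):
        print(f"{label:8} tcp.flags=0x{tcp_flags(hdr):03x} {flag_names(hdr)} "
              f"syn==1:{flag_set(hdr, 'syn')} flags==0x002:{flags_exact(hdr, 0x002)}")
```

Reading the hex value the same way Wireshark does makes it easy to write exact-match filters for other combinations, for example 0x014 for RST-ACK or 0x011 for FIN-ACK.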

DNS Filters

dns.qry.name == "example.com"

Filter by DNS query name

dns.qry.type == 1

Show A record queries (the question section is echoed in responses, so combine with dns.flags.response == 0 to see only the queries)

dns.qry.type == 28

Show AAAA record queries

dns.qry.type == 15

Show MX record queries

dns.flags.response == 0

Show DNS queries only

dns.flags.response == 1

Show DNS responses only

dns.flags.rcode != 0

Show DNS responses with a non-zero response code (2 = SERVFAIL, 3 = NXDOMAIN, 5 = REFUSED)

TLS/SSL Filters

Wireshark 3.0 renamed the dissector and its fields from ssl to tls; the old ssl.* names still work as deprecated aliases in newer versions, so use tls.* for anything new.

tls

Show all TLS/SSL traffic

tls.handshake

Show TLS handshake packets (in TLS 1.3 only Client Hello and Server Hello are visible in the clear; the rest of the handshake is encrypted)

tls.handshake.type == 1

Show Client Hello messages

tls.handshake.type == 2

Show Server Hello messages

tls.handshake.extensions_server_name

Show Client Hellos carrying an SNI extension (tls.handshake.extensions_server_name == "example.com" to match one name)

tls.record.content_type == 23

Show application data records

tls.alert_message

Show TLS alert messages
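Because the SNI is the last cleartext hint of which site a client is talking to, extracting it is a common triage step, and the tls.* filters above name the exact structures involved: the record content type, the handshake type and the server_name extension inside the Client Hello. The Python script below is an added example, not part of the original page or of Wireshark; it builds a minimal Client Hello record (constructed sample data, zeroed random, two cipher suites) and walks it to produce the same fields the filters test. The function names and the returned dictionary are assumptions made for the illustration.

```python
import struct

TLS_HANDSHAKE = 22          # tls.record.content_type == 22
TLS_APPLICATION_DATA = 23   # tls.record.content_type == 23
CLIENT_HELLO = 1            # tls.handshake.type == 1
EXT_SERVER_NAME = 0         # server_name extension type


def build_client_hello(server_name, cipher_suites=(0x1301, 0x1302)):
    """Construct a minimal Client Hello record carrying an SNI extension. Sample data only."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry          # server_name_list
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                  # client_version (TLS 1.2 wire value)
        + bytes(32)                                  # random, zeroed in the sample
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_fields(record):
    """Extract the record and handshake fields that the tls.* display filters refer to."""
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    fields = {"tls.record.content_type": content_type}
    if content_type != TLS_HANDSHAKE:
        return fields                                # e.g. application data: nothing more to read
    hs = record[5:5 + rec_len]
    fields["tls.handshake.type"] = hs[0]
    if hs[0] != CLIENT_HELLO:
        return fields
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                     # skip client_version and random
    off += 1 + body[off]                             # skip session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # skip cipher_suites
    off += 1 + body[off]                             # skip compression_methods
    if off >= len(body):
        return fields                                # no extensions block
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[off:off + 4])
        data = body[off + 4:off + 4 + length]
        if ext_type == EXT_SERVER_NAME:
            # server_name_list: list length (2), then name_type (1), name length (2), name
            name_len = struct.unpack("!H", data[3:5])[0]
            fields["tls.handshake.extensions_server_name"] = data[5:5 + name_len].decode("ascii")
        off += 4 + length
    return fields


# Constructed samples: one Client Hello and one application-data record.
CLIENT_HELLO_SAMPLE = build_client_hello("example.com")
APP_DATA_SAMPLE = bytes([TLS_APPLICATION_DATA]) + b"\x03\x03" + struct.pack("!H", 3) + b"\x00\x01\x02"

if __name__ == "__main__":
    print(tls_fields(CLIENT_HELLO_SAMPLE))
    print(tls_fields(APP_DATA_SAMPLE))
```

Encrypted Client Hello (ECH) moves the real name into an encrypted inner Client Hello, so on connections that use it the visible SNI is only the public cover name.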

Logical Operators

tcp && ip.addr == 192.168.1.1

AND operator (both conditions)

tcp || udp

OR operator (either condition)

!(http)

NOT operator (exclude HTTP)

tcp.port == 80 && ip.addr == 192.168.1.1

Multiple AND conditions

(tcp.port == 80 || tcp.port == 443) && ip.src == 192.168.1.1

Complex filter with grouping

String Search

tcp contains "password"

Find the byte sequence "password" anywhere in the TCP segment, header and payload (case-sensitive; encrypted payloads such as TLS will not match)

http.request.uri contains "admin"

Find "admin" in request URIs

frame contains "secret"

Find "secret" anywhere in the raw bytes of the frame (case-sensitive)

tcp matches "(?i)password"

Case-insensitive Perl-compatible regex search over the TCP segment

data.text contains "login"

Search the payload that the generic data dissector shows as text (only populated when the "Show data as text" preference of the Data protocol is enabled)

Time Filters

frame.time >= "2024-01-01 00:00:00"

Packets captured at or after a specific time (older Wireshark versions only accept the form "Jan 1, 2024 00:00:00")

frame.time_delta > 1

Packets captured more than 1 second after the previous frame

tcp.time_delta > 0.1

TCP packets more than 100 ms after the previous packet of the same TCP conversation (requires the TCP preference "Calculate conversation timestamps" to be enabled)

frame.number > 100

Packets after frame 100

Size Filters

frame.len > 1000

Packets larger than 1000 bytes

frame.len < 64

Packets smaller than 64 bytes (captures usually omit the 4-byte Ethernet FCS, so minimum-size Ethernet frames show up as 60 bytes)

tcp.len > 0

TCP packets with payload

http.content_length > 10000

HTTP requests or responses whose Content-Length header exceeds 10000 bytes (absent for chunked transfer encoding, which carries no Content-Length)

Capture Filters

Capture filters use libpcap/BPF syntax, are applied before a packet is written to the capture, and cannot be changed while capturing; display filter fields such as http or dns.qry.name are not available here.

host 192.168.1.1

Capture traffic to/from specific host

net 192.168.1.0/24

Capture traffic to or from a subnet

port 80

Capture traffic on port 80

tcp port 443

Capture TCP traffic on port 443

not broadcast and not multicast

Exclude broadcast/multicast

src host 192.168.1.1

Capture from source host only

dst host 192.168.1.1

Capture to destination host only

ether host aa:bb:cc:dd:ee:ff

Capture frames whose source or destination MAC address matches (ether src / ether dst to restrict to one direction)