CyberCheatsheets

Wireshark Filters Cheat Sheet

Wireshark display and capture filter syntax for slicing packet captures during analysis and forensics.

Network & Protocoldisplay-filterspacket-analysispcaptsharkwiresharkUpdated 2026-06-17

Overview

Wireshark has two filter languages that are easy to confuse. Capture filters (BPF syntax, like tcpdump) decide what gets recorded. Display filters (Wireshark's own syntax) decide what you see from an already-captured set. This sheet focuses on display filters—the ones you type in the green bar—plus the most useful capture filters.

Authorized testing only. Capture traffic only on networks you own or have explicit written permission to monitor.

Display filters — addresses & ports

Any packet to/from this host

ip.addr == 10.10.10.5

Specific source AND destination

ip.src == 10.10.10.5 && ip.dst == 10.10.10.1

Traffic on port 443 (either direction)

tcp.port == 443

Whole subnet

ip.addr == 10.0.0.0/24

Exclude a host (negation)

!(ip.addr == 10.10.10.5)

Display filters — protocols

All HTTP traffic

http

All DNS traffic

dns

All TCP; also try udp, icmp, arp, tls

tcp

TLS Client Hello (find SNI / negotiated certs)

tls.handshake.type == 1

SMB traffic (both versions)

smb || smb2

Display filters — HTTP analysis

POST requests (often contain creds)

http.request.method == "POST"

URIs containing a substring

http.request.uri contains "login"

Successful responses

http.response.code == 200

Requests to a specific host header

http.host == "example.com"

Any packet whose bytes contain a string

frame contains "password"

Display filters — TCP analysis

SYN-only packets (port scan / connection starts)

tcp.flags.syn == 1 && tcp.flags.ack == 0

Retransmissions (packet loss / latency)

tcp.analysis.retransmission

RST packets (refused/closed connections)

tcp.flags.reset == 1

Isolate one TCP conversation by stream index

tcp.stream eq 3

Capture filters (BPF — set before capturing)

Only capture traffic to/from a host

host 10.10.10.5

Only web ports

port 80 or port 443

Only SSH

tcp port 22

Drop noisy broadcast chatter

not arp and not stp

Quick one-liners (tshark)

Apply a display filter from the CLI

tshark -r capture.pcap -Y 'http.request.method=="POST"'

Extract specific fields as a table

tshark -r capture.pcap -Y http -T fields -e ip.src -e http.host -e http.request.uri

Follow and print one TCP stream

tshark -r capture.pcap -q -z follow,tcp,ascii,3

List all TCP conversations

tshark -r capture.pcap -q -z conv,tcp

Tips

  • Display filters use == ; capture filters use BPF (host/port/net) — mixing them is the #1 mistake.
  • Right-click any packet field → Apply as Filter to build complex filters without memorizing syntax.
  • Use 'Follow → TCP Stream' to reconstruct a full conversation (Ctrl+Alt+Shift+T).
  • frame contains "x" searches raw bytes; use it to grep for keywords across all protocols.

References

Chuletas relacionadas