Wireshark Cheat Sheet

Capture Filters

Applied before capture — reduces data collected (BPF syntax).

# By host
host 192.168.1.1
src host 192.168.1.1
dst host 192.168.1.1

# By network
net 192.168.1.0/24

# By port
port 80
src port 1024
dst port 443
portrange 8000-9000
not port 22

# By protocol
tcp
udp
icmp
arp
ip6

# Combinations
host 192.168.1.1 and port 80
port 80 or port 443
not arp and not icmp

# Capture specific TCP flags (SYN packets)
tcp[tcpflags] & tcp-syn != 0

Display Filters

Applied after capture — filter what you see.

# IP address
ip.addr == 192.168.1.1
ip.src == 192.168.1.1
ip.dst == 10.0.0.1

# Port
tcp.port == 80
udp.port == 53
tcp.srcport == 443

# Protocol
http
dns
tls
ssh
ftp
smtp
smb

# HTTP specific
http.request.method == "POST"
http.response.code == 200
http.host contains "example.com"
http.request.uri contains "login"

# DNS
dns.qry.name contains "google"
dns.flags.response == 1

# Search packet content
frame contains "password"
tcp contains "Authorization"

# TCP flags
tcp.flags.syn == 1
tcp.flags.reset == 1
tcp.flags.fin == 1
tcp.flags == 0x002      # SYN only
tcp.flags == 0x012      # SYN-ACK
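The capture filter `tcp[tcpflags] & tcp-syn != 0` and the display filters `tcp.flags == 0x002` / `tcp.flags == 0x012` both test the same 12-bit flag field of the TCP header, but with different semantics: the capture filter matches any segment with SYN set (so SYN-ACKs too), while `== 0x002` matches SYN-only segments. The script below is an added example, not part of the cheat sheet or of Wireshark: it builds a constructed raw TCP header, decodes the flag word the way Wireshark's tcp.flags value shows it, and applies both kinds of test. Function names (build_tcp_header, tcp_flags, has_syn, classify_flags, syn_only_by_source) are assumptions for this illustration.

```python
import struct

# Bit values of the TCP flag field as Wireshark reports them in tcp.flags.
# tcp.flags == 0x002 is SYN only; tcp.flags == 0x012 is SYN + ACK.
TCP_FIN = 0x001
TCP_SYN = 0x002
TCP_RST = 0x004
TCP_PSH = 0x008
TCP_ACK = 0x010
TCP_URG = 0x020
TCP_ECE = 0x040
TCP_CWR = 0x080
TCP_AE = 0x100   # accurate ECN (formerly NS)

FLAG_NAMES = [
    (TCP_FIN, "FIN"), (TCP_SYN, "SYN"), (TCP_RST, "RST"), (TCP_PSH, "PSH"),
    (TCP_ACK, "ACK"), (TCP_URG, "URG"), (TCP_ECE, "ECE"), (TCP_CWR, "CWR"),
    (TCP_AE, "AE"),
]


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Constructed 20-byte TCP header (no options), used here as sample input."""
    data_offset = 5                                   # 5 x 32-bit words
    offset_flags = (data_offset << 12) | (flags & 0x0FFF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, 65535, 0, 0)     # window, checksum, urgent ptr


def tcp_flags(tcp_header):
    """Return the 12-bit tcp.flags value from a raw TCP header.

    Bytes 12-13 hold the 4-bit data offset followed by the flag bits; the
    low 12 bits are what Wireshark displays as tcp.flags (e.g. 0x012).
    """
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    offset_flags = struct.unpack("!H", tcp_header[12:14])[0]
    return offset_flags & 0x0FFF


def flag_names(flags):
    """Names of the set flags, lowest bit first (FIN, SYN, RST, ...)."""
    return [name for bit, name in FLAG_NAMES if flags & bit]


def has_syn(flags):
    """Capture-filter semantics of tcp[tcpflags] & tcp-syn != 0:
    true for SYN and SYN-ACK alike."""
    return (flags & TCP_SYN) != 0


def classify_flags(flags):
    """Display-filter semantics of the exact-match and per-bit filters above."""
    if flags == TCP_SYN:
        return "SYN"              # tcp.flags == 0x002
    if flags == TCP_SYN | TCP_ACK:
        return "SYN-ACK"          # tcp.flags == 0x012
    if flags & TCP_RST:
        return "RST"              # tcp.flags.reset == 1
    if flags & TCP_FIN:
        return "FIN"              # tcp.flags.fin == 1
    return "OTHER"


def syn_only_by_source(packets):
    """Tally SYN-only segments per source address from (src_ip, tcp_header)
    pairs. A host sending many SYN-only segments with no follow-up traffic
    is the pattern the SYN filters above are normally used to surface."""
    counts = {}
    for src, header in packets:
        if classify_flags(tcp_flags(header)) == "SYN":
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: a client SYN and the server's SYN-ACK.
    syn = build_tcp_header(40000, 80, TCP_SYN)
    syn_ack = build_tcp_header(80, 40000, TCP_SYN | TCP_ACK)
    for hdr in (syn, syn_ack):
        f = tcp_flags(hdr)
        print(f"tcp.flags == 0x{f:03x}  {flag_names(f)}  "
              f"capture-filter SYN match: {has_syn(f)}  display class: {classify_flags(f)}")
```

The same distinction matters in practice: the capture filter on the page reduces the file to every SYN-bearing segment, and the exact-match display filter then separates connection attempts (0x002) from the server's answers (0x012).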

Useful Filters for Security Analysis

# Failed login attempts (HTTP 401/403)
http.response.code == 401 or http.response.code == 403

# Cleartext credentials
http.request.method == "POST" and http contains "password"

# DNS exfiltration (unusually long hostnames)
dns.qry.name.len > 50

# ARP scanning
arp.opcode == 1

# ICMP scanning / ping sweep
icmp.type == 8

# SMB traffic
smb or smb2

# TLS certificate details
tls.handshake.certificate

Statistics & Analysis

Statistics > Protocol Hierarchy    — See traffic breakdown by protocol
Statistics > Conversations         — IP/TCP/UDP conversation pairs
Statistics > Endpoints             — Unique hosts and traffic volume
Statistics > IO Graphs             — Traffic over time
Analyze > Expert Information       — Errors, warnings, notes
Analyze > Follow TCP Stream        — Reassemble a TCP conversation

Export & Extract

File > Export Specified Packets    — Save filtered subset
File > Export Objects > HTTP       — Extract HTTP files/downloads
File > Export Objects > SMB        — Extract SMB transferred files

Command Line (tshark)

# Capture to file
tshark -i eth0 -w capture.pcap

# Read and filter
tshark -r capture.pcap -Y "http.request"

# Read specific fields
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e http.request.uri

# Follow TCP stream
tshark -r capture.pcap -q -z follow,tcp,ascii,0

# Statistics
tshark -r capture.pcap -q -z io,phs          # Protocol hierarchy
tshark -r capture.pcap -q -z conv,tcp        # TCP conversations
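The `-T fields` invocation above writes one tab-separated line per packet with an empty column for every field the packet does not carry, which makes it easy to apply the security-analysis filters from this sheet in a script rather than one at a time in the GUI. The example below is added here and is not part of the cheat sheet or of tshark: it parses a constructed sample of such output and reproduces three of the checks listed under "Useful Filters for Security Analysis" (dns.qry.name.len > 50, http.response.code == 401 or 403, http.request.uri contains "login"). The column list assumes the command `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e dns.qry.name -e http.request.uri -e http.response.code`; the function names and the sample lines are assumptions for this illustration.

```python
import sys
from collections import Counter

# Column order must match the -e options given to tshark (assumed command):
# tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e dns.qry.name \
#        -e http.request.uri -e http.response.code
COLUMNS = ["ip.src", "ip.dst", "dns.qry.name", "http.request.uri", "http.response.code"]

# Constructed sample of tshark -T fields output (tab-separated, default
# separator). The long label in line 3 is made up to exceed the 50-char test.
SAMPLE_OUTPUT = "\n".join([
    "\t".join(["10.0.0.5", "8.8.8.8", "www.example.com", "", ""]),
    "\t".join(["8.8.8.8", "10.0.0.5", "www.example.com", "", ""]),
    "\t".join(["10.0.0.5", "8.8.8.8",
               "a3f9c2e8b1d4f6a0c7e5b2d9f1a8c4e6b3d7f0a2.tunnel.example.net", "", ""]),
    "\t".join(["10.0.0.7", "10.0.0.20", "", "/login", ""]),
    "\t".join(["10.0.0.20", "10.0.0.7", "", "", "401"]),
    "\t".join(["10.0.0.20", "10.0.0.7", "", "", "403"]),
    "\t".join(["10.0.0.20", "10.0.0.9", "", "", "200"]),
]) + "\n"


def parse_fields(text, columns=COLUMNS):
    """Turn tshark -T fields output into one dict per packet."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = line.split("\t")
        row += [""] * (len(columns) - len(row))   # pad lines with trailing empties
        records.append(dict(zip(columns, row)))
    return records


def long_dns_names(records, threshold=50):
    """Equivalent of the display filter dns.qry.name.len > 50.
    A query and its response both carry the name, so deduplicate."""
    names = {r["dns.qry.name"] for r in records
             if len(r["dns.qry.name"]) > threshold}
    return sorted(names)


def auth_failures_by_client(records):
    """http.response.code == 401 or http.response.code == 403, tallied per
    client. A response travels server -> client, so the client is ip.dst."""
    return Counter(r["ip.dst"] for r in records
                   if r["http.response.code"] in ("401", "403"))


def login_requests(records):
    """http.request.uri contains "login", as (client, server, uri) tuples."""
    return [(r["ip.src"], r["ip.dst"], r["http.request.uri"])
            for r in records if "login" in r["http.request.uri"]]


if __name__ == "__main__":
    # Read real tshark output from a pipe, otherwise fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    recs = parse_fields(text)
    print("long DNS names:", long_dns_names(recs))
    print("401/403 per client:", dict(auth_failures_by_client(recs)))
    print("login URIs:", login_requests(recs))
```

To run it against a real capture, pipe the tshark command from the lead-in into the script; because the parser depends only on the column order, adding an `-e` field means extending COLUMNS in the same position.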