Wireshark Display Filter Cheatsheet

Quick reference for Wireshark display and capture filters covering protocol filters, HTTP, DNS, TCP analysis, statistics, and export options

Related Categories:Network

67 commands

ip.addr == {ip}

Show packets for specific IP

ip.addr == 192.168.1.1

ip.src == {ip}

Filter by source IP

ip.src == 10.0.0.1

ip.dst == {ip}

Filter by destination IP

ip.dst == 10.0.0.2

ip.addr == {cidr}

Filter by subnet

ip.addr == 192.168.1.0/24

eth.addr == {mac}

Filter by MAC address

eth.addr == aa:bb:cc:dd:ee:ff

frame.len > {n}

Frames larger than n bytes

frame.len > 1000

frame.time >= "date"

Frames after specified time

frame.time >= "2024-01-01 00:00:00"

frame.number == {n}

Show specific frame number

frame.number == 100

!(filter)

Negate filter (NOT)

!(ip.addr == 10.0.0.1)

filter1 && filter2

Combine filters with AND

ip.src == 10.0.0.1 && tcp.port == 80

filter1 || filter2

Combine filters with OR

tcp.port == 80 || tcp.port == 443

host {ip}

Capture traffic for host

host 192.168.1.1

net {cidr}

Capture by network range

net 192.168.1.0/24

port {n}

Capture traffic on port

port 443

portrange {a}-{b}

Capture port range

portrange 8000-9000

tcp

Capture TCP only

tcp

udp

Capture UDP only

udp

not broadcast

Exclude broadcast traffic

not broadcast and not multicast

tcp

TCP protocol packets

tcp

udp

UDP protocol packets

udp

icmp

ICMP protocol packets

icmp

arp

ARP protocol packets

arp

tls

TLS/SSL protocol packets

tls

ssh

SSH protocol packets

ssh

ftp

FTP protocol packets

ftp

smtp

SMTP protocol packets

smtp

http

HTTP protocol packets

http

http.request

Show HTTP requests only

http.request

http.response

Show HTTP responses only

http.response

http.request.method == "GET"

HTTP GET requests

http.request.method == "GET"

http.request.method == "POST"

HTTP POST requests

http.request.method == "POST"

http.request.uri contains "path"

Requests with URI containing string

http.request.uri contains "/api"

http.host == "domain"

HTTP requests to specific domain

http.host == "example.com"

http.response.code == {n}

Specific HTTP status code

http.response.code == 404

http.response.code >= 400

HTTP error responses

http.response.code >= 400

http.content_type contains "json"

HTTP packets with JSON content

http.content_type contains "json"

dns

DNS protocol packets

dns

dns.qry.name == "domain"

DNS queries for specific domain

dns.qry.name == "example.com"

dns.qry.name contains "str"

DNS queries containing string

dns.qry.name contains "google"

dns.qry.type == 1

A record queries

dns.qry.type == 1

dns.qry.type == 28

AAAA record queries

dns.qry.type == 28

dns.qry.type == 15

MX record queries

dns.qry.type == 15

dns.flags.response == 1

Show DNS responses only

dns.flags.response == 1

dns.flags.rcode != 0

DNS error responses

dns.flags.rcode != 0

tcp.port == {n}

Packets on specific TCP port

tcp.port == 443

tcp.flags.syn == 1

Packets with SYN flag

tcp.flags.syn == 1

tcp.flags.reset == 1

Packets with RST flag

tcp.flags.reset == 1

tcp.flags.fin == 1

Packets with FIN flag

tcp.flags.fin == 1

tcp.analysis.retransmission

TCP retransmission packets

tcp.analysis.retransmission

tcp.analysis.duplicate_ack

Duplicate ACK packets

tcp.analysis.duplicate_ack

tcp.analysis.zero_window

Zero window packets

tcp.analysis.zero_window

tcp.stream eq {n}

Follow specific TCP stream

tcp.stream eq 5

tcp.window_size < {n}

Packets with small window size

tcp.window_size < 1000

Statistics > Conversations

Show conversations between hosts

Statistics > Conversations

Statistics > Endpoints

Show endpoint statistics

Statistics > Endpoints

Statistics > Protocol Hierarchy

Protocol hierarchy statistics

Statistics > Protocol Hierarchy

Statistics > I/O Graphs

Display I/O graphs

Statistics > I/O Graphs

Statistics > Flow Graph

Display flow graph

Statistics > Flow Graph

Analyze > Follow > TCP Stream

Follow TCP stream

Analyze > Follow > TCP Stream

Analyze > Expert Information

Show expert information

Analyze > Expert Information

File > Export Objects > HTTP

Export HTTP objects

File > Export Objects > HTTP

File > Export Packet Dissections

Export packet dissections

File > Export Packet Dissections > As CSV

tshark -r {file}

Read pcap file from command line

tshark -r capture.pcap

tshark -Y "filter"

Apply display filter from CLI

tshark -Y "http.request" -r capture.pcap

tshark -T fields -e {field}

Extract specific fields

tshark -T fields -e ip.src -e ip.dst -r cap.pcap

editcap -c {n} {in} {out}

Split pcap file by packet count

editcap -c 1000 large.pcap split.pcap

mergecap -w {out} {files}

Merge multiple pcap files

mergecap -w merged.pcap file1.pcap file2.pcap