Wireshark Display Filter

If we want to see everything whose source IP is 192.168.0.205, we can use this kind of filter (src = source):
ip.src == 192.168.0.205

and if we want to see everything whose destination IP is 192.168.0.205, we can use this kind of filter (dst = destination):
ip.dst == 192.168.0.205

Sometimes we want to see everything except the traffic that involves our own computer (let's say our computer's IP is 192.168.0.206):
!ip.addr == 192.168.0.206
This filters out everything that has something to do with IP 192.168.0.206 (as source or destination).

If we want to see everything that has something to do with our computer, we can use this kind of filter:
ip.addr == 192.168.0.206

or, with a /24 suffix, the whole 192.168.0.0/24 subnet:
ip.addr == 192.168.0.1/24

Sometimes we only want to see traffic on a specific port. Let's say we want to see all traffic on TCP port 80 (tcp.port matches either the source or the destination port):
tcp.port == 80

If we only want to see traffic on port 80 from/to our computer, we can combine the two filters:
tcp.port == 80 && ip.addr == 192.168.0.206
So use && whenever you want to combine two or more conditions.

If we want to see everything involving the MAC address 00:11:22:33:44:55, we can use a filter like this:
eth.addr == 00:11:22:33:44:55

Of course we can combine all of these, so if, for example, we want to see TCP port 22 traffic from a device whose MAC address is 00:11:22:33:44:55, we can use this kind of filter:
eth.addr == 00:11:22:33:44:55 && tcp.port == 22

If we want to see all traffic that goes to TCP port 22, we can use a filter like this:
tcp.dstport == 22

Or all traffic that comes from TCP port 22:
tcp.srcport == 22

So if we want to see all traffic that comes from IP 192.168.0.206 and goes to TCP port 22, the filter looks like this:
ip.src == 192.168.0.206 && tcp.dstport == 22

If we want to see all traffic except what uses TCP port 22, we use this kind of filter:
!(tcp.port == 22)
Note: tcp.port != 22 looks equivalent, but tcp.port holds two values per packet (source and destination port), and older Wireshark versions read that as "either port differs from 22", which is true for nearly every packet, so the port 22 traffic stays visible. The negated equality above excludes it reliably.

To filter UDP ports, just use udp.port (or udp.srcport / udp.dstport) instead of tcp.port, and so on.

If for some reason you only want to see ICMP traffic, just use the filter:
icmp

and if you want to see everything except ICMP traffic, the filter is of course:
!icmp

If you want to see frames that contain, for example, the word "password", you can use a filter like this (contains is a case-sensitive byte match):
frame contains "password"

If you want to sniff an FTP login and password, you can combine two filters:
frame contains "password" || frame contains "user"

We can also use contains on a specific field, for example http.user_agent:
http.user_agent contains "MSIE 8.0"
With that filter we display only traffic whose http.user_agent contains the string MSIE 8.0.

Of course you can use just MSIE if you don't care which version of IE the user is using:
http.user_agent contains "MSIE"

Some protocols can be filtered just by their name, for example Spanning Tree (stp):
!stp
filters all STP traffic away, but if you just want to see DNS traffic, use the filter
dns
or just DHCP traffic:
bootp
(In Wireshark 3.0 and later the DHCP dissector was renamed, so the protocol filter there is dhcp.)

== means equals
&& means AND
|| means OR
! means NOT
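As an added illustration that is not part of the original post, the following Python script is a small evaluator for the display-filter syntax covered above (==, !=, contains, &&, ||, !, CIDR values and bare protocol names) run over constructed packet records. The packet model (dicts where ip.addr and tcp.port hold two values) is an assumption that mimics Wireshark's multi-valued fields, and the script shows why the classic tcp.port != 22 kept the SSH packets while !(tcp.port == 22) excludes them.

```python
import ipaddress
import re

TOKEN = re.compile(r'\s*(\(|\)|&&|\|\||!=|==|!|"[^"]*"|[^\s()!&|="]+)')  # ( ) && || != == ! "str" word

def compare(values, op, val):
    if "/" in val and op != "contains":  # CIDR value, e.g. ip.addr == 192.168.0.1/24
        net = ipaddress.ip_network(val, strict=False)
        hits = [ipaddress.ip_address(v) in net for v in values]
    else:
        hits = [val in str(v) if op == "contains" else str(v) == val for v in values]
    # '==' and 'contains' are true if ANY value matches; classic '!=' was true if ANY value differed
    return any(not h for h in hits) if op == "!=" else any(hits)

def compile_filter(text):
    toks = TOKEN.findall(text)
    def atom():
        t = toks.pop(0)
        if t == "(":
            node = binary("||")
            assert toks.pop(0) == ")", "expected )"
            return node
        if t == "!":
            inner = atom()
            return lambda p: not inner(p)
        if toks and toks[0] in ("==", "!=", "contains"):  # field op value
            op, val = toks.pop(0), toks.pop(0).strip('"')
            return lambda p: compare(p.get(t, []), op, val)
        return lambda p: t in p  # bare protocol name such as dns, icmp, stp
    def binary(op):  # '||' binds looser than '&&', which binds looser than '!'
        sub = (lambda: binary("&&")) if op == "||" else atom
        node = sub()
        while toks and toks[0] == op:
            toks.pop(0)
            l, r = node, sub()
            node = (lambda p, l=l, r=r: l(p) or r(p)) if op == "||" else (lambda p, l=l, r=r: l(p) and r(p))
        return node
    return binary("||")
def packet(src, dst, proto, sport, dport, extra):  # ip.addr and <proto>.port carry two values, as in Wireshark
    return {"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst], proto: [], **extra,
            f"{proto}.srcport": [sport], f"{proto}.dstport": [dport], f"{proto}.port": [sport, dport]}
PACKETS = [  # constructed sample traffic, not a real capture
    packet("192.168.0.206", "192.168.0.205", "tcp", 51000, 22, {}),  # SSH from our host
    packet("192.168.0.205", "192.168.0.206", "tcp", 22, 51000, {}),  # SSH reply
    packet("192.168.0.206", "10.0.0.9", "tcp", 51001, 80, {"http.user_agent": ["MSIE 8.0"]}),
    packet("192.168.0.50", "192.168.0.1", "udp", 5353, 53, {"dns": []}),
]
def match(text, packets=PACKETS):  # indices of the packets the display filter keeps
    f = compile_filter(text)
    return [i for i, p in enumerate(packets) if f(p)]
```

Running match("tcp.port != 22") against the sample still returns both SSH packets, whereas match("!(tcp.port == 22)") drops them.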
