Wireshark Filter Reference

wireshark cheatsheet filters


Filter Types

TypeWhen AppliedUse Case
Capture FilterDuring captureReduce file size, capture only relevant traffic
Display FilterAfter captureAnalyze subset of captured packets

Note: Capture filters use BPF syntax (tcpdump-style). Display filters use Wireshark’s own syntax.


Display Filter Syntax

Operators

OperatorMeaningExample
== or eqEqualsip.addr == 10.1.1.1
!= or neNot equalstcp.port != 22
> or gtGreater thanframe.len > 1000
< or ltLess thantcp.window_size < 1000
>= or geGreater or equalip.ttl >= 64
<= or leLess or equaltcp.analysis.rtt <= 0.1
containsContains stringhttp.host contains "api"
matches or ~Regex matchhttp.request.uri matches ".*\\.jpg"

Logical Operators

OperatorMeaningExample
and or &&Both trueip.src == 10.1.1.1 and tcp.port == 443
or or ||Either truetcp.port == 80 or tcp.port == 443
not or !Negatenot arp
()Grouping(tcp.port == 80 or tcp.port == 443) and ip.src == 10.1.1.1

IP Filters

FilterDescription
ip.addr == 10.1.1.1Source OR destination
ip.src == 10.1.1.1Source only
ip.dst == 10.1.1.1Destination only
ip.addr == 10.1.1.0/24Subnet (CIDR)
ip.src == 10.1.1.0/24 and ip.dst == 10.2.2.0/24Between subnets

TCP/UDP Filters

FilterDescription
tcpAll TCP traffic
udpAll UDP traffic
tcp.port == 443Source OR destination port
tcp.srcport == 443Source port
tcp.dstport == 443Destination port
tcp.port in {80 443 8080}Multiple ports
tcp.flags.syn == 1SYN packets
tcp.flags.syn == 1 and tcp.flags.ack == 0SYN only (new connections)
tcp.flags.rst == 1RST packets
tcp.flags.fin == 1FIN packets

HTTP Filters

FilterDescription
httpAll HTTP traffic
http.requestHTTP requests only
http.responseHTTP responses only
http.request.method == "GET"GET requests
http.request.method == "POST"POST requests
http.host == "example.com"Specific host
http.host contains "api"Host contains string
http.request.uri contains "/login"URI path
http.response.code == 200Status code
http.response.code >= 400Error responses

TLS/SSL Filters

FilterDescription
tlsAll TLS traffic
tls.handshakeHandshake messages
tls.handshake.type == 1Client Hello
tls.handshake.type == 2Server Hello
tls.handshake.extensions_server_nameSNI field present
tls.handshake.extensions_server_name == "example.com"Specific SNI
tls.alert_messageTLS alerts
ssl.handshake.ciphersuiteCipher suite negotiation

DNS Filters

FilterDescription
dnsAll DNS
dns.qry.name == "example.com"Query for domain
dns.qry.name contains "example"Query contains
dns.qry.type == 1A record queries
dns.qry.type == 28AAAA record queries
dns.flags.response == 1DNS responses
dns.flags.rcode != 0DNS errors

Troubleshooting Filters

Connection Issues

FilterWhat It Finds
tcp.analysis.retransmissionRetransmitted packets
tcp.analysis.fast_retransmissionFast retransmissions
tcp.analysis.duplicate_ackDuplicate ACKs
tcp.analysis.zero_windowZero window (receiver buffer full)
tcp.analysis.window_fullSender limited by receiver window
tcp.analysis.lost_segmentLost segment detected
tcp.flags.rst == 1Connection resets

Performance Issues

FilterWhat It Finds
tcp.analysis.ack_rtt > 0.2High RTT (>200ms)
frame.time_delta > 1Gaps > 1 second
tcp.window_size < 1000Small TCP window

Combined Troubleshooting

tcp.analysis.retransmission or tcp.analysis.duplicate_ack or tcp.analysis.zero_window

Capture Filters (BPF Syntax)

FilterDescription
host 10.1.1.1To or from IP
src host 10.1.1.1From IP
dst host 10.1.1.1To IP
net 10.1.1.0/24Subnet
port 443Port (TCP or UDP)
tcp port 443TCP port only
portrange 8000-8100Port range
not port 22Exclude port
host 10.1.1.1 and port 443Combined

Workflow Examples

Investigate Slow Application

# Find retransmissions between client and server
ip.addr == [client] and ip.addr == [server] and tcp.analysis.retransmission

# Check for high latency
ip.addr == [client] and ip.addr == [server] and tcp.analysis.ack_rtt > 0.1

Troubleshoot TLS Handshake Failures

# See handshake messages
ip.addr == [server] and tls.handshake

# Check for alerts
ip.addr == [server] and tls.alert_message

Find Why Connections Reset

# RST packets with context
tcp.flags.rst == 1 and ip.addr == [target]

# Follow TCP stream of a reset connection to see what happened