WIRESHARK FILTERS
Capture Only What Matters. Analyze Better, Faster.
Two Types of Filters
🔽 Capture Filters
Control which packets are captured at all.
- Applied while capturing, in libpcap / the kernel; packets excluded here are never written and cannot be recovered later
- Lower CPU, memory and disk usage, smaller capture files
- Limited to link, network and transport headers (hosts, networks, ports, protocol numbers); no application-layer fields
- Syntax: Berkeley Packet Filter (BPF), passed with -f in tshark and dumpcap
🔍 Display Filters
Refine packets that are already captured.
- Applied after capture, so changing the filter never loses data
- Protocol-aware: any dissected field (http.host, dns.qry.name, tls.handshake.type and so on) can be tested
- Syntax: Wireshark Display Filter, passed with -Y in tshark
Display Filter Basics
| Operator | Meaning |
|---|---|
| == | Equal |
| != | Not equal |
| > | Greater than |
| < | Less than |
| && | AND |
| || | OR |
| ! | NOT |
| () | Group expressions |
| contains | Field contains the given string or byte sequence (case-sensitive) |
| matches | Field matches a Perl-compatible regular expression; prefix (?i) for case-insensitive |
Note on != with multi-valued fields: ip.addr covers both source and destination. In Wireshark 3.6 and later ip.addr != 10.0.0.5 excludes the host; in older versions it matched any packet where at least one of the two addresses differed, which is almost every packet. !(ip.addr == 10.0.0.5) behaves the same in every version.
Common Wireshark Display Filters
| Filter | Description | Example / Use Case |
|---|---|---|
| ip.addr == 192.168.1.1 | Show packets to or from an IP address | Traffic involving host 192.168.1.1 |
| ip.src == 10.0.0.5 | Show packets from a source IP | Find traffic sent by 10.0.0.5 |
| ip.dst == 10.0.0.5 | Show packets to a destination IP | Find traffic sent to 10.0.0.5 |
| ip.addr == 10.0.0.5 | Show packets to or from an IP (either direction) | All traffic involving 10.0.0.5 |
| tcp.port == 80 | Show TCP packets with a given source or destination port | HTTP traffic |
| tcp.port == 443 | Show TCP packets with a given source or destination port | HTTPS traffic |
| udp.port == 53 | Show UDP packets with a given source or destination port | DNS traffic |
| tcp.flags.syn == 1 && tcp.flags.ack == 0 | Show TCP SYN packets (connection attempts) | Find connection attempts / port scans |
| http | Show HTTP traffic (by dissection, on any port Wireshark recognises) | All HTTP requests & responses |
| dns | Show DNS traffic | All DNS queries & responses |
| icmp | Show ICMP traffic | Ping & network diagnostics |
| !(arp) | Exclude ARP packets | Hide ARP, show other traffic |
| tcp.port == 80 || tcp.port == 443 | Show traffic for HTTP or HTTPS | Web traffic (HTTP/HTTPS) |
| ip.addr == 10.0.0.5 && tcp.port == 22 | Traffic with a specific IP and port | SSH traffic to/from 10.0.0.5 |
☠️ Threat Detection & Intrusion Analysis
For cybersecurity professionals
| Filter | Description | Threat / Use Case |
|---|---|---|
| tcp.flags.syn == 1 && tcp.flags.ack == 0 && !(ip.src == 10.0.0.0/8) | SYN packets from outside the internal range (replace 10.0.0.0/8 with your own address space) | External port scan / reconnaissance |
| tcp.flags == 0x29 | TCP Xmas scan: FIN (0x01) + PSH (0x08) + URG (0x20) set, nothing else | Nmap Xmas scan (-sX) detection |
| tcp.flags == 0x00 | TCP NULL scan (no flags set) | Nmap NULL scan (-sN) firewall evasion attempt |
| icmp.type == 8 && ip.src == X.X.X.X | ICMP echo requests from a single source (replace X.X.X.X with the suspect address) | ICMP flood / ping sweep |
| arp.duplicate-address-detected | Wireshark expert flag: two MAC addresses claiming the same IP | ARP spoofing / MITM attack |
| arp.opcode == 2 && arp.src.proto_ipv4 == arp.dst.proto_ipv4 | Gratuitous ARP replies (sender IP equals target IP). Poisoning replies aimed at one victim look like ordinary replies, so pair this with the duplicate-address check above | Gratuitous ARP / cache poisoning |
| smb || smb2 | All SMB protocol traffic; smb alone isolates legacy SMBv1 | Lateral movement, EternalBlue-style SMBv1 exploitation, ransomware |
| smb2.cmd == 5 && smb2.flags.response == 0 | SMB2 CREATE requests (file or named-pipe open) | Remote file access / ransomware staging |
| tcp.port == 4444 || tcp.port == 1337 || tcp.port == 31337 | Common backdoor/C2 ports (port-based only; real C2 frequently uses 443) | Metasploit default listener / reverse shell beaconing |
| tcp.port == 6667 || tcp.port == 6697 | IRC protocol ports | Botnet C2 over IRC |
| http.request.method == "POST" && http.content_type contains "application/x-www-form-urlencoded" | Form POST submissions over plaintext HTTP | Credential harvesting / data exfil |
| http.request.uri contains ".php" && http.request.method == "POST" | POST to PHP endpoints | Web shell communication |
| http.response.code == 200 && http.content_type contains "application/octet-stream" | Binary file delivery over HTTP | Malware/dropper download |
| tls.handshake.type == 1 | TLS Client Hello packets | Map all TLS connections initiated |
| tls.record.version == 0x0300 || tls.handshake.version == 0x0300 | SSLv3 in a record or handshake version field (the negotiated version is the one in the Server Hello) | POODLE attack surface / deprecated protocol |
| dns.qry.name contains ".onion" | DNS queries for .onion names. Tor resolves these inside the Tor network, so a query reaching a resolver means a misconfigured client or proxy | Tor usage / dark web C2 contact |
| dns.resp.ttl < 5 | DNS answers with extremely low TTL | Fast-flux DNS / botnet infrastructure |
| dns.qry.name.len > 50 | Unusually long DNS query names | DNS tunneling / data exfiltration |
| ip.ttl < 5 && !icmp | Non-ICMP packets with very low TTL | TTL manipulation / traceroute evasion |
| icmp && frame.len > 1400 | Oversized ICMP packets | ICMP tunneling / covert data channel |
| tcp.analysis.retransmission | TCP retransmissions | Network stress / DoS indicators |
| tcp.analysis.zero_window | TCP zero window conditions | Resource exhaustion / Slowloris-style DoS |
| ftp.request.command == "PASS" | FTP password transmission | Plaintext credential capture |
| telnet | All Telnet protocol traffic | Unencrypted remote access / keylogging |
| http.user_agent matches "(?i)(sqlmap|nikto|nmap)" | Known scanner user-agent strings, matched case-insensitively (contains is case-sensitive, and scanners can set any User-Agent) | Active scanning tool detection |
| http.request.uri matches "(?i)union.{0,4}select" || http.request.uri contains "../" | SQLi and path traversal patterns in the raw URI; attackers URL-encode, so also inspect decoded URIs | Web application attack in progress |
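To see what the TCP-flag rows above are actually testing, here is an added example, not code from the cheat sheet or from Wireshark, that decodes raw IPv4/TCP headers in Python, rebuilds the 12-bit tcp.flags value Wireshark displays, and applies the SYN-only, external-SYN, Xmas (0x29) and NULL (0x00) tests. The packets and the 10.0.0.0/8 internal range are constructed placeholders.

```python
"""Evaluate the cheat sheet's TCP-flag display filters on raw IPv4/TCP packets.

Added example, not part of the original page. It decodes the IPv4 and TCP
headers with struct, rebuilds the integer Wireshark shows as tcp.flags and
applies the SYN-only, external-SYN, Xmas (0x29) and NULL (0x00) tests.
All packets below are constructed for the demo.
"""
import ipaddress
import struct

# TCP flag bits as they appear in the low byte of tcp.flags
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG                         # 0x29, the value behind tcp.flags == 0x29
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # placeholder for the ip.src != 10.0.0.0/8 test


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Return addresses, ports and the 12-bit TCP flags field of one IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4                  # IPv4 header length in bytes
    if pkt[9] != 6:
        raise ValueError("not TCP")
    src = str(ipaddress.ip_address(pkt[12:16]))
    dst = str(ipaddress.ip_address(pkt[16:20]))
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    flags = off_flags & 0x0FFF                 # Wireshark's tcp.flags: reserved(3) + NS + 8 flags
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}


def classify(info: dict) -> str:
    """Map a decoded packet onto the cheat sheet's scan filters."""
    f = info["flags"]
    if f == 0x00:
        return "null_scan"                     # tcp.flags == 0x00
    if f == XMAS:
        return "xmas_scan"                     # tcp.flags == 0x29
    if f & SYN and not f & ACK:                # tcp.flags.syn == 1 && tcp.flags.ack == 0
        if ipaddress.ip_address(info["src"]) not in INTERNAL:
            return "external_syn"              # ... && !(ip.src == 10.0.0.0/8)
        return "syn"
    return "other"


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed packet: 20-byte IPv4 header + 20-byte TCP header, checksums left at zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


SAMPLES = {  # constructed samples; 203.0.113.0/24 is documentation space, not a real scanner
    "external_syn": build_ipv4_tcp("203.0.113.7", "10.1.2.3", 40000, 22, SYN),
    "syn":          build_ipv4_tcp("10.9.8.7", "10.1.2.3", 40001, 445, SYN),
    "xmas_scan":    build_ipv4_tcp("203.0.113.7", "10.1.2.3", 40002, 80, FIN | PSH | URG),
    "null_scan":    build_ipv4_tcp("203.0.113.7", "10.1.2.3", 40003, 80, 0),
    "other":        build_ipv4_tcp("10.1.2.3", "203.0.113.7", 443, 40000, SYN | ACK),
}


def classify_all(samples=SAMPLES) -> dict:
    """Verdict per sample name; with SAMPLES every name equals its verdict."""
    return {name: classify(parse_ipv4_tcp(pkt)) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:13s} -> {verdict}")
```

Run it directly to print one verdict per sample. The flag arithmetic is exactly what tshark -Y 'tcp.flags == 0x29' evaluates per packet; the only thing the script adds is the explicit bit values, which is why 0x29 and not, say, 0x2A is the Xmas signature.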
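The Client Hello and SSLv3 rows above, and the SNI field used in the OSINT section below, all read the same handshake message. The following added example (mine, not the page's or Wireshark's code) parses one TLS record down to the ClientHello, extracts the server_name extension that tls.handshake.extensions_server_name displays, and reports the record and handshake version fields the SSLv3 check compares against 0x0300. The ClientHello bytes, cipher suites and hostnames are constructed.

```python
"""Extract the SNI hostname and version fields from a TLS ClientHello.

Added example, not from the original cheat sheet. It walks one TLS record
(content type 22) to the ClientHello body, skips the fixed fields and pulls
the server_name extension (type 0). The ClientHello is constructed inline.
"""
import struct

SSLV3 = 0x0300  # the value behind tls.record.version == 0x0300 / tls.handshake.version == 0x0300


def parse_client_hello(rec: bytes) -> dict:
    """Return record version, handshake version, SNI and an SSLv3 verdict for one record."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", rec[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    body = rec[5:5 + rec_len]
    if body[0] != 1:                                      # tls.handshake.type == 1
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    p = 4
    hs_ver = struct.unpack("!H", body[p:p + 2])[0]
    p += 2 + 32                                           # client_version, random
    p += 1 + body[p]                                      # session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]        # cipher_suites
    p += 1 + body[p]                                      # compression_methods
    sni = None
    if p < 4 + hs_len:                                    # extensions block is optional
        ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p < ext_end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            edata = body[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype == 0:                                # server_name: list len(2), type(1), name len(2), name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii")
    return {"record_version": rec_ver, "handshake_version": hs_ver, "sni": sni,
            "sslv3": rec_ver == SSLV3 or hs_ver == SSLV3}


def build_client_hello(hostname: str, hs_ver: int = 0x0303, rec_ver: int = 0x0301) -> bytes:
    """Constructed minimal ClientHello carrying an SNI extension (not a real capture)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # host_name entry, type 0
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    exts = sni_ext + struct.pack("!HH", 23, 0)                        # plus an empty extended_master_secret
    hello = (struct.pack("!H", hs_ver) + b"\x11" * 32 + b"\x00"       # version, fixed random, empty session id
             + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"             # two cipher suites
             + b"\x01\x00"                                            # null compression only
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello              # handshake type 1 + 24-bit length
    return struct.pack("!BHH", 22, rec_ver, len(hs)) + hs


if __name__ == "__main__":
    for hello in (build_client_hello("www.example.com"),
                  build_client_hello("legacy.example.org", hs_ver=SSLV3, rec_ver=SSLV3)):
        print(parse_client_hello(hello))
```

Two things this makes visible that the filter rows alone do not: a modern ClientHello routinely carries record version 0x0301 while offering TLS 1.2 or 1.3 in the handshake field, so record version alone under-reports; and SNI is plaintext in the ClientHello, which is why it can be harvested from encrypted sessions.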
🌐 OSINT & Network Reconnaissance Filters
Passive intelligence gathering
| Filter | Description | OSINT Use Case |
|---|---|---|
| http.host | Extract all HTTP Host header values | Map all domains a host communicates with |
| dns.resp.name && dns.a | DNS A record responses | Build IP-to-domain mapping from passive DNS |
| dns.qry.type == 28 | DNS AAAA (IPv6) queries | Discover IPv6 infrastructure in use |
| dns.qry.type == 15 | DNS MX record queries | Identify mail infrastructure / mail providers |
| dns.qry.type == 16 | DNS TXT record queries | Reveal SPF, DKIM, domain verification tokens |
| tls.handshake.extensions_server_name | TLS SNI (Server Name Indication), sent in the clear in the Client Hello | Extract hostnames from encrypted HTTPS traffic |
| tls.handshake.certificate | TLS certificate in the handshake (TLS 1.2 and earlier; TLS 1.3 encrypts it) | Extract cert CN, SANs, issuer for target profiling |
| http.request.method == "GET" && http.request.uri contains "?" | GET requests with query parameters | Map API calls, track parameters passed to web apps |
| http.set_cookie | HTTP Set-Cookie headers | Session token harvesting / tracking cookie analysis |
| http.referer | HTTP Referer header | Trace navigation paths / referral chains |
| http.user_agent | HTTP User-Agent strings | OS/browser fingerprinting of client devices |
| dhcp | All DHCP traffic (the dissector was named bootp before Wireshark 3.0) | Discover hostnames, MACs, vendor IDs on the network |
| nbns | NetBIOS Name Service traffic | Enumerate Windows hostnames without DNS |
| mdns | Multicast DNS (mDNS) traffic | Discover .local devices: IoT, printers, Apple |
| ssdp | Simple Service Discovery Protocol | UPnP device enumeration on the LAN |
| eth.dst == ff:ff:ff:ff:ff:ff | All broadcast Ethernet frames | Passive network topology mapping |
| ip.dst == 255.255.255.255 | IPv4 limited-broadcast packets | Identify broadcast-heavy protocols & services |
| ip.dst == 224.0.0.0/4 | IPv4 multicast range (224.0.0.0 to 239.255.255.255) | Discover multicast groups, routing protocols |
| smtp || pop || imap | Email protocol traffic (content readable only where STARTTLS is not used) | Identify mail clients, servers, unencrypted content |
| ftp.request.command == "USER" || ftp.request.command == "PASS" | FTP authentication commands | Capture FTP credentials in plaintext |
| http.server | HTTP Server response header | Fingerprint web server software & version |
| http.x_forwarded_for | X-Forwarded-For header | Reveal original client IPs behind proxies/CDNs |
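The DNS rows in both tables (query type 28/15/16, names containing .onion, names longer than 50 characters, answer TTL under 5) come down to a handful of header fields plus the question and answer sections. This added example, not from the original page, parses a raw DNS message the way those filters see it, including the compression pointers answers use, and reports which cheat-sheet filters each constructed sample would match.

```python
"""Parse raw DNS messages and apply the cheat sheet's dns.* display filters.

Added example, not part of the original page. Names, addresses and TTLs
below are constructed placeholders.
"""
import struct

QTYPE_NAMES = {1: "A", 15: "MX", 16: "TXT", 28: "AAAA"}  # types the cheat sheet filters on


def read_name(msg: bytes, pos: int):
    """Decode a domain name at pos, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name in the current section)."""
    labels, end, jumped = [], None, False
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:                              # 2-byte pointer into an earlier name
            if not jumped:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            continue
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels), (end if jumped else pos)


def parse_dns(msg: bytes) -> dict:
    """Header, first question and answer TTLs of one DNS message (the UDP payload)."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, pos = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    ttls = []
    for _ in range(ancount):                              # RR: name, type, class, ttl, rdlength, rdata
        _, pos = read_name(msg, pos)
        _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        ttls.append(ttl)
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": qname,
            "qtype": qtype, "qtype_name": QTYPE_NAMES.get(qtype, str(qtype)),
            "name_len": len(qname),                       # approximates dns.qry.name.len (dotted form)
            "ttls": ttls}


def match_filters(d: dict) -> list:
    """Names of the cheat-sheet filters this message satisfies."""
    hits = []
    if d["qtype"] in (28, 15, 16):
        hits.append(f"dns.qry.type == {d['qtype']}")
    if ".onion" in d["qname"]:
        hits.append('dns.qry.name contains ".onion"')
    if d["name_len"] > 50:
        hits.append("dns.qry.name.len > 50")
    if d["is_response"] and d["ttls"] and min(d["ttls"]) < 5:
        hits.append("dns.resp.ttl < 5")
    return hits


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(txid: int, name: str, qtype: int) -> bytes:
    """Constructed query: RD set, one question, no other sections."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_a_response(txid: int, name: str, addrs: list, ttl: int) -> bytes:
    """Constructed response whose answers name the question via a 0xC00C pointer."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)
    for a in addrs:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in a.split("."))
    return msg


SAMPLES = {  # constructed messages; 198.51.100.0/24 is documentation address space
    "mx":        build_query(0x1001, "example.com", 15),
    "txt":       build_query(0x1002, "example.com", 16),
    "aaaa":      build_query(0x1003, "www.example.com", 28),
    "onion":     build_query(0x1004, "abcdefghijklmnop.onion", 1),
    "tunnel":    build_query(0x1005, "a" * 30 + "." + "b" * 30 + ".t.example.net", 16),
    "fast_flux": build_a_response(0x1006, "cdn.example.net", ["198.51.100.10", "198.51.100.11"], 2),
    "normal":    build_a_response(0x1007, "www.example.com", ["198.51.100.20"], 3600),
}


def scan_all(samples=SAMPLES) -> dict:
    return {name: match_filters(parse_dns(msg)) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:10s} {hits or '(no match)'}")
```

The tunnel sample trips both the TXT-type and the length filter, which is the usual shape of DNS exfiltration: encoded data in long subdomains, queried with a type whose answers can carry arbitrary text. A long name by itself also appears in legitimate CDN and anti-spam lookups, so treat the length filter as a triage cut, not a verdict.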
Capture Filter Examples (BPF Syntax)
| Filter | Description |
|---|---|
| host 192.168.1.1 | Capture traffic to or from a host |
| net 192.168.1.0/24 | Capture traffic to or from a network |
| port 80 | Capture TCP or UDP traffic with source or destination port 80 |
| host 192.168.1.1 and port 443 | Capture HTTPS traffic with a host |
| not port 22 | Capture all traffic except port 22 (useful when capturing over an SSH session) |
| tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn | Capture only TCP SYN packets (BPF equivalent of the SYN display filter) |
Tips
Use capture filters to keep captures small, but only for traffic you are sure you will never need: what they drop is gone. Capture filters cannot name protocols such as http or dns; port 80 or port 53 is the closest BPF equivalent.
Use display filters to drill down and analyze; they can be changed at any time without losing packets.
Combine filters with && and ||, and group with parentheses when mixing the two.
Save frequently used filters as named display filters or filter buttons in Wireshark for quick access.
💡 PRO TIP
Filter early. Focus sharp. Debug smart.
Wireshark gives you the visibility. Filters give you the clarity.