Wireshark Query Cheatsheet
Source=https://www.stationx.net/
Last updated
| TOOLBAR ITEM | MENU ITEM | DESCRIPTION |
|---|---|---|
| Start | Capture → Start | Uses the same packet capturing options as the previous session, or uses defaults if no options were set |
| Stop | Capture → Stop | Stops the currently active capture |
| Restart | Capture → Restart | Restarts the active capture session |
| Options... | Capture → Options… | Opens the "Capture Options" dialog box |
| Open... | File → Open… | Opens the "File Open" dialog box to load a capture for viewing |
| Save As... | File → Save As… | Saves the current capture file |
| Close | File → Close | Closes the current capture file |
| Reload | View → Reload | Reloads the current capture file |
| Find Packet... | Edit → Find Packet… | Finds a packet based on different criteria |
| Go Back | Go → Go Back | Jump back in the packet history |
| Go Forward | Go → Go Forward | Jump forward in the packet history |
| Go to Packet... | Go → Go to Packet… | Go to a specific packet |
| Go to First Packet | Go → Go to First Packet | Jump to the first packet of the capture file |
| Go to Last Packet | Go → Go to Last Packet | Jump to the last packet of the capture file |
| Auto Scroll in Live Capture | View → Auto Scroll in Live Capture | Auto scroll the packet list during live capture |
| Colorize | View → Colorize | Colorize the packet list (or not) |
| Zoom In | View → Zoom In | Zoom into the packet data (increase the font size) |
| Zoom Out | View → Zoom Out | Zoom out of the packet data (decrease the font size) |
| Normal Size | View → Normal Size | Set the zoom level back to 100% |
| Resize Columns | View → Resize Columns | Resize columns so the content fits the width |
Packet list columns

| NAME | DESCRIPTION |
|---|---|
| No. | Frame number from the beginning of the packet capture |
| Time | Seconds from the first frame |
| Source (src) | Source address, commonly an IPv4, IPv6 or Ethernet address |
| Destination (dst) | Destination address |
| Protocol | Protocol used in the Ethernet frame, IP packet, or TCP segment |
| Length | Length of the frame in bytes |
Logical operators

| OPERATOR | DESCRIPTION | EXAMPLE |
|---|---|---|
| and or && | Logical AND | All the conditions should match |
| or or \|\| | Logical OR | At least one of the conditions should match |
| xor or ^^ | Logical XOR | Exclusive alternation: exactly one of the two conditions should match, not both |
| not or ! | Not (negation) | The condition should not match |
| [n] [...] | Substring operator | Filter a specific word or text |
Comparison operators

| OPERATOR | DESCRIPTION | EXAMPLE |
|---|---|---|
| eq or == | Equal | ip.dst == 192.168.1.1 |
| ne or != | Not equal | ip.dst != 192.168.1.1 |
| gt or > | Greater than | frame.len > 10 |
| lt or < | Less than | frame.len < 10 |
| ge or >= | Greater than or equal | frame.len >= 10 |
| le or <= | Less than or equal | frame.len <= 10 |
Filter types

| NAME | DESCRIPTION |
|---|---|
| Capture filter | Filters packets during capture |
| Display filter | Hides non-matching packets from the capture display |
Capture modes

| NAME | DESCRIPTION |
|---|---|
| Promiscuous mode | Sets the interface to capture all packets on the network segment it is attached to |
| Monitor mode | Sets up the wireless interface to capture all traffic it can receive (Unix/Linux only) |
Slice and membership operators

| NAME | DESCRIPTION |
|---|---|
| Slice operator | [ … ] - range of values |
| Membership operator | {} - in |

| ACCELERATOR | DESCRIPTION |
|---|---|
| Ctrl+E | Start/Stop capturing |
Capture filter syntax

| SYNTAX | PROTOCOL | DIRECTION | HOSTS | VALUE | LOGICAL OPERATOR | EXPRESSIONS |
|---|---|---|---|---|---|---|
| Example | tcp | src | 192.168.1.1 | 80 | and | tcp dst 202.164.30.1 |
Display filter syntax

| SYNTAX | PROTOCOL | STRING 1 | STRING 2 | COMPARISON OPERATOR | VALUE | LOGICAL OPERATOR | EXPRESSIONS |
|---|---|---|---|---|---|---|---|
| Example | http | dst | ip | == | 192.168.1.1 | and | tcp port |
Keyboard shortcuts

| ACCELERATOR | DESCRIPTION |
|---|---|
| Tab or Shift+Tab | Move between screen elements, e.g. from the toolbars to the packet list to the packet detail. |
| ↓ | Move to the next packet or detail item. |
| ↑ | Move to the previous packet or detail item. |
| Ctrl+↓ or F8 | Move to the next packet, even if the packet list isn't focused. |
| Ctrl+↑ or F7 | Move to the previous packet, even if the packet list isn't focused. |
| Ctrl+. | Move to the next packet of the conversation (TCP, UDP or IP). |
| Ctrl+, | Move to the previous packet of the conversation (TCP, UDP or IP). |
| Alt+→ or Option+→ | Move to the next packet in the selection history. |
| → | In the packet detail, opens the selected tree item. |
| Shift+→ | In the packet detail, opens the selected tree item and all of its subtrees. |
| Ctrl+→ | In the packet detail, opens all tree items. |
| Ctrl+← | In the packet detail, closes all tree items. |
| Backspace | In the packet detail, jumps to the parent node. |
| Return or Enter | In the packet detail, toggles the selected tree item. |
Protocol values for capture filters: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp
Common display filters

| USAGE | FILTER SYNTAX |
|---|---|
| Wireshark filter by IP | ip.addr == 10.10.50.1 |
| Filter by destination IP | ip.dst == 10.10.50.1 |
| Filter by source IP | ip.src == 10.10.50.1 |
| Filter by IP range | ip.addr >= 10.10.50.1 and ip.addr <= 10.10.50.100 |
| Filter by multiple IPs | ip.addr == 10.10.50.1 and ip.addr == 10.10.50.100 |
| Filter out IP address | !(ip.addr == 10.10.50.1) |
| Filter subnet | ip.addr == 10.10.50.1/24 |
| Filter by port | tcp.port == 25 |
| Filter by destination port | tcp.dstport == 23 |
| Filter by IP address and port | ip.addr == 10.10.50.1 and tcp.port == 25 |
| Filter by URL | http.host == "host name" |
| Filter by time stamp | frame.time >= "June 02, 2019 18:04:00" |
| Filter SYN flag | tcp.flags.syn == 1 and tcp.flags.ack == 0 |
| Wireshark beacon filter | wlan.fc.type_subtype == 0x08 |
| Wireshark broadcast filter | eth.dst == ff:ff:ff:ff:ff:ff |
| Wireshark multicast filter | (eth.dst[0] & 1) |
| Host name filter | ip.host == "hostname" |
| MAC address filter | eth.addr == 00:70:f4:23:18:c4 |
| RST flag filter | tcp.flags.reset == 1 |