# Wireshark Query Cheatsheet


### Main Toolbar Items

| **TOOLBAR ICON**                                                                                                                                                          | **TOOLBAR ITEM**                | **MENU ITEM**                      | **DESCRIPTION**                                                                                         |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- | ---------------------------------- | ------------------------------------------------------------------------------------------------------- |
| <img src="https://cdn.shortpixel.ai/spai/w_114+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/Start-1.png" alt="" data-size="original">           | **Start**                       | Capture → Start                    | Uses the same packet capturing options as the previous session, or uses defaults if no options were set |
| <img src="https://cdn.shortpixel.ai/spai/w_122+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/Stop.png" alt="" data-size="original">              | **Stop**                        | Capture → Stop                     | Stops currently active capture                                                                          |
| <img src="https://cdn.shortpixel.ai/spai/w_119+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/Restart.png" alt="" data-size="original">           | **Restart**                     | Capture → Restart                  | Restart active capture session                                                                          |
| <img src="https://cdn.shortpixel.ai/spai/w_102+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/options.png" alt="" data-size="original">           | **Options...**                  | Capture → Options…                 | Opens "Capture Options" dialog box                                                                      |
| <img src="https://cdn.shortpixel.ai/spai/w_114+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/open.png" alt="" data-size="original">              | **Open...**                     | File → Open…                       | Opens "File open" dialog box to load a capture for viewing                                              |
| <img src="https://cdn.shortpixel.ai/spai/w_114+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/save-as.png" alt="" data-size="original">           | **Save As...**                  | File → Save As…                    | Save current capture file                                                                               |
| <img src="https://cdn.shortpixel.ai/spai/w_104+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/close.png" alt="" data-size="original">             | **Close**                       | File → Close                       | Close current capture file                                                                              |
| <img src="https://cdn.shortpixel.ai/spai/w_108+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/reload.png" alt="" data-size="original">            | **Reload**                      | View → Reload                      | Reload current capture file                                                                             |
| <img src="https://cdn.shortpixel.ai/spai/w_93+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/find-packet.png" alt="" data-size="original">        | **Find Packet...**              | Edit → Find Packet…                | Find packet based on different criteria                                                                 |
| <img src="https://cdn.shortpixel.ai/spai/w_98+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/go-back.png" alt="" data-size="original">            | **Go Back**                     | Go → Go Back                       | Jump back in the packet history                                                                         |
| <img src="https://cdn.shortpixel.ai/spai/w_108+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/go-forwards.png" alt="" data-size="original">       | **Go Forward**                  | Go → Go Forward                    | Jump forward in the packet history                                                                      |
| <img src="https://cdn.shortpixel.ai/spai/w_113+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/go-to-packet.png" alt="" data-size="original">      | **Go to Packet...**             | Go → Go to Packet…                 | Go to specific packet                                                                                   |
| <img src="https://cdn.shortpixel.ai/spai/w_98+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/go-to-first-packet.png" alt="" data-size="original"> | **Go to First Packet**          | Go → Go to First Packet            | Jump to first packet of the capture file                                                                |
| <img src="https://cdn.shortpixel.ai/spai/w_102+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/go-to-last-packet.png" alt="" data-size="original"> | **Go to Last Packet**           | Go → Go to Last Packet             | Jump to last packet of the capture file                                                                 |
| <img src="https://cdn.shortpixel.ai/spai/w_126+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/Auto-scroll.png" alt="" data-size="original">       | **Auto Scroll in Live Capture** | View → Auto Scroll in Live Capture | Auto scroll packet list during live capture                                                             |
| <img src="https://cdn.shortpixel.ai/spai/w_131+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/colorize.png" alt="" data-size="original">          | **Colorize**                    | View → Colorize                    | Colorize the packet list (or not)                                                                       |
| <img src="https://cdn.shortpixel.ai/spai/w_108+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/zoom-in.png" alt="" data-size="original">           | **Zoom In**                     | View → Zoom In                     | Zoom into the packet data (increase the font size)                                                      |
| <img src="https://cdn.shortpixel.ai/spai/w_105+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/zoom-out.png" alt="" data-size="original">          | **Zoom Out**                    | View → Zoom Out                    | Zoom out of the packet data (decrease the font size)                                                    |
| <img src="https://cdn.shortpixel.ai/spai/w_104+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/normal-size.png" alt="" data-size="original">       | **Normal Size**                 | View → Normal Size                 | Set zoom level back to 100%                                                                             |
| <img src="https://cdn.shortpixel.ai/spai/w_114+q_lossless+ret_img+to_webp/www.stationx.net/wp-content/uploads/2020/07/resize-column.png" alt="" data-size="original">     | **Resize Columns**              | View → Resize Columns              | Resize columns, so the content fits the width                                                           |

### Default Columns In a Packet Capture Output

| **NAME**              | **DESCRIPTION**                                               |
| --------------------- | ------------------------------------------------------------- |
| **No**.               | Frame number from the beginning of the packet capture         |
| **Time**              | Seconds from the first frame                                  |
| **Source (src)**      | Source address, commonly an IPv4, IPv6 or Ethernet address    |
| **Destination (dst)** | Destination address                                           |
| **Protocol**          | Protocol used in the Ethernet frame, IP packet, or TCP segment |
| **Length**            | Length of the frame in bytes                                  |

### Logical Operators

| **OPERATOR**      | **DESCRIPTION**    | **MEANING**                                                                  |
| ----------------- | ------------------ | ---------------------------------------------------------------------------- |
| **and** or **&&** | Logical AND        | All the conditions should match                                              |
| **or** or **\|\|** | Logical OR        | Either all or one of the conditions should match                             |
| **xor** or **^^** | Logical XOR        | Exclusive alternation: only one of the two conditions should match, not both |
| **not** or **!**  | Not (Negation)     | Not equal to                                                                 |
| **\[ n ] \[ … ]** | Substring operator | Filter a specific word or text                                               |

### Filtering Packets (Display Filters)

| **OPERATOR** | **DESCRIPTION**       | **EXAMPLE**               |
| ------------ | --------------------- | ------------------------- |
| **eq or ==** | Equal                 | ip.dst == 192.168.1.1     |
| **ne or !=** | Not equal             | ip.dst != 192.168.1.1     |
| **gt or >**  | Greater than          | frame.len > 10            |
| **lt or <**  | Less than             | frame.len < 10            |
| **ge or >=** | Greater than or equal | frame.len >= 10           |
| **le or <=** | Less than or equal    | frame.len <= 10           |

### Filter Types

| **NAME**           | **DESCRIPTION**                     |
| ------------------ | ----------------------------------- |
| **Capture filter** | Filter packets during capture       |
| **Display filter** | Hide packets from a capture display |

### Wireshark Capturing Modes

| **NAME**             | **DESCRIPTION**                                                                         |
| -------------------- | --------------------------------------------------------------------------------------- |
| **Promiscuous mode** | Sets the interface to capture all packets on the network segment it is attached to      |
| **Monitor mode**     | Sets up the wireless interface to capture all traffic it can receive (Unix/Linux only)  |

### Miscellaneous

| **NAME**                | **DESCRIPTION**          |
| ----------------------- | ------------------------ |
| **Slice Operator**      | \[ … ] - Range of values |
| **Membership Operator** | {} - In                  |
| **CTRL+E**              | Start/Stop Capturing     |

### Capture Filter Syntax

| **SYNTAX** | **PROTOCOL** | **DIRECTION** | **HOSTS**   | **VALUE** | **LOGICAL OPERATOR** | **EXPRESSIONS**      |
| ---------- | ------------ | ------------- | ----------- | --------- | -------------------- | -------------------- |
| Example    | tcp          | src           | 192.168.1.1 | 80        | and                  | tcp dst 202.164.30.1 |

### Display Filter Syntax

| **SYNTAX** | **PROTOCOL** | **STRING 1** | **STRING 2** | **COMPARISON OPERATOR** | **VALUE**   | **LOGICAL OPERATOR** | **EXPRESSIONS** |
| ---------- | ------------ | ------------ | ------------ | ----------------------- | ----------- | -------------------- | --------------- |
| Example    | http         | dest         | ip           | ==                      | 192.168.1.1 | and                  | tcp port        |

### Keyboard Shortcuts - Main Display Window

| **ACCELERATOR**      | **DESCRIPTION**                                                                               | **ACCELERATOR**      | **DESCRIPTION**                                                              |
| -------------------- | --------------------------------------------------------------------------------------------- | -------------------- | ---------------------------------------------------------------------------- |
| **Tab or Shift+Tab** | Move between screen elements, e.g. from the toolbars to the packet list to the packet detail. | **Alt+→ or Option→** | Move to the next packet in the selection history.                            |
| **↓**                | Move to the next packet or detail item.                                                       | **→**                | In the packet detail, opens the selected tree item.                          |
| **↑**                | Move to the previous packet or detail item.                                                   | **Shift+→**          | In the packet detail, opens the selected tree items and all of its subtrees. |
| **Ctrl+ ↓ or F8**    | Move to the next packet, even if the packet list isn't focused.                               | **Ctrl+→**           | In the packet detail, opens all tree items.                                  |
| **Ctrl+ ↑ or F7**    | Move to the previous packet, even if the packet list isn't focused.                           | **Ctrl+←**           | In the packet detail, closes all tree items.                                 |
| **Ctrl+.**           | Move to the next packet of the conversation (TCP, UDP or IP).                                 | **Backspace**        | In the packet detail, jumps to the parent node.                              |
| **Ctrl+,**           | Move to the previous packet of the conversation (TCP, UDP or IP).                             | **Return or Enter**  | In the packet detail, toggles the selected tree item.                        |

### Protocols - Values

ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp

### Common Filtering Commands

| **USAGE**                        | **FILTER SYNTAX**                                 |
| -------------------------------- | ------------------------------------------------- |
| **Wireshark Filter by IP**       | ip.addr == 10.10.50.1                             |
| **Filter by Destination IP**     | ip.dst == 10.10.50.1                              |
| **Filter by Source IP**          | ip.src == 10.10.50.1                              |
| **Filter by IP range**           | ip.addr >= 10.10.50.1 and ip.addr <= 10.10.50.100 |
| **Filter by Multiple IPs**       | ip.addr == 10.10.50.1 and ip.addr == 10.10.50.100 |
| **Filter out IP address**        | ! (ip.addr == 10.10.50.1)                         |
| **Filter subnet**                | ip.addr == 10.10.50.1/24                          |
| **Filter by port**               | tcp.port == 25                                    |
| **Filter by destination port**   | tcp.dstport == 23                                 |
| **Filter by IP address and port** | ip.addr == 10.10.50.1 and tcp.port == 25         |
| **Filter by URL**                | http.host == "host name"                          |
| **Filter by time stamp**         | frame.time >= "June 02, 2019 18:04:00"            |
| **Filter SYN flag**              | tcp.flags.syn == 1 and tcp.flags.ack == 0         |
| **Wireshark Beacon Filter**      | wlan.fc.type\_subtype == 0x08                     |
| **Wireshark broadcast filter**   | eth.dst == ff:ff:ff:ff:ff:ff                      |
| **Wireshark multicast filter**   | (eth.dst\[0] & 1)                                 |
| **Host name filter**             | ip.host == hostname                               |
| **MAC address filter**           | eth.addr == 00:70:f4:23:18:c4                     |
| **RST flag filter**              | tcp.flags.reset == 1                              |
