# Wireshark Query Cheatsheet

### Main Toolbar Items

| **TOOLBAR ITEM**                | **MENU ITEM**                      | **DESCRIPTION**                                                                                      |
| ------------------------------- | ---------------------------------- | ---------------------------------------------------------------------------------------------------- |
| **Start**                       | Capture → Start                    | Starts a capture with the same options as the previous session, or with defaults if none were set    |
| **Stop**                        | Capture → Stop                     | Stops the currently active capture                                                                   |
| **Restart**                     | Capture → Restart                  | Restarts the active capture session                                                                  |
| **Options...**                  | Capture → Options…                 | Opens the "Capture Options" dialog box                                                               |
| **Open...**                     | File → Open…                       | Opens the "File Open" dialog box to load a capture for viewing                                       |
| **Save As...**                  | File → Save As…                    | Saves the current capture file                                                                       |
| **Close**                       | File → Close                       | Closes the current capture file                                                                      |
| **Reload**                      | View → Reload                      | Reloads the current capture file                                                                     |
| **Find Packet...**              | Edit → Find Packet…                | Finds a packet based on different criteria                                                           |
| **Go Back**                     | Go → Go Back                       | Jumps back in the packet history                                                                     |
| **Go Forward**                  | Go → Go Forward                    | Jumps forward in the packet history                                                                  |
| **Go to Packet...**             | Go → Go to Packet…                 | Goes to a specific packet                                                                            |
| **Go to First Packet**          | Go → Go to First Packet            | Jumps to the first packet of the capture file                                                        |
| **Go to Last Packet**           | Go → Go to Last Packet             | Jumps to the last packet of the capture file                                                         |
| **Auto Scroll in Live Capture** | View → Auto Scroll in Live Capture | Auto-scrolls the packet list during a live capture                                                   |
| **Colorize**                    | View → Colorize                    | Toggles colorizing of the packet list                                                                |
| **Zoom In**                     | View → Zoom In                     | Zooms into the packet data (increases the font size)                                                 |
| **Zoom Out**                    | View → Zoom Out                    | Zooms out of the packet data (decreases the font size)                                               |
| **Normal Size**                 | View → Normal Size                 | Sets the zoom level back to 100%                                                                     |
| **Resize Columns**              | View → Resize Columns              | Resizes the columns so the content fits the width                                                    |

### Default Columns In a Packet Capture Output

| **NAME**              | **DESCRIPTION**                                               |
| --------------------- | ------------------------------------------------------------- |
| **No.**               | Frame number from the beginning of the packet capture         |
| **Time**              | Seconds from the first frame                                  |
| **Source (src)**      | Source address, commonly an IPv4, IPv6 or Ethernet address    |
| **Destination (dst)** | Destination address                                           |
| **Protocol**          | Protocol used in the Ethernet frame, IP packet, or TCP segment |
| **Length**            | Length of the frame in bytes                                  |

### Logical Operators

| **OPERATOR**          | **DESCRIPTION**        | **DESCRIPTION OF THE MATCH**                                                            |
| --------------------- | ---------------------- | --------------------------------------------------------------------------------------- |
| **and** or **&&**     | Logical AND            | All of the conditions must match                                                        |
| **or** or **\|\|**    | Logical OR             | At least one of the conditions must match                                               |
| **xor** or **^^**     | Logical XOR            | Exclusive alternation: exactly one of the two conditions must match, not both           |
| **not** or **!**      | Logical NOT (negation) | Inverts the condition that follows, so packets matching it are excluded                 |
| **\[ n ]**, **\[ … ]** | Substring (slice) operator | Selects a byte, character or range of a field's value, e.g. to filter on part of a string |

### Filtering Packets (Display Filters)

| **OPERATOR** | **DESCRIPTION**       | **EXAMPLE**            |
| ------------ | --------------------- | ---------------------- |
| **eq or ==** | Equal                 | ip.dst == 192.168.1.1  |
| **ne or !=** | Not equal             | ip.dst != 192.168.1.1  |
| **gt or >**  | Greater than          | frame.len > 10         |
| **lt or <**  | Less than             | frame.len < 10         |
| **ge or >=** | Greater than or equal | frame.len >= 10        |
| **le or <=** | Less than or equal    | frame.len <= 10        |

### Filter Types

| **NAME**           | **DESCRIPTION**                     |
| ------------------ | ----------------------------------- |
| **Capture filter** | Filter packets during capture       |
| **Display filter** | Hide packets from a capture display |

### Wireshark Capturing Modes

| **NAME**             | **DESCRIPTION**                                                                         |
| -------------------- | --------------------------------------------------------------------------------------- |
| **Promiscuous mode** | Sets the interface to capture all packets on the network segment it is attached to, not only those addressed to it |
| **Monitor mode**     | Sets up the wireless interface to capture all traffic it can receive (Unix/Linux only)                              |

### Miscellaneous

| **NAME**                | **DESCRIPTION**          |
| ----------------------- | ------------------------ |
| **Slice Operator**      | \[ … ] - Selects a range of bytes or characters from a field's value |
| **Membership Operator** | { … } - Tests whether a field's value is in a set (`in`)             |
| **CTRL+E**              | Start/Stop Capturing     |

### Capture Filter Syntax

| **SYNTAX** | **PROTOCOL** | **DIRECTION** | **HOSTS**   | **VALUE** | **LOGICAL OPERATOR** | **EXPRESSIONS**      |
| ---------- | ------------ | ------------- | ----------- | --------- | -------------------- | -------------------- |
| Example    | tcp          | src           | 192.168.1.1 | 80        | and                  | tcp dst 202.164.30.1 |

### Display Filter Syntax

| **SYNTAX** | **PROTOCOL** | **STRING 1** | **STRING 2** | **COMPARISON OPERATOR** | **VALUE**   | **LOGICAL OPERATOR** | **EXPRESSIONS** |
| ---------- | ------------ | ------------ | ------------ | ----------------------- | ----------- | -------------------- | --------------- |
| Example    | http         | dest         | ip           | ==                      | 192.168.1.1 | and                  | tcp port        |

### Keyboard Shortcuts - Main Display Window

| **ACCELERATOR**      | **DESCRIPTION**                                                                               | **ACCELERATOR**      | **DESCRIPTION**                                                              |
| -------------------- | --------------------------------------------------------------------------------------------- | -------------------- | ---------------------------------------------------------------------------- |
| **Tab or Shift+Tab** | Move between screen elements, e.g. from the toolbars to the packet list to the packet detail. | **Alt+→ or Option+→** | Move to the next packet in the selection history.                            |
| **↓**                | Move to the next packet or detail item.                                                       | **→**                 | In the packet detail, opens the selected tree item.                          |
| **↑**                | Move to the previous packet or detail item.                                                   | **Shift+→**           | In the packet detail, opens the selected tree item and all of its subtrees.  |
| **Ctrl+↓ or F8**     | Move to the next packet, even if the packet list isn't focused.                               | **Ctrl+→**            | In the packet detail, opens all tree items.                                  |
| **Ctrl+↑ or F7**     | Move to the previous packet, even if the packet list isn't focused.                           | **Ctrl+←**            | In the packet detail, closes all tree items.                                 |
| **Ctrl+.**           | Move to the next packet of the conversation (TCP, UDP or IP).                                 | **Backspace**         | In the packet detail, jumps to the parent node.                              |
| **Ctrl+,**           | Move to the previous packet of the conversation (TCP, UDP or IP).                             | **Return or Enter**   | In the packet detail, toggles the selected tree item.                        |

### Protocols - Values

ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp

### Common Filtering Commands

| **USAGE**                        | **FILTER SYNTAX**                                 |
| -------------------------------- | ------------------------------------------------- |
| **Wireshark Filter by IP**       | ip.addr == 10.10.50.1                             |
| **Filter by Destination IP**     | ip.dst == 10.10.50.1                              |
| **Filter by Source IP**          | ip.src == 10.10.50.1                              |
| **Filter by IP range**           | ip.addr >= 10.10.50.1 and ip.addr <= 10.10.50.100 |
| **Filter by Multiple IPs**       | ip.addr == 10.10.50.1 and ip.addr == 10.10.50.100 |
| **Filter out IP address**        | !(ip.addr == 10.10.50.1)                          |
| **Filter subnet**                | ip.addr == 10.10.50.1/24                          |
| **Filter by port**               | tcp.port == 25                                    |
| **Filter by destination port**   | tcp.dstport == 23                                 |
| **Filter by IP address and port** | ip.addr == 10.10.50.1 and tcp.port == 25         |
| **Filter by URL**                | http.host == "hostname"                           |
| **Filter by time stamp**         | frame.time >= "June 02, 2019 18:04:00"            |
| **Filter SYN flag**              | tcp.flags.syn == 1 and tcp.flags.ack == 0         |
| **Wireshark Beacon Filter**      | wlan.fc.type\_subtype == 0x08                     |
| **Wireshark broadcast filter**   | eth.dst == ff:ff:ff:ff:ff:ff                      |
| **Wireshark multicast filter**   | (eth.dst\[0] & 1)                                 |
| **Host name filter**             | ip.host == "hostname"                             |
| **MAC address filter**           | eth.addr == 00:70:f4:23:18:c4                     |
| **RST flag filter**              | tcp.flags.reset == 1                              |
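The tables above list the comparison and logical operators and the common filters, but not how they combine on a real frame. The script below is an added example written for this cheatsheet, not Wireshark's own code: a small evaluator for that subset of display-filter syntax, run against four constructed frames (the addresses, ports and MACs are made up). It shows two things the tables leave implicit: fields such as `ip.addr` and `tcp.port` occur twice per frame, so `==` matches if either occurrence does, and `!=` (with the semantics Wireshark has used since version 3.6) matches only if no occurrence is equal, which is why `ip.addr != x` and `!(ip.addr == x)` select the same frames. The function names `make_frame`, `evaluate` and `apply_filter` are this example's own.

```python
"""Evaluate a subset of Wireshark display-filter syntax against constructed frames.
Added example for this cheatsheet, not Wireshark's own code."""
import ipaddress
import operator
import re

TOKEN_RE = re.compile(r'\s*(\(|\)|&&|\|\||\^\^|!=|==|>=|<=|>|<|!|&|"[^"]*"|[^\s()&]+)')
OPS = {"==": operator.eq, "eq": operator.eq, "!=": operator.ne, "ne": operator.ne,
       ">": operator.gt, "gt": operator.gt, "<": operator.lt, "lt": operator.lt,
       ">=": operator.ge, "ge": operator.ge, "<=": operator.le, "le": operator.le,
       "&": lambda a, b: (a & b) != 0}  # bitwise test, e.g. (eth.dst[0] & 1)
# Fields such as ip.addr occur more than once per frame. Every operator matches if ANY
# occurrence does, except != which (since Wireshark 3.6) needs ALL occurrences to differ.
ALL_MATCH = {"!=", "ne"}
# Logical operators from lowest to highest precedence; "not" (in unary) binds tightest.
LEVELS = [(("or", "||"), lambda a, b: a or b), (("xor", "^^"), lambda a, b: a != b),
          (("and", "&&"), lambda a, b: a and b)]

def make_frame(src, dst, sport, dport, syn, ack, eth_dst):
    """Constructed frame: each field maps to the list of its occurrences."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return {"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst],
            "tcp.srcport": [sport], "tcp.dstport": [dport], "tcp.port": [sport, dport],
            "tcp.flags.syn": [syn], "tcp.flags.ack": [ack], "eth.dst": [eth_dst.lower()]}

# Constructed sample capture (no real network); numbered like Wireshark's No. column.
FRAMES = [
    make_frame("10.10.50.1", "10.10.50.100", 51000, 25, 1, 0, "00:70:f4:23:18:c4"),   # 1 SYN to SMTP
    make_frame("10.10.50.100", "10.10.50.1", 25, 51000, 1, 1, "00:11:22:33:44:55"),   # 2 SYN/ACK back
    make_frame("10.10.60.7", "10.10.50.255", 40000, 23, 1, 0, "ff:ff:ff:ff:ff:ff"),   # 3 broadcast
    make_frame("192.168.1.5", "224.0.0.251", 5353, 5353, 0, 0, "01:00:5e:00:00:fb"),  # 4 multicast
]

def field_values(frame, name):
    """Resolve a field; the slice operator eth.dst[n] yields byte n of each MAC address."""
    m = re.fullmatch(r"(.+)\[(\d+)\]", name)
    if m:
        return [bytes.fromhex(v.replace(":", ""))[int(m.group(2))] for v in frame.get(m.group(1), [])]
    return frame.get(name, [])

def coerce(sample, raw):
    """Convert the right-hand side of a comparison to the type of the field's values."""
    if raw.startswith('"'):
        return raw.strip('"')
    if isinstance(sample, int):
        return int(raw, 0)  # accepts 25 as well as 0x08
    if isinstance(sample, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        return ipaddress.ip_network(raw, strict=False) if "/" in raw else ipaddress.ip_address(raw)
    return raw.lower()  # MAC addresses and other plain strings

def evaluate(display_filter, frame):
    """Recursive-descent evaluation of one display filter against one frame."""
    toks = TOKEN_RE.findall(display_filter.strip())

    def binary(level=0):
        if level == len(LEVELS):
            return unary()
        words, fn = LEVELS[level]
        v = binary(level + 1)
        while toks and toks[0] in words:
            toks.pop(0)
            rhs = binary(level + 1)  # always parse the right side: no short-circuiting
            v = fn(v, rhs)
        return v

    def unary():
        if toks and toks[0] in ("not", "!"):
            toks.pop(0)
            return not unary()
        if toks and toks[0] == "(":
            toks.pop(0)
            v = binary()
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing closing parenthesis")
            return v
        return comparison()

    def comparison():
        values = field_values(frame, toks.pop(0))
        if not toks or toks[0] not in OPS:  # a bare field name tests for presence
            return bool(values)
        op, rhs = toks.pop(0), toks.pop(0)
        if not values:
            return False
        rhs = coerce(values[0], rhs)
        if isinstance(rhs, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            hits = [(v in rhs) == (op in ("==", "eq")) for v in values]  # CIDR: (in)equality only
        else:
            hits = [OPS[op](v, rhs) for v in values]
        return all(hits) if op in ALL_MATCH else any(hits)

    result = binary()
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return bool(result)

def apply_filter(display_filter, frames=FRAMES):
    """Return the 1-based frame numbers the display filter selects."""
    return [n for n, f in enumerate(frames, 1) if evaluate(display_filter, f)]
```

Try `apply_filter("ip.addr == 10.10.50.1")` (frames 1 and 2) against `apply_filter("ip.addr != 10.10.50.1")` and `apply_filter("!(ip.addr == 10.10.50.1)")` (frames 3 and 4 in both cases), then `apply_filter("(eth.dst[0] & 1)")`, which selects the broadcast and multicast frames because the low bit of the first destination byte is set. The range filter from the table, `ip.addr >= 10.10.50.1 and ip.addr <= 10.10.50.100`, also illustrates the any-occurrence rule: each half only needs one of the two addresses to satisfy it.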
