Network troubleshooting and analysis can be a daunting task, but tools like Wireshark make it significantly easier. Wireshark, an open-source network protocol analyzer, allows you to capture and inspect packets in real-time. However, filtering the captured data to find relevant traffic is where its true power lies. This article will walk you through a curated list of useful Wireshark filters to enhance your network analysis skills.
Why Use Filters in Wireshark?
When capturing packets on a busy network, the sheer volume of data can be overwhelming. Filters help you:
1. Narrow down traffic to relevant packets.
2. Identify specific network events or anomalies.
3. Speed up analysis and troubleshooting.
Wireshark supports two types of filters:
Capture Filters: Filters applied before starting the capture to limit incoming data.
Display Filters: Filters applied to already captured data for more focused analysis.
Essential Wireshark Filters and Their Use Cases
Here is a categorized list of Wireshark display filters, along with examples of their application:
1. IP Address Filters
Captures all traffic where 10.0.0.1 is either the source or destination.
ip.addr == 10.0.0.1
Captures all traffic to or from any address in the 10.0.0.0/24 subnet.
ip.addr == 10.0.0.0/24
Filters traffic originating from 10.0.0.1 and destined for 10.0.0.2.
ip.src == 10.0.0.1 && ip.dst == 10.0.0.2
Excludes all traffic to or from 10.0.0.1.
!(ip.addr == 10.0.0.1)
Use Case: Troubleshoot connectivity issues for a specific device or subnet.
2. ICMP Filters
Captures ICMP “destination unreachable” messages.
ICMP is a protocol used for error reporting and operational information exchange in networks.
icmp.type == 3
Real-world scenario — Detect routing issues by identifying ICMP “Time Exceeded” messages (icmp.type == 11), which indicate packets that expired in transit.
Use Case: Diagnose routing issues or unreachable hosts.
3. Protocol Filters
Captures all TCP and UDP traffic.
tcp or udp
Captures HTTP or DNS traffic.
http or dns
Matches traffic sent to TCP port 443, the port used by HTTPS, which lets network administrators isolate encrypted web traffic to secure websites.
tcp.dstport == 443
Use Case: Focus on specific protocols during web traffic analysis.
4. Port-Based Filters
Captures TCP traffic on port 80 (HTTP).
tcp.port == 80
Captures traffic originating from source port 80.
tcp.srcport == 80
Use Case: Monitor web server activity or diagnose port-specific issues.
5. TCP Flag Filters
Shows TCP packets with the SYN flag set.
The SYN flag is used to initiate a TCP connection, making it essential for connection establishment.
tcp.flags.syn == 1
Captures packets with exactly the SYN and ACK flags set (0x002 + 0x010) and no other flags.
tcp.flags == 0x012
Use Case: Analyze the start of TCP connections or detect SYN floods (DoS attacks).
6. HTTP Filters
Captures HTTP GET requests.
http.request.method == "GET"
Captures HTTP responses with a 404 error.
http.response.code == 404
Captures HTTP traffic for the host “www.abc.com”.
http.host == "www.abc.com"
Security scenario — Identify SYN Flood attacks by filtering SYN traffic without matching ACK responses.
Use Case: Debug website issues, such as missing pages or hostname mismatches.
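To make the TCP flag filters in section 5 and the SYN flood scenario above concrete, here is an added Python example (not code from the article) that parses the flags word of a raw TCP header, mirrors the `tcp.flags.syn == 1` and `tcp.flags == 0x012` filters, and counts SYNs that never received a SYN-ACK, per client address. The packet list is constructed sample data.

```python
import struct
from collections import Counter

# Flag bit values as Wireshark shows them in the 9-bit tcp.flags field
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x001, 0x002, 0x004, 0x008, 0x010


def tcp_flags(tcp_header: bytes) -> int:
    """Return tcp.flags: the low 9 bits of the data-offset/flags word (bytes 12-13)."""
    offset_flags = struct.unpack("!H", tcp_header[12:14])[0]
    return offset_flags & 0x1FF


def is_syn(flags: int) -> bool:
    """Equivalent of the display filter tcp.flags.syn == 1 (any other flags allowed)."""
    return bool(flags & FLAG_SYN)


def is_syn_ack(flags: int) -> bool:
    """Equivalent of tcp.flags == 0x012: SYN and ACK set and nothing else."""
    return flags == (FLAG_SYN | FLAG_ACK)


def make_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header (constructed sample data, checksum left zero)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)


def half_open_by_source(packets):
    """Count SYNs per client that were never answered by a SYN-ACK.

    packets: iterable of (src_ip, dst_ip, tcp_header_bytes). A SYN-ACK from the
    server is credited to its destination, i.e. the client that sent the SYN.
    """
    syns, answered = Counter(), Counter()
    for src, dst, hdr in packets:
        flags = tcp_flags(hdr)
        if is_syn_ack(flags):
            answered[dst] += 1
        elif is_syn(flags):
            syns[src] += 1
    return {ip: syns[ip] - answered[ip] for ip in syns}


# Constructed sample: one completed handshake from 10.0.0.5, three unanswered SYNs from 10.0.0.9
SAMPLE = [
    ("10.0.0.5", "10.0.0.1", make_tcp_header(40000, 80, FLAG_SYN)),
    ("10.0.0.1", "10.0.0.5", make_tcp_header(80, 40000, FLAG_SYN | FLAG_ACK)),
    ("10.0.0.9", "10.0.0.1", make_tcp_header(50001, 80, FLAG_SYN)),
    ("10.0.0.9", "10.0.0.1", make_tcp_header(50002, 80, FLAG_SYN)),
    ("10.0.0.9", "10.0.0.1", make_tcp_header(50003, 80, FLAG_SYN)),
]

if __name__ == "__main__":
    print(half_open_by_source(SAMPLE))  # {'10.0.0.5': 0, '10.0.0.9': 3}
```

A source with a large and growing half-open count is the pattern the SYN flood filters are meant to surface; in Wireshark itself, compare the counts of `tcp.flags.syn == 1 && tcp.flags.ack == 0` against `tcp.flags == 0x012`.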
7. TLS Filters
Captures all TLS handshake packets.
A TLS handshake is the process where the client and server agree on encryption methods and exchange keys for secure communication.
tls.handshake
Isolates ClientHello packets in TLS handshakes.
tls.handshake.type == 1
These filters can help identify SSL/TLS failures, especially when secure traffic fails due to TLS version mismatches.
Use Case: Troubleshoot SSL/TLS connection setups.
8. DHCP and MAC Address Filters
Captures DHCP traffic in the 10.0.0.0/24 subnet.
dhcp and ip.addr == 10.0.0.0/24
Captures DHCP traffic for a specific MAC address.
dhcp.hw.mac_addr == 00:11:22:33:44:55
Use Case: Verify DHCP leases or troubleshoot client MAC address issues.
9. DNS Filters
Captures DNS responses resolving to “cnn.com.”
dns.resp.name == "cnn.com"
Security scenario — Analyze suspicious DNS queries (DNS tunneling) using a substring filter such as:
dns.query.name contains "xyz"
Use Case: Monitor DNS resolution for specific domains.
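A `contains` match only finds names you already suspect. The added Python example below (not code from the article) first mirrors `dns.query.name contains "xyz"` over a constructed list of query names, then goes one step beyond the filter with a simple tunneling score based on name length, label count and first-label entropy, the kind of check you would apply to the names the filter surfaces. Thresholds are assumptions chosen for the sample.

```python
import math
from collections import Counter

# Constructed sample of query names: ordinary lookups mixed with tunnel-like ones
SAMPLE_QUERIES = [
    "www.cnn.com",
    "mail.xyz.example",
    "a3f9c1e0b7d2.4c8e1f.t.xyz.example",
    "MFRGGZDFMZTWQ2LKNNWW2ZLOORSXG5BRGIZTINJW.tunnel.example",
    "cdn.static.example",
]


def contains(name: str, needle: str) -> bool:
    """Equivalent of dns.query.name contains "needle": a case-sensitive substring test."""
    return needle in name


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or random-looking labels score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def tunnel_score(name: str) -> int:
    """Score 0-3: one point each for a long name, many labels, high-entropy first label.

    Thresholds (40 chars, 4 labels, 3.5 bits) are assumed values for this sample.
    """
    labels = name.split(".")
    score = 0
    if len(name) > 40:
        score += 1
    if len(labels) > 4:
        score += 1
    if shannon_entropy(labels[0].lower()) > 3.5:
        score += 1
    return score


def suspicious_queries(names, min_score: int = 2):
    """Return the names whose tunnel_score reaches min_score."""
    return [n for n in names if tunnel_score(n) >= min_score]


if __name__ == "__main__":
    print([n for n in SAMPLE_QUERIES if contains(n, "xyz")])  # substring hits, incl. mail.xyz.example
    print(suspicious_queries(SAMPLE_QUERIES))                   # only the two encoded-looking names
```

Note that the substring filter also matches the legitimate `mail.xyz.example`, while the score ignores it; in practice you would still review flagged names by hand before acting on them.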
10. Frame Content and Length Filters
Captures packets containing a specific keyword.
This is useful for searching specific data patterns, such as URLs or error messages, within packet frames.
frame contains "keyword"
Captures packets larger than 1000 bytes.
frame.len > 1000
Use Case: Inspect large packets or search for specific content within frames.
11. Ethernet Filters
Captures traffic involving a specific MAC address.
eth.addr == 00:11:22:33:44:55
Captures Ethernet frames with specific byte patterns.
eth[0x47:2] == 01:80
Use Case: Diagnose Ethernet-level issues or detect specific hardware traffic.
12. Special Filters
Excludes background traffic from ARP, ICMP, and STP protocols.
ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses, ICMP (Internet Control Message Protocol) handles error reporting and operational queries, and STP (Spanning Tree Protocol) prevents loops in Ethernet networks.
!(arp or icmp or stp)
Captures packets with VLAN ID 100.
VLANs (Virtual Local Area Networks) segment network traffic to enhance security and
vlan.id == 100
Use Case: Focus on non-broadcast traffic or VLAN-specific data.
Practical Tips for Using Wireshark Filters
- Start Broad, Then Narrow Down: Begin with general filters like ip.addr before refining to more specific ones.
- Combine Filters: Use logical operators (&&, ||, !) to combine filters for more precise results.
- Save Your Filters: If you use certain filters frequently, save them as profiles for quick access.
- Test and Validate: Always test new filters to ensure they capture the intended traffic.
Conclusion
Wireshark’s powerful filtering capabilities can save hours of manual inspection, allowing you to focus on the packets that matter. Whether you’re troubleshooting connectivity issues, monitoring for potential attacks, or analyzing specific protocols, the filters in this guide are invaluable.
For beginners, start with basic filters like http and tcp before moving to more complex ones. Additionally, consider integrating Wireshark with Snort or Zeek for advanced security analysis.
Start practicing these filters in your network environment to sharpen your analysis skills. By mastering filters, you can elevate your troubleshooting capabilities and become a more effective network professional. Happy troubleshooting!
References:
- Wireshark Official Documentation: https://www.wireshark.org/docs/
- Wireshark Filter Manual Page: https://www.wireshark.org/docs/dfref/
- Wireshark Wiki: https://wiki.wireshark.org/
- Wireshark: The Basics — Wireshark — TryHackMe Walkthrough: https://medium.com/@iritt/wireshark-the-basics-wireshark-tryhackme-walkthrough-81a83079c121
Stay vigilant, stay secure, and remember — mastering the basics of tools like Wireshark is the foundation for uncovering and resolving complex network issues.