
Wireshark - most common types of filtering

Filter by IP address: displays all traffic to or from the IP, whether it appears as source or destination


ip.addr == 192.168.1.1


Filter by source address: display traffic only from IP source


ip.src == 192.168.0.1


Filter by destination: display only traffic sent to the destination IP


ip.dst == 192.168.0.1


Filter by IP subnet: display traffic to or from any host in the subnet, be it source or destination. Note the double equals: a single = is not a valid comparison operator in a display filter.


ip.addr == 192.168.0.1/24


Filter by protocol: filter traffic by protocol name


dns


http


ftp


arp


ssh


telnet


icmp


Exclude IP address: remove traffic from and to the IP address. Use the negated-equality form below rather than ip.addr != 192.168.0.1: because ip.addr carries both the source and the destination address, releases before Wireshark 4.0 read != as "either address differs", which matches almost every packet instead of excluding the host. Wireshark 4.0 changed != to mean the same as the negated equality, but the form below works in every version.


!(ip.addr == 192.168.0.1)


Display traffic between two specific subnets


ip.addr == 192.168.0.1/24 and ip.addr == 192.168.1.1/24


Display traffic between two specific workstations


ip.addr == 192.168.0.1 and ip.addr == 192.168.0.2


Filter by MAC: match frames where the address appears as either source or destination


eth.addr == 00:50:7f:c5:b6:78


Filter TCP port


tcp.port == 80


Filter TCP port source


tcp.srcport == 80


Filter TCP port destination


tcp.dstport == 80


Find user agents: match on the HTTP User-Agent header (quote string literals so they are never mistaken for field names)


http.user_agent contains "Firefox"


Exclude two browsers at once (here Firefox, as in the previous filter, and Chrome). Negating the whole OR keeps only requests that mention neither string. Writing it as !(... "Firefox") || !(... "Chrome") would match nearly every request instead, since almost no User-Agent contains both strings.


!(http.user_agent contains "Firefox" || http.user_agent contains "Chrome")


Hide background chatter: this filter does not select broadcast traffic; it excludes ARP, ICMP and DNS so the remaining conversations are easier to read. To see broadcast frames themselves, filter on the eth.dst field for the broadcast MAC address ff:ff:ff:ff:ff:ff instead.


!(arp or icmp or dns)


Filter IP address and port


tcp.port == 80 && ip.addr == 192.168.0.1


Filter all HTTP requests: http.request matches every request regardless of method, so it is not limited to GET; restrict it with the http.request.method field when only GETs are wanted


http.request


Filter all HTTP requests and responses


http.request or http.response


Filter three way handshake: the SYN from the client, the SYN/ACK from the server, and the empty ACK that completes it. The second clause relies on relative sequence numbers (seq and ack both equal to 1 with no payload), so it only works while "Relative sequence numbers" is enabled in the TCP protocol preferences, which is the default.


tcp.flags.syn==1 or (tcp.seq==1 and tcp.ack==1 and tcp.len==0 and tcp.analysis.initial_rtt)


Find files by type: this needs the matches operator, which takes a regular expression (case-insensitive by default); contains only looks for the literal byte string, so the bracketed pattern would never match with it. Treat the result as a hint, since these extensions show up in URLs, headers and file names rather than in the file data itself.


frame matches "(attachment|tar|exe|zip|pdf)"


Find traffic based on keyword: tcp contains searches only the TCP header and payload, while frame contains searches the whole packet from the Ethernet header up. Both are case-sensitive byte matches; use matches for case-insensitive or pattern searches.


tcp contains "facebook"


frame contains "facebook"


Detecting SYN floods: isolate bare SYN segments (SYN set, ACK clear). Every normal connection starts with one of these too, so a flood shows up as a large number of them aimed at one host or port with few matching SYN/ACKs in return; Statistics > Conversations, or a count per destination, turns the filter into a detection.


tcp.flags.syn == 1 and tcp.flags.ack == 0
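The following is an added example, not code from the original page and not Wireshark code. It is a small pure-Python model of how two of the filters above evaluate over packets, written to show what the filter list alone cannot: why the old "either address differs" reading of ip.addr != X kept almost every packet while !(ip.addr == X) excludes the host, and how the bare-SYN filter becomes a SYN-flood detection once bare SYNs are counted per destination against the SYN/ACKs that host sends back. The packet class, the function names and the sample packets are all constructed for this example.

```python
# Added example (not from the original page): a small pure-Python model of how
# Wireshark evaluates a couple of the filters above over packets. It is NOT
# Wireshark code; it exists to show (1) why the pre-4.0 "any value differs"
# reading of ip.addr != X kept almost every packet, unlike !(ip.addr == X), and
# (2) how the bare-SYN filter turns into a SYN-flood detection when bare SYNs
# are counted per destination against the SYN/ACKs that host sends back.
# All packets are constructed sample data, not a real capture.
from collections import Counter
from dataclasses import dataclass

SYN = 0x02   # tcp.flags.syn bit
ACK = 0x10   # tcp.flags.ack bit


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes = b""

    @property
    def ip_addr(self):
        # ip.addr is a multi-value field: it holds both src and dst.
        return (self.src, self.dst)


def addr_eq(pkt, host):
    """ip.addr == host: true if ANY of the field's values equals host."""
    return host in pkt.ip_addr


def addr_any_ne(pkt, host):
    """The pre-4.0 reading of ip.addr != host: true if ANY value differs.
    Since one endpoint is always some other host, this is nearly always true."""
    return any(a != host for a in pkt.ip_addr)


def not_addr_eq(pkt, host):
    """!(ip.addr == host): true only if NO value equals host."""
    return not addr_eq(pkt, host)


def bare_syn(pkt):
    """tcp.flags.syn == 1 and tcp.flags.ack == 0 (first packet of a handshake)."""
    return bool(pkt.flags & SYN) and not (pkt.flags & ACK)


def syn_ack(pkt):
    """tcp.flags.syn == 1 and tcp.flags.ack == 1 (the server's reply)."""
    return bool(pkt.flags & SYN) and bool(pkt.flags & ACK)


def count(packets, pred):
    return sum(1 for p in packets if pred(p))


def compare_exclusion(packets, host):
    """Packets kept by the two spellings of 'exclude host': (any-ne, not-eq)."""
    return (count(packets, lambda p: addr_any_ne(p, host)),
            count(packets, lambda p: not_addr_eq(p, host)))


def syn_flood_report(packets, threshold):
    """Per destination: (bare SYNs received, SYN/ACKs it sent back), for every
    destination whose bare-SYN count reaches threshold. A high first number
    next to a low second number is the half-open pattern of a SYN flood."""
    syns = Counter(p.dst for p in packets if bare_syn(p))
    acks = Counter(p.src for p in packets if syn_ack(p))
    return {dst: (n, acks[dst]) for dst, n in syns.items() if n >= threshold}


# Constructed sample: one normal handshake plus an HTTP GET, one unrelated
# packet, then 20 SYNs from different spoofed sources that never complete.
VICTIM = "192.168.0.10"
SAMPLE = [
    Packet("192.168.0.1", VICTIM, 51000, 80, SYN),
    Packet(VICTIM, "192.168.0.1", 80, 51000, SYN | ACK),
    Packet("192.168.0.1", VICTIM, 51000, 80, ACK),
    Packet("192.168.0.1", VICTIM, 51000, 80, ACK,
           b"GET / HTTP/1.1\r\nUser-Agent: Firefox\r\n\r\n"),
    Packet("192.168.0.5", "192.168.0.6", 40000, 22, ACK),
] + [Packet(f"10.0.0.{i}", VICTIM, 40000 + i, 443, SYN) for i in range(1, 21)]


if __name__ == "__main__":
    kept_any_ne, kept_not_eq = compare_exclusion(SAMPLE, VICTIM)
    print(f"{len(SAMPLE)} packets; ip.addr != host (any-ne) keeps {kept_any_ne}, "
          f"!(ip.addr == host) keeps {kept_not_eq}")
    for dst, (syns, acks) in syn_flood_report(SAMPLE, 5).items():
        print(f"{dst}: {syns} bare SYNs, {acks} SYN/ACKs sent back")
```

Run as a script, it reports that the any-ne reading keeps all 25 sample packets while the negated equality keeps the single packet that does not touch the victim, and that the victim received 21 bare SYNs but answered only one of them. In a real capture the same per-destination count comes from applying the page's SYN filter and opening Statistics > Conversations, or from a quick tshark pass with the same display filter.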
