Wireshark is a GUI-based network packet analyser that lets you inspect packet data from a live network as well as from a previously captured file. Although it’s a very powerful tool, a common problem that newbies face is that it displays so much data that it becomes really difficult for them to pinpoint the actual information they are looking for. This is where Wireshark’s display filters help
Note – If you are completely new to Wireshark, it is recommended that you first go through its basic tutorial.
Here is an example of a live capture in Wireshark:
Note that a major part of the GUI is used to display information (like Time, Source, Destination, and more) about all the incoming and outgoing packets. To filter this information as per your requirement, you need to make use of the Filter box present at the top of the window.
1. Filter information based on protocol
To filter results based on a specific protocol, just write its name in the filter box and hit enter. For example, the following screen shot displays information related to the HTTP protocol:
Observe that the Protocol column contains only HTTP entries. If information related to more than one protocol is required, enter the protocol names separated by a double pipe (or a logical OR operator)
||. Here is an example:
http || arp || icmp
2. Filter information based on IP address
To filter results based on source IP, use the
ip.src filter. Here is an example:
ip.dst to filter results based on destination IP address. To display both source and destination packets with a particular IP, use the
ip.addr filter. Here is an example:
Observe that the packets with source or destination IP address as 126.96.36.199 are displayed in the output.
To exclude packets with a specific IP address, use the
!= operator. Here is an example:
3. Filter information based on port
You can also filter the captured traffic based on network ports. For example, to display only those packets that contain TCP source or destination port 80, use the
tcp.port filter. Here is an example:
Similarly, you can use
tcp.dstport to separately filter results based on TCP source and destination ports, respectively.
Wireshark also has the ability to filter results based on TCP flags. For example, to display on those TCP packets that contain SYN flag, use the
tcp.flags.syn filter. Here is an example:
Similarly, you can also filter results based on other flags like ACK, FIN, and more, by using filters like
tcp.flags.fin, and more, respectively.
4. Some other useful filters
Wireshark displays the data contained by a packet (which is currently selected) at the bottom of the window. Sometimes, while debugging a problem, it is required to filter packets based on a particular byte sequence. You can easily do that using Wireshark.
For example, TCP packets containing the 00 00 01 byte sequence can be filtered using the following way:
tcp contains 00:00:01
Moving on, just like you can filter results based on IP addresses (explained earlier), you can also filter results based on MAC addresses, using the
eth.addr filter. For example, to see all the traffic coming in and out of a machine with mac address, say AA:BB:CC:DD:EE:FF, use the following filter command:
eth.addr == AA:BB:CC:DD:EE:FF