
Wireshark Cheat Sheet

Default columns in a packet capture output

No.                Frame number from the beginning of the packet capture
Time               Seconds from the first frame
Source (src)       Source address, commonly an IPv4, IPv6 or Ethernet address
Destination (dst)  Destination address
Protocol           Protocol used in the Ethernet frame, IP packet, or TCP segment
Length             Length of the frame in bytes

Logical operators

Operator     Description         Example
and or &&    Logical AND         All the conditions should match
or or ||     Logical OR          Either all or one of the conditions should match
xor or ^^    Logical XOR         Exclusive alternation - only one of the two conditions should match, not both
not or !     Not (Negation)      Not equal to
[n] [...]    Substring operator  Filter a specific word or text

Filtering packets (Display Filters)

Operator   Description            Example
eq or ==   Equal                  ip.dst == 192.168.1.1
ne or !=   Not equal              ip.dst != 192.168.1.1
gt or >    Greater than           frame.len > 10
lt or <    Less than              frame.len < 10
ge or >=   Greater than or equal  frame.len >= 10
le or <=   Less than or equal     frame.len <= 10

Filter types

Capture filter   Filter packets during capture
Display filter   Hide packets from a capture display

Wireshark Capturing Modes

Promiscuous mode   Sets interface to capture all packets on a network segment to which it is associated
Monitor mode       Set up the wireless interface to capture all traffic it can receive (Unix/Linux only)

Miscellaneous

Slice Operator        [ ... ] - Range of values
Membership Operator   {} - In
CTRL+E                Start/Stop Capturing

Capture Filter Syntax

Syntax    protocol  Direction  hosts        value  Logical operator  Expressions
Example   tcp       src        192.168.1.1  80     and               tcp dst 202.164.30.1

Display Filter Syntax

Syntax    protocol  String 1  String 2  Comparison Operator  Value        Logical Operator  Expressions
Example   http      dest      ip        ==                   192.168.1.1  and               tcp port

Keyboard shortcuts - main display window

Accelerator        Description
Tab or Shift+Tab   Move between screen elements, e.g. from the toolbars to the packet list to the packet detail.
                   Move to the next packet or detail item.
                   Move to the previous packet or detail item.
Ctrl+ or F8        Move to the next packet, even if the packet list isn't focused.
Ctrl+ or F7        Move to the previous packet, even if the packet list isn't focused.
Ctrl+.             Move to the next packet of the conversation (TCP, UDP or IP).
Ctrl+,             Move to the previous packet of the conversation (TCP, UDP or IP).
Alt+ Optio         Move to the next packet in the selection history.
                   In the packet detail, opens the selected tree item.
Shift+             In the packet detail, opens the selected tree items and all of its subtrees.
Ctrl+              In the packet detail, opens all tree items.
Ctrl+              In the packet detail, closes all the tree
Backspace          In the packet detail, jumps to the parent node.
Return or Enter    In the packet detail, toggles the selected tree item.

Protocols - Values

ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp

Common Filtering commands

Usage                          Filter syntax
Wireshark Filter by IP         ip.addr == 10.10.50.1
Filter by Destination IP       ip.dst == 10.10.50.1
Filter by Source IP            ip.src == 10.10.50.1
Filter by IP range             ip.addr >= 10.10.50.1 and ip.addr <= 10.10.50.100
Filter by Multiple IPs         ip.addr == 10.10.50.1 and ip.addr == 10.10.50.100
Filter out IP address          !(ip.addr == 10.10.50.1)
Filter subnet                  ip.addr == 10.10.50.1/24
Filter by port                 tcp.port == 25
Filter by destination port     tcp.dstport == 23
Filter by ip address and port  ip.addr == 10.10.50.1 and tcp.port == 25
Filter by URL                  http.host == "host name"
Filter by time stamp           frame.time >= "June 02, 2019 18:04:00"
Filter SYN flag                tcp.flags.syn == 1
                               tcp.flags.syn == 1 and tcp.flags.ack == 0
Wireshark Beacon Filter        wlan.fc.type_subtype == 0x08
Wireshark broadcast filter     eth.dst == ff:ff:ff:ff:ff:ff
Wireshark multicast filter     (eth.dst[0] & 1)
Host name filter               ip.host == hostname
MAC address filter             eth.addr == 00:70:f4:23:18:c4
RST flag filter                tcp.flags.reset == 1

Common Filtering commands

Toolbar Item                 Menu Item                           Description
Start                        Capture → Start                     Uses the same packet capturing options as the previous session, or uses defaults if no options were set
Stop                         Capture → Stop                      Stops currently active capture
Restart                      Capture → Restart                   Restart active capture session
Options...                   Capture → Options...                Opens "Capture Options" dialog box
Open...                      File → Open...                      Opens "File open" dialog box to load a capture for viewing
Save As...                   File → Save As...                   Save current capture file
Close                        File → Close                        Close current capture file
Reload                       File → Reload                       Reload current capture file
Find Packet...               Edit → Find Packet...               Find packet based on different criteria
Go back                      Go → Go back                        Jump back in the packet history
Go Forward                   Go → Go Forward                     Jump forward in the packet history
Go to Packet...              Go → Go to Packet...                Go to specific packet
Go to First Packet           Go → Go to First Packet             Jump to first packet of the capture file
Go to Last Packet            Go → Go to Last Packet              Jump to last packet of the capture file
Auto Scroll in Live Capture  View → Auto Scroll in Live Capture  Auto scroll packet list during live capture
Colorize                     View → Colorize                     Colorize the packet list (or not)
Zoom In                      View → Zoom In                      Zoom into the packet data (increase the font size)
Zoom Out                     View → Zoom Out                     Zoom out of the packet data (decrease the font size)
Normal Size                  View → Normal Size                  Set zoom level back to 100%
Resize Columns               View → Resize Columns               Resize columns, so the content fits the width

Find more StationX Cheat Sheets here - https://www.stationx.net/category/cheat-sheets/
