
How To Filter By Port With Wireshark

Wireshark is the world's most widely used protocol analyzer. With it you can see everything that is going on within your network, troubleshoot different problems, analyze and filter your network traffic using various tools, and more.

If you want to learn more about Wireshark and how to filter by port, keep reading.

What Exactly Is Port Filtering?


Port filtering is a way of filtering packets (messages from different network protocols) based on their port number. Port numbers are used by TCP and UDP, the best-known transport protocols. Port filtering is also a form of protection for your computer: by filtering on ports, you can choose to allow or block certain ports and so prevent particular operations within the network.

There is a well-established system of ports used for different internet services, such as file transfer, e-mail, etc. In fact, there are over 65,000 different ports. Each is either in "allow" mode or "closed" mode. Some applications on the internet can open these ports, making your computer more exposed to hackers and viruses.

By using Wireshark, you can filter packets based on their port number. Why would you want to do this? Because that way you can filter out all the packets you don't want on your computer, for whatever reason.

What Are the Important Ports?


There are 65,535 ports, divided into three categories: ports 0 – 1023 are well-known ports, assigned to common services and protocols; ports 1024 to 49151 are registered ports, assigned by ICANN to a specific service; and ports 49152 – 65535 are public ports, which can be used by any service. Different ports are used for different protocols.

If you want to learn about the most common ones, check out the following list:

Port number   Service name                                  Protocol
20, 21        File Transfer Protocol – FTP                  TCP
22            Secure Shell – SSH                            TCP and UDP
23            Telnet                                        TCP
25            Simple Mail Transfer Protocol – SMTP          TCP
53            Domain Name System – DNS                      TCP and UDP
67/68         Dynamic Host Configuration Protocol – DHCP    UDP
80            HyperText Transfer Protocol – HTTP            TCP
110           Post Office Protocol – POP3                   TCP
123           Network Time Protocol – NTP                   UDP
143           Internet Message Access Protocol – IMAP4      TCP and UDP
161/162       Simple Network Management Protocol – SNMP     TCP and UDP
443           HTTPS (HTTP over SSL/TLS)                     TCP

Analysis in Wireshark

Analysis in Wireshark means monitoring the different protocols and data inside a network.

Before you start, make sure you know the type of traffic you want to analyze and the kinds of devices that emit it:

1. Is promiscuous mode supported? If it is, your device can collect packets that were not originally intended for it.

2. What devices are inside your network? Keep in mind that different kinds of devices transmit different packets.

3. What type of traffic do you want to analyze? This depends on the devices within your network.

Knowing how to use different filters is extremely important for capturing the intended packets. Capture filters are applied before packets are captured. How do they work? By setting a specific filter, you immediately drop the traffic that does not meet the given criteria.
Within Wireshark, capture filters are written in Berkeley Packet Filter (BPF) syntax. Since this is the syntax most commonly used in packet analysis, it is important to understand how it works.

A BPF capture filter is a filtering expression. Expressions consist of one or several primitives, and a primitive consists of an identifier (the value or name you are trying to find within packets) combined with one or several qualifiers.

Qualifiers come in three kinds:

1. Type – these qualifiers specify what kind of thing the identifier represents. Type qualifiers include port, net, and host.

2. Dir (direction) – these qualifiers specify a transfer direction: "src" marks the source and "dst" marks the destination.

3. Proto (protocol) – protocol qualifiers specify the protocol you would like to capture.

You can combine different qualifiers to narrow your search. You can also use operators, for example the and operator (&&/and) and the negation operator (!/not).

Here are some examples of capture filters you can use in Wireshark:

Filter             Description
host 192.168.1.2   All traffic to or from 192.168.1.2
tcp port 22        All TCP traffic with source or destination port 22
src 192.168.1.2    All traffic originating from 192.168.1.2

It is also possible to write capture filters on protocol header fields by byte offset. The syntax is proto[offset:size]=value, where size is optional. Here, proto is the protocol whose header you want to inspect, offset is the position of the value within that header, size is the length of the field in bytes, and value is the data you are looking for.
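As an added example (not from the article), here is a small Python evaluator for that byte-offset form, run against constructed IPv4 and TCP headers rather than captured traffic, so you can see what offset and size refer to. The proto names accepted and the sample headers are assumptions made for the example.

```python
# Added example, not part of the article: evaluate a BPF-style byte-offset
# primitive, proto[offset:size]=value, against constructed protocol headers.
import re
import struct

# Constructed sample headers (not captured traffic). The IPv4 header is a
# minimal 20-byte header whose protocol field (byte 9) is 6, i.e. TCP; the TCP
# header is 20 bytes from source port 51234 to destination port 22, SYN set.
SAMPLE_IP = struct.pack("!BBHHHBBH4s4s",
                        0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                        bytes([192, 168, 1, 2]), bytes([192, 168, 1, 10]))
SAMPLE_TCP = struct.pack("!HHIIBBHHH",
                         51234, 22, 1, 0, 0x50, 0x02, 65535, 0, 0)
HEADERS = {"ip": SAMPLE_IP, "tcp": SAMPLE_TCP}

# proto[offset] or proto[offset:size], compared with = or != to a number.
PRIMITIVE = re.compile(r"^(\w+)\[(\d+)(?::(\d+))?\]\s*(=|!=)\s*(\d+)$")


def eval_primitive(expr, headers=HEADERS):
    """Return True if the header bytes selected by expr match its value.

    offset counts from the start of that protocol's header, size defaults
    to 1 byte, and the bytes are read big-endian (network order), as BPF does.
    """
    m = PRIMITIVE.match(expr.strip())
    if not m:
        raise ValueError(f"not a byte-offset primitive: {expr!r}")
    proto, offset, size, op, value = m.groups()
    offset, size, value = int(offset), int(size or 1), int(value)
    header = headers[proto]
    if offset + size > len(header):
        raise ValueError(f"{proto}[{offset}:{size}] runs past the header")
    field = int.from_bytes(header[offset:offset + size], "big")
    return field == value if op == "=" else field != value


if __name__ == "__main__":
    # tcp[2:2] is the destination port; ip[9] is the IP protocol number.
    for f in ("tcp[2:2]=22", "tcp[0:2]=22", "ip[9]=6", "tcp[13]=2"):
        print(f"{f:12} -> {eval_primitive(f)}")
```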

Display Filters in Wireshark

Unlike capture filters, display filters do not discard any packets; they simply hide them from view. This is a good option because once you discard packets you cannot recover them.

Display filters can be used to check for the presence of a certain protocol. For example, if you would like to display packets that contain a particular protocol, type the name of the protocol in Wireshark's "Display filter" toolbar.
Other Options

There are various other options you can use to analyze packets in Wireshark, depending on your needs.

1. Under the "Statistics" window in Wireshark you can find basic tools for analyzing packets. For example, the "Conversations" tool shows the traffic between two IP addresses.

2. Under the "Expert Infos" window you can analyze anomalies or uncommon behavior within your network.

Filtering by Port in Wireshark

Filtering by port in Wireshark is easy thanks to the filter bar, which lets you apply a display filter.

For example, to filter on port 80, type this into the filter bar: "tcp.port == 80". You can also write "eq" instead of "==", since "eq" means "equal".

You can also filter on multiple ports at once using the || (or) operator. For example, to filter on ports 80 and 443, type "tcp.port == 80 || tcp.port == 443" or "tcp.port eq 80 || tcp.port eq 443" into the filter bar.

Additional FAQs

How Do I Filter Wireshark by IP Address and Port?

There are several ways to filter Wireshark by IP address:

1. If you are interested in packets with a particular IP address as source or destination, type this into the filter bar: "ip.addr == x.x.x.x".

2. If you are interested in packets coming from a particular IP address, type: "ip.src == x.x.x.x".

3. If you are interested in packets going to a particular IP address, type: "ip.dst == x.x.x.x".

If you want to combine two filters, such as IP address and port number, see the next example: "ip.addr == 192.168.1.199 && tcp.port eq 443".

Since "&&" means "and", this filters by IP address (192.168.1.199) and by port number (tcp.port eq 443).
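As an added example (not from the article), the following Python mini-evaluator applies the display filters from the "Filtering by Port in Wireshark" section and this FAQ to a handful of constructed packet records. It shows that tcp.port and ip.addr match either end of a connection and that && binds tighter than ||, as in Wireshark; the packet records, the use of Wireshark field names as dictionary keys and the evaluator itself are assumptions of the example, not Wireshark's code.

```python
# Added example, not part of the article: a miniature evaluator for the
# Wireshark display filters discussed above, run over constructed packets.
import re

# Constructed sample packets (not captured traffic), keyed by Wireshark
# field names. 203.0.113.10 is a documentation address.
PACKETS = [
    {"ip.src": "192.168.1.199", "ip.dst": "203.0.113.10", "tcp.srcport": 51000, "tcp.dstport": 443},
    {"ip.src": "203.0.113.10", "ip.dst": "192.168.1.199", "tcp.srcport": 443, "tcp.dstport": 51000},
    {"ip.src": "192.168.1.199", "ip.dst": "10.0.0.5", "tcp.srcport": 51001, "tcp.dstport": 80},
    {"ip.src": "10.0.0.7", "ip.dst": "10.0.0.5", "tcp.srcport": 40000, "tcp.dstport": 22},
]

# ip.addr and tcp.port are "either direction" fields: they match when
# either the source or the destination field has the value.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"),
           "tcp.port": ("tcp.srcport", "tcp.dstport")}
# A single comparison: field == value or field eq value.
COMPARISON = re.compile(r"^\s*([\w.]+)\s*(?:==|\beq\b)\s*(\S+)\s*$")


def match_comparison(pkt, term):
    m = COMPARISON.match(term)
    if not m:
        raise ValueError(f"unsupported term: {term!r}")
    field, value = m.groups()
    # A comparison against a field the packet lacks is simply false.
    return any(str(pkt.get(name)) == value for name in ALIASES.get(field, (field,)))


def matches(pkt, expr):
    """Evaluate terms joined by && and ||; && binds tighter than ||, as in
    Wireshark. Parentheses are not supported in this miniature version."""
    return any(all(match_comparison(pkt, t) for t in clause.split("&&"))
               for clause in expr.split("||"))


def apply_filter(expr, packets=PACKETS):
    """Return the indices of the packets the display filter would show."""
    return [i for i, pkt in enumerate(packets) if matches(pkt, expr)]


if __name__ == "__main__":
    for f in ("tcp.port == 443",
              "tcp.port eq 80 || tcp.port eq 443",
              "ip.addr == 192.168.1.199 && tcp.port eq 443"):
        print(f"{f!r:50} -> packets {apply_filter(f)}")
```

Note that "tcp.port == 443" returns both directions of the same connection, which is why it is usually the right field for following a service rather than tcp.dstport alone.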
How Does Wireshark Capture Port Traffic?

Wireshark captures all the network traffic as it happens. It will capture all the port traffic and show you the port numbers in each connection.

To start a capture, follow these steps:

1. Open Wireshark.
2. Tap "Capture."
3. Select "Interfaces."
4. Tap "Start."

If you want to focus on a specific port number, use the filter bar. When you want to stop the capture, press Ctrl + E.

What Is the Capture Filter for a DHCP Option?

Dynamic Host Configuration Protocol (DHCP) is a network management protocol used to automatically assign IP addresses to devices connected to the network. With DHCP you do not have to configure each device manually.

If you want to see only the DHCP packets in Wireshark, type "bootp" in the filter bar. Why bootp? Because BOOTP is the older protocol that DHCP extends, and both use the same port numbers, 67 and 68. In Wireshark 3.0 and later the dissector has been renamed, so "dhcp" works as the display filter as well.

Why Should I Use Wireshark?

Using Wireshark has numerous advantages, some of which are:

1. It's free – you can analyze your network traffic completely free!
2. It's cross-platform – you can use Wireshark on Windows, Linux, Mac, Solaris, etc.
3. It's detailed – Wireshark offers deep analysis of numerous protocols.
4. It offers live data – captured from sources such as Ethernet, Token Ring, FDDI, Bluetooth, USB, etc.
5. It's widely used – Wireshark is the most popular network protocol analyzer.

Wireshark Doesn't Bite!

Now you have learned more about Wireshark, its abilities, and its filtering options. If you want to be able to troubleshoot and identify any type of network issue, or inspect the data coming in and out of your network to keep it secure, you should definitely try Wireshark.

Have you ever used Wireshark? Tell us about it in the comment section below.
