Overview
Wireshark is a network protocol analyzer that captures and decodes packets from network interfaces. It provides detailed protocol analysis, powerful filtering capabilities, and comprehensive statistics. The interface consists of several key components:
- Menu and Toolbar: File operations, editing, viewing, capture controls, and analysis functions
- Capture Options: Interface selection, capture parameters, ring buffer configuration
- Packet List: Timestamps, source/destination addresses, protocol, length for each packet
- Packet Details: Decoded protocol information organized by OSI layers
- Packet Bytes: Hex and ASCII view of raw packet data
- Display Filter Input: Syntax-aware filter entry with autocomplete
Filter Types
Wireshark implements two distinct filtering mechanisms:
Display Filters operate post-capture on already-stored packets. They provide rich field-based syntax without affecting the capture process itself.
Capture Filters apply during packet acquisition using BPF (Berkeley Packet Filter) syntax. They reduce captured data volume proactively.
Display Filter Syntax
Display filters follow a consistent pattern: field operator value (for example, ip.src == 10.0.0.50).
Supported operators include:
| Operator | Description |
|---|---|
| == | Equals |
| != | Not equal |
| > | Greater than |
| < | Less than |
| >= | Greater than or equal |
| <= | Less than or equal |
IP Address Filtering
ip.src == 10.0.0.50
Filter packets from a specific source address.
ip.dst == 10.0.0.100
Filter packets destined to a specific address.
ip.addr == 10.0.0.75
Matches either source or destination address.
Port Filtering
tcp.srcport == 8080
tcp.dstport == 443
tcp.port == 80
Matches source or destination port.
Protocol Filtering
http
tcp
dns
Simple protocol name matching.
Negation
!icmp
Excludes matching packets from display.
HTTP Traffic Filtering
Basic HTTP Filtering
http
Host-Based Filtering
http.host contains "example"
Request URI Filtering
http.request.uri contains "/api/v1"
Method Filtering
http.request.method == "GET"
http.request.method == "POST"
Status Code Filtering
http.response.code == 200
Header Field Filtering
http.user_agent matches ".*Chrome.*"
Wireshark exposes common request headers as named fields such as http.user_agent; an arbitrary header line can be matched with http.request.line contains "Header-Name:".
DNS Traffic Filtering
dns
dns.qry.name == "google.com"
dns.qry.type == 1
A record queries (type 1). Use type 5 for CNAME, type 15 for MX, type 28 for AAAA.
dns.flags.rcode == 0
No error response. Non-zero values indicate failure conditions.
dns.a == 8.8.8.8
Responses containing a specific IPv4 address.
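The DNS fields used above (dns.qry.name, dns.qry.type, dns.flags.rcode, dns.a) are all decoded from the raw DNS message. The following parser is an added example, not code from Wireshark or from this page: it decodes a constructed DNS response (labels, compression pointers, question and answer sections) and evaluates the same conditions the filters express. The sample messages, transaction id and the 192.0.2.0/24 addresses are constructed test data.

```python
import struct


def _read_name(msg: bytes, offset: int):
    """Decode a DNS name at offset; follows compression pointers (0xC0xx) with a hop
    limit so a malformed message cannot send the parser into a pointer loop."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = offset + 2                       # caller resumes after the pointer
            hops += 1
            if hops > 16:
                raise ValueError("too many compression pointers")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:                                # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_dns(msg: bytes) -> dict:
    """Extract the values behind dns.flags.response, dns.flags.rcode, dns.qry.name,
    dns.qry.type and dns.a from a raw DNS message (UDP/IP headers already stripped)."""
    tid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    queries = []
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        queries.append((name, qtype))
    a_records = []
    for _ in range(ancount):
        _name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                  # A record -> dotted IPv4 (dns.a)
            a_records.append(".".join(str(b) for b in rdata))
    return {"id": tid, "response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "queries": queries, "a": a_records}


def build_response(qname: str, qtype: int, rcode: int, addresses: list) -> bytes:
    """Constructed sample message: a response (QR=1, RD=1, RA=1) answering qname with A records."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | (rcode & 0xF), 1, len(addresses), 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    question += struct.pack("!HH", qtype, 1)
    answers = b""
    for addr in addresses:
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)   # name = pointer to offset 12
        answers += bytes(int(octet) for octet in addr.split("."))
    return header + question + answers


def matches_a_query_ok(msg: bytes, name: str, address: str) -> bool:
    """Equivalent of: dns.qry.name == name && dns.qry.type == 1 && dns.flags.rcode == 0 && dns.a == address"""
    d = parse_dns(msg)
    return (name, 1) in d["queries"] and d["rcode"] == 0 and address in d["a"]


def is_failed_resolution(msg: bytes) -> bool:
    """Equivalent of: dns.flags.response == 1 && dns.flags.rcode != 0"""
    d = parse_dns(msg)
    return d["response"] and d["rcode"] != 0


# Constructed samples: a successful answer and an NXDOMAIN (rcode 3) response.
OK_RESPONSE = build_response("example.com", 1, 0, ["192.0.2.10", "192.0.2.11"])
NXDOMAIN_RESPONSE = build_response("missing.example.com", 1, 3, [])
```

Because dns.a can occur several times in one response, Wireshark's dns.a == x is true when any answer matches, which is why the equivalent here checks address in d["a"] rather than the first record only.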
TCP Session Filtering
tcp
Port-Based TCP Filtering
tcp.srcport == 22
tcp.dstport == 3306
Flag Bit Filtering
tcp.flags.syn == 1
SYN packets only.
tcp.flags.ack == 1
Acknowledgment packets.
tcp.flags.reset == 1
Connection reset packets.
Stream Identification
tcp.stream eq 5
Isolates a specific TCP conversation by stream index.
UDP Session Filtering
udp
udp.port == 53
udp.srcport == 123
udp.dstport == 67
udp.stream eq 2
ICMP Packet Filtering
icmp
Type-Based Filtering
icmp.type == 8
Echo request (ping).
icmp.type == 0
Echo reply.
icmp.type == 3
Destination unreachable.
icmp.type == 11
Time exceeded.
Code-Based Filtering
icmp.code == 0
Often used alongside type to specify precise conditions.
Advanced Display Filter Techniques
Boolean Combinations
ip.src == 192.168.1.10 && tcp.dstport == 443
AND logic: both conditions must match.
ip.addr == 192.168.1.50 || udp.port == 53
OR logic: either condition matches.
(ip.src == 10.0.0.1 && tcp.dstport == 80) || (ip.src == 10.0.0.2 && tcp.dstport == 443)
Nested boolean expressions with parentheses.
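To make the display filter grammar concrete (field operator value, the comparison operators from the table above, contains, bare field names as existence checks, and !, && and || with parentheses), here is a small evaluator added as an example; it is not Wireshark code and it implements only the general shape of the syntax, not Wireshark's full grammar. Packets are modelled as dictionaries of decoded field values, and ip.addr, tcp.port and udp.port are treated as any-of aliases for their source/destination fields, as in Wireshark. The sample packets and addresses are constructed.

```python
import re

# Token kinds: operators/punctuation, quoted strings, dotted IPv4 literals, field names, integers.
TOKEN_RE = re.compile(
    r'\s*(?:(&&|\|\||==|!=|>=|<=|>|<|!|\(|\))|("[^"]*")|(\d+(?:\.\d+){3})|([A-Za-z_][\w.]*)|(\d+))')
CMP_OPS = {"==", "!=", ">", "<", ">=", "<=", "contains"}
# Wireshark also accepts word forms of the operators (eq, and, or, not, ...).
WORD_OPS = {"and": "&&", "or": "||", "not": "!", "eq": "==", "ne": "!=",
            "gt": ">", "lt": "<", "ge": ">=", "le": "<=", "contains": "contains"}
# Fields that stand for several underlying fields; a comparison matches if any of them matches.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}


def tokenize(expr: str) -> list:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {expr[pos:]!r}")
        pos = m.end()
        op, s, ip, name, num = m.groups()
        if op:
            tokens.append(("op", op))
        elif s:
            tokens.append(("str", s[1:-1]))
        elif ip:
            tokens.append(("str", ip))
        elif name:
            tokens.append(("op", WORD_OPS[name]) if name in WORD_OPS else ("name", name))
        else:
            tokens.append(("num", int(num)))
    return tokens


class Parser:
    """Recursive descent; ! binds tighter than &&, which binds tighter than ||."""
    def __init__(self, tokens):
        self.t, self.i = tokens, 0

    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() != (None, None):
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == ("op", "||"):
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() == ("op", "&&"):
            self.take()
            node = ("and", node, self.unary())
        return node

    def unary(self):
        if self.peek() == ("op", "!"):
            self.take()
            return ("not", self.unary())
        if self.peek() == ("op", "("):
            self.take()
            node = self.or_expr()
            if self.take() != ("op", ")"):
                raise ValueError("expected ')'")
            return node
        kind, name = self.take()
        if kind != "name":
            raise ValueError(f"expected a field name, got {name!r}")
        if self.peek()[0] == "op" and self.peek()[1] in CMP_OPS:
            op = self.take()[1]
            vkind, value = self.take()
            if vkind not in ("str", "num"):
                raise ValueError(f"expected a value after {op}")
            return ("cmp", name, op, value)
        return ("exists", name)            # bare field name: present-in-packet test


def _compare(actual, op, value) -> bool:
    if op == "contains":
        return str(value) in str(actual)
    if isinstance(actual, int) != isinstance(value, int):
        return False                       # string field vs numeric literal never matches
    return {"==": actual == value, "!=": actual != value, ">": actual > value,
            "<": actual < value, ">=": actual >= value, "<=": actual <= value}[op]


def evaluate(node, pkt: dict) -> bool:
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    field = node[1]
    values = [pkt[f] for f in ALIASES.get(field, (field,)) if f in pkt]
    if kind == "exists":
        return bool(values)
    return any(_compare(v, node[2], node[3]) for v in values)   # absent field never matches


def matches(expr: str, pkt: dict) -> bool:
    return evaluate(Parser(tokenize(expr)).parse(), pkt)


# Constructed sample packets: a TLS SYN, an HTTP POST, and a DNS query.
PACKETS = [
    {"frame.len": 74, "ip.src": "192.168.1.10", "ip.dst": "10.0.0.5",
     "tcp.srcport": 51000, "tcp.dstport": 443, "tcp.flags.syn": 1},
    {"frame.len": 1514, "ip.src": "192.168.1.50", "ip.dst": "10.0.0.5",
     "tcp.srcport": 51001, "tcp.dstport": 8080,
     "http.request.method": "POST", "http.request.uri": "/api/v1/login"},
    {"frame.len": 90, "ip.src": "192.168.1.50", "ip.dst": "10.0.0.53",
     "udp.srcport": 40001, "udp.dstport": 53, "dns.qry.name": "example.com"},
]


def apply_filter(expr: str, packets=PACKETS) -> list:
    """Indices of the packets the display filter would keep in the packet list."""
    return [i for i, p in enumerate(packets) if matches(expr, p)]
```

Note the any-of semantics for aliased fields: ip.addr != 10.0.0.5 is true whenever either address differs, so it matches almost every packet; !(ip.addr == 10.0.0.5) is the unambiguous way to exclude a host. Wireshark's own treatment of != on multi-valued fields has changed between major versions, so the negated form is the safer habit.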
Range Filtering
frame.len >= 64 && frame.len <= 1500
Packet size range filtering.
Regular Expression Matching
http.request.uri matches ".*\\/users/.*"
http.host matches "^api\\..*"
Regex patterns use PCRE syntax.
Field Existence Checks
ip.options
tcp.options
Packets containing specific protocol options.
Bitwise Operations
tcp.flags & 0x02 != 0
Matches packets where SYN flag bit (0x02) is set.
tcp.flags & 0x10 != 0
Matches packets where ACK flag (0x10) is set.
tcp.flags & 0x01 != 0
FIN flag set.
frame[12:2] == 08:00
Matches specific bytes at an offset using slice notation; here the two-byte EtherType field at offset 12 of an Ethernet frame equals 0x0800 (IPv4). Byte slices are compared against colon-separated hex bytes.
Capture Filter Syntax
Capture filters use BPF syntax, distinct from display filters. They are applied before packet storage.
Host Filtering
host 10.0.0.50
src host 10.0.0.50
dst host 10.0.0.100
Port Filtering
port 80
src port 8080
dst port 443
Protocol Filtering
tcp
udp
icmp
Network Filtering
net 192.168.10.0/24
Entire subnet capture.
src net 10.0.0.0/8
Source network.
Negation
not host 10.0.0.25
not port 22
not arp
Capturing Specific Traffic
HTTP Capture
tcp port 80
TCP port 80 captures plain HTTP traffic; HTTPS normally uses port 443, so capture both with tcp port 80 or tcp port 443.
tcp port 80 and host api.example.com
Host-specific HTTP traffic.
DNS Capture
udp port 53
udp port 53 and host dns.example.com
TCP Capture Variants
tcp
src port 80
dst port 443
tcp[tcpflags] & tcp-syn != 0
SYN-only packets.
UDP Capture Variants
udp
src port 53
dst port 123
ICMP Capture Variants
icmp
icmp[icmptype] == icmp-echo
icmp[icmpcode] == 0
Advanced Capture Filter Techniques
Compound Conditions
src host 192.168.1.10 and dst port 443
net 10.0.0.0/8 and not src host 10.0.0.1
Excludes specific host from network capture.
(tcp port 80 or tcp port 443) and not host ads.example.com
Excludes advertisement domains.
Complex Boolean Logic
(src host 10.0.0.1 and dst port 80) or (src host 10.0.0.2 and dst port 443)
host server1.example.com and (tcp[tcpflags] & tcp-syn != 0)
Connection initiation to specific host.
Protocol-Specific Byte Matching
tcp[((tcp[12]&0xf0)>>2):4] == 0x47455420
Matches TCP segments whose payload starts with "GET " (hex: 47 45 54 20). The index expression skips the variable-length TCP header (data offset is the upper nibble of byte 12, in 32-bit words); tcp[0:4] on its own would compare the source and destination port fields, not the payload.
ip[0] == 0x45
IPv4 packets with no options (0x45 = version 4, IHL 5, i.e. a 20-byte header). ip[2:2] is the Total Length field, not the version/IHL byte.
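The byte-offset filters above, and the bitwise and slice display filters (tcp.flags & 0x02, frame[12:2]) earlier on the page, all depend on knowing where each header starts. This added example (not Wireshark code, not from this page) builds a constructed Ethernet/IPv4/TCP frame with zeroed checksums and implements each filter as a function, so the offsets can be checked against real bytes. MAC and 10.0.0.0/8 addresses are constructed.

```python
import struct

ETH_HDR_LEN = 14  # Ethernet II: dst MAC (6) + src MAC (6) + EtherType (2)


def build_frame(tcp_flags: int, payload: bytes = b"") -> bytes:
    """Constructed sample: Ethernet II + IPv4 (no options) + TCP (no options) + payload.
    Checksums stay zero because only header layout matters here."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, tcp_flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                         bytes([10, 0, 0, 50]), bytes([10, 0, 0, 100]))
    return eth + ip_hdr + tcp_hdr + payload


def ip_header(frame: bytes) -> bytes:
    """ip[...] in BPF indexes from here, the byte after the Ethernet header."""
    return frame[ETH_HDR_LEN:]


def tcp_segment(frame: bytes) -> bytes:
    """tcp[...] in BPF indexes from the end of the IP header (IHL * 4 bytes long)."""
    ip = ip_header(frame)
    ihl = (ip[0] & 0x0F) * 4
    return ip[ihl:]


def is_ipv4_ethertype(frame: bytes) -> bool:
    """Display filter  frame[12:2] == 08:00  (EtherType 0x0800 = IPv4)."""
    return frame[12:14] == b"\x08\x00"


def is_ipv4_without_options(frame: bytes) -> bool:
    """Capture filter  ip[0] == 0x45  (version 4, IHL 5 => 20-byte header)."""
    return ip_header(frame)[0] == 0x45


def tcp_flags(frame: bytes) -> int:
    """Display field tcp.flags / BPF tcp[tcpflags]: byte 13 of the TCP header."""
    return tcp_segment(frame)[13]


def is_syn(frame: bytes) -> bool:
    """Display filter  tcp.flags & 0x02 != 0  / capture filter  tcp[tcpflags] & tcp-syn != 0."""
    return tcp_flags(frame) & 0x02 != 0


def starts_with_get(frame: bytes) -> bool:
    """Capture filter  tcp[((tcp[12]&0xf0)>>2):4] == 0x47455420 : skip the TCP header
    (data offset = upper nibble of byte 12, counted in 32-bit words) and compare the
    first four payload bytes with "GET "."""
    tcp = tcp_segment(frame)
    data_offset = (tcp[12] & 0xF0) >> 2   # (nibble >> 4) * 4 == nibble >> 2
    return tcp[data_offset:data_offset + 4] == b"GET "


def first_four_tcp_bytes(frame: bytes) -> bytes:
    """What the incorrect filter  tcp[0:4]  actually inspects: the source and destination ports."""
    return tcp_segment(frame)[0:4]


GET_FRAME = build_frame(0x18, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")  # PSH|ACK with payload
SYN_FRAME = build_frame(0x02)                                              # bare SYN, no payload
```

On a link with VLAN tags (802.1Q) the EtherType moves to offset 16 and the IP header starts four bytes later, which is why the BPF forms index relative to the ip and tcp keywords rather than the frame start.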
Filter Optimization Strategies
Use capture filters for high-volume links: Pre-filtering at capture time reduces storage requirements.
Display filters for exploratory analysis: Post-capture filtering provides flexibility without data loss.
Indexed fields perform better: Prefer ip.addr over ip.src or ip.dst combined, as the indexed version evaluates once.
Complex expressions impact performance: Break complex boolean expressions into separate passes when analyzing large captures.
Protocol-specific fields require protocol detection: Fields like tcp.flags only exist after protocol identification; use broader protocol filters first.
Common Filter Patterns
Slow connection diagnosis:
tcp.analysis.retransmission || tcp.analysis.duplicate_ack
DNS resolution failures:
dns.flags.rcode != 0
HTTP errors:
http.response.code >= 400
Suspicious network activity:
!(tcp.port == 80 || tcp.port == 443) && frame.len > 1000
IPv6 traffic isolation:
ipv6
TLS/SSL handshake inspection:
ssl.record.content_type == 22
Content type 22 is the Handshake record type. Wireshark 3.0 and later name the protocol tls, so the equivalent field there is tls.record.content_type == 22.