Wireshark is a popular network traffic analysis tool used to diagnose network connections and to see what various programs and protocols are doing on the wire. To pick the traffic you care about out of everything passing through the network card, you use Wireshark filters. For novice administrators, applying filters in Wireshark raises a number of questions. In this article we have collected basic examples of Wireshark filters (by IP address, protocol, port, MAC address, etc.) that will be useful for a quick start.
There are two types of Wireshark filters: capture filters (BPF syntax, applied while capturing, so packets that do not match are never saved) and display filters (applied to packets that are already captured). The two use different syntax and are not interchangeable. In this article we focus only on display filters, which help you find specific traffic quickly.
Filters are entered at the top of the Wireshark window, in the Apply a display filter field. The field turns green when the expression is valid, red when it is not, and yellow when it is valid but may not do what you expect (for example a deprecated form).
A Wireshark filter is a string in which you specify one or more conditions on packet fields. The comparison operators are listed below; each also has a text alias that can be used instead of the symbol:
Operator | Text alias | Meaning |
== | eq | equals |
!= | ne | not equal |
> | gt | greater than |
< | lt | less than |
>= | ge | greater than or equal to |
<= | le | less than or equal to |
contains | | the field contains the given substring (text or bytes) |
matches | ~ | the field matches a Perl-compatible regular expression |
Note that contains is a substring test, not an exact match: http.host == "google.com" only matches that exact value, while http.host contains "google" also matches "blog.google.com". Since Wireshark 3.6, != on a field that occurs more than once in a frame (ip.addr, tcp.port) means "no occurrence is equal", the same as !(field == value); the older "some occurrence differs" reading is available as ~= (any_ne).
To combine several conditions (rules), the logical operators are used, again in a text and a symbolic form:
Text operator | Symbolic operator | Meaning |
and | && | Logical AND |
or | || | Logical OR |
xor | ^^ | Exclusive OR |
not | ! | Logical NOT |
in | (text form only) | Set membership: tcp.port in {80 443 8080}; a range inside the set is written 8000..8180 |
[…] | (slice) | Byte range of a field: eth.src[0:3] == 00:2a:3b tests only the first three bytes (the vendor OUI) |
Parentheses group conditions, and a bare field name (for example http.host) is itself a condition that is true whenever the field is present in the packet.
You can use filters based on traffic direction:
- filter with .src shows only traffic FROM the specified source value
- filter with .dst shows traffic TO the specified target value
- filter with .addr is used to filter traffic in BOTH directions
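As an added example (not code from the original article or from the Wireshark project), the following Python model reproduces the rule behind the direction fields and the operators above: a field such as ip.addr occurs twice in one frame, and a relation is true when any occurrence satisfies it, with != being the exception since Wireshark 3.6. The frames, addresses and host names are constructed for the demonstration, and the set form ip.addr in {lo .. hi} is shown as the correct way to ask for an address that really lies in a range.

```python
import re
from ipaddress import ip_address, ip_network


def ipv4_frame(src, dst, extra=None):
    """Constructed frame: Wireshark field name -> list of values.
    ip.addr carries BOTH addresses, exactly as Wireshark populates it."""
    frame = {"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst]}
    frame.update(extra or {})
    return frame


# Constructed sample frames (addresses, ports and names are made up).
FRAMES = [
    ipv4_frame("192.168.30.1", "192.168.30.77",
               {"tcp.port": [52110, 80], "http.host": ["blog.google.com"]}),
    ipv4_frame("10.0.0.5", "192.168.30.1", {"udp.port": [53444, 53]}),
    ipv4_frame("172.16.10.5", "172.16.10.60", {"tcp.port": [40000, 8443]}),
    ipv4_frame("172.16.10.20", "8.8.8.8",
               {"tcp.port": [44320, 443], "http.host": ["static.poweradm.com"]}),
]


def _key(v):
    """Compare dotted IPv4 strings as addresses; numbers and other text as-is."""
    if isinstance(v, str):
        try:
            return ip_address(v)
        except ValueError:
            return v
    return v


def _in_set(value, members):
    # Members are plain values or (low, high) tuples, i.e. {80 443 8000..8180}.
    for m in members:
        if isinstance(m, tuple):
            if _key(m[0]) <= _key(value) <= _key(m[1]):
                return True
        elif m == value:
            return True
    return False


def _test_one(value, op, operand):
    """Apply a single relation to a single occurrence of a field."""
    if op == "==":
        if isinstance(operand, str) and "/" in operand:   # ip.addr == 192.168.30.0/24
            return ip_address(value) in ip_network(operand, strict=False)
        return value == operand
    if op in (">", ">=", "<", "<="):
        a, b = _key(value), _key(operand)
        return {">": a > b, ">=": a >= b, "<": a < b, "<=": a <= b}[op]
    if op == "contains":
        return operand in str(value)
    if op == "matches":
        return re.search(operand, str(value)) is not None
    if op == "in":
        return _in_set(value, operand)
    raise ValueError("unknown operator " + op)


def evaluate(frame, field, op, operand):
    """Wireshark semantics: a relation holds if ANY occurrence of the field
    satisfies it. The exception is '!=', which since Wireshark 3.6 means ALL
    occurrences differ (identical to !(field == x)); the older 'any occurrence
    differs' reading survives as '~=' (any_ne)."""
    values = frame.get(field, [])
    if op == "!=":
        return all(not _test_one(v, "==", operand) for v in values)
    if op == "~=":
        return any(not _test_one(v, "==", operand) for v in values)
    return any(_test_one(v, op, operand) for v in values)


def matching(field, op, operand):
    """Indexes of FRAMES selected by one condition."""
    return [i for i, f in enumerate(FRAMES) if evaluate(f, field, op, operand)]


def address_range(lo, hi):
    """Three ways to ask for 'an address between lo and hi'. The && form checks
    each half against both addresses independently, so a frame whose src is
    below the range and whose dst is above it still matches; filtering on
    ip.src, or the set form ip.addr in {lo .. hi}, does not have that problem."""
    both_halves = [i for i, f in enumerate(FRAMES)
                   if evaluate(f, "ip.addr", ">=", lo) and evaluate(f, "ip.addr", "<=", hi)]
    src_only = [i for i, f in enumerate(FRAMES)
                if evaluate(f, "ip.src", ">=", lo) and evaluate(f, "ip.src", "<=", hi)]
    in_range = matching("ip.addr", "in", [(lo, hi)])
    return both_halves, src_only, in_range


if __name__ == "__main__":
    print("ip.addr == 192.168.30.0/24     ->", matching("ip.addr", "==", "192.168.30.0/24"))
    print("ip.addr != 192.168.30.1 (3.6+) ->", matching("ip.addr", "!=", "192.168.30.1"))
    print("ip.addr ~= 192.168.30.1 (old)  ->", matching("ip.addr", "~=", "192.168.30.1"))
    print("tcp.port in {80 443 8080}      ->", matching("tcp.port", "in", [80, 443, 8080]))
    print("http.host contains poweradm    ->", matching("http.host", "contains", "poweradm.com"))
    print("172.16.10.10 .. 172.16.10.50   ->", address_range("172.16.10.10", "172.16.10.50"))
```

Running it shows why the article writes exclusions as !(ip.addr == x): on Wireshark releases before 3.6, ip.addr != x kept every frame (some address always differed), while the negated form drops every frame that touches the host on any version.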
Filter | Meaning |
ip.addr ip.src ip.dst ip.host | Filter by IPv4 address (ip.host is the resolved host name, so it only works with name resolution enabled) |
ipv6.addr ipv6.src ipv6.dst | Filter by IPv6 address |
tcp tcp.port tcp.dstport tcp.srcport | TCP filters |
udp udp.port udp.dstport udp.srcport | UDP filters |
arp arp.src.hw_mac arp.src.proto_ipv4 arp.dst.hw_mac arp.dst.proto_ipv4 | ARP filters (sender and target MAC and IPv4 addresses) |
icmp icmpv6 icmp.type | ICMP filters |
eth eth.addr eth.dst eth.src | Ethernet filters |
dns dns.qry.name dns.resp.name | DNS queries and responses |
http http2 http.host http.request http.content_type | HTTP protocol |
sip rtp rtcp raw_sip iax2 | Filters for IP telephony traffic |
rdp | Remote Desktop Protocol |
vnc | Virtual Network Computing |
l2tp | Layer 2 Tunneling Protocol |
ldap | Lightweight Directory Access Protocol |
openvpn | OpenVPN protocol |
ppp | Point-to-Point Protocol |
pppoe pppoed pppoes | PPP-over-Ethernet (all, discovery stage, session stage) |
pptp | Point-to-Point Tunneling Protocol |
smtp imap pop | Mail application protocols |
ftp tftp uftp | File transfer protocols (FTP, TFTP, UFTP) |
ssh | Secure Shell |
Below are the most popular examples of Wireshark filters:
Filters by IP address:
ip.addr == 192.168.30.0/24
(any packet with a source or destination address in that subnet)
!(ip.addr == 192.168.30.1)
(exclude every packet that involves this host; on Wireshark versions before 3.6 this is the only reliable form, because ip.addr != 192.168.30.1 there only required one of the two addresses to differ)
ip.src == 192.168.11.22 && ip.dst == 192.168.22.11
(one direction of one conversation)
ip.addr >= 172.16.10.10 && ip.addr <= 172.16.10.50
(each half is checked against both addresses separately, so a packet from 172.16.10.5 to 172.16.10.60 also matches; use ip.src or ip.dst instead, or the set form ip.addr in {172.16.10.10 .. 172.16.10.50}, when you need an address that actually lies in the range)
Host name filters:
tcp contains "poweradm.com"
(byte-string search across the whole TCP segment on any port, so it also catches names carried by protocols other than HTTP)
http.host == "blog.google.com"
(exact match on the HTTP Host header)
http.host contains "poweradm.com"
(substring match on the HTTP Host header, so it also matches blog.poweradm.com)
http.host
(all packets that have a Host field in the HTTP header)
These filters look at HTTP, not at DNS, and they only work for plain-text HTTP: for HTTPS the name is visible in the TLS Server Name Indication (tls.handshake.extensions_server_name), and to see the lookups themselves filter on the DNS dissector, for example dns.qry.name contains "poweradm.com".
Filters by TCP or UDP ports:
tcp.port == 443
tcp.dstport == 80
udp.srcport == 53
tcp.dstport>=8000 && tcp.dstport<=8180
DHCP filters:
udp.dstport == 67
(client-to-server DHCP traffic; udp.port == 67 || udp.port == 68 covers both directions)
dhcp.option.dhcp
(packets carrying the DHCP Message Type option; in Wireshark versions before 3.0 the dissector was called bootp and the field was bootp.option.dhcp)
Filters by MAC address:
eth.src == 00:2a:3b:4e:5c:6d
eth.dst == 00:2a:3b:4e:5c:6d
Content filters:
http.content_type contains "jpeg"
http.content_type contains "image"
http.content_type contains "xml"
http.request.uri contains "rar"
Filters for ICMP:
icmp
(all ICMP traffic)
icmp.type==8
(echo requests, i.e. outgoing pings)
icmp.type==0
(echo replies, i.e. ping responses)
icmp.type==3
(destination unreachable messages)
HTTP header filters:
http.content_type == "text/plain"
(by the value of the Content-Type field)
http.request.method == "POST"
http.request.method == "GET"
(by HTTP request method)
http.response.code == 404
http.response.code != 200
(by HTTP response code)
http.server == "nginx"
(by the value of the Server field; == is an exact match, and most servers report a version such as nginx/1.18.0, so http.server contains "nginx" is usually what you want)
Filters for analyzing SIP traffic:
sip
rtp
rtcp
rtpevent
(RTP is only recognised automatically when the SIP/SDP call setup is in the capture; otherwise use Decode As, or enable "Try to decode RTP outside of conversations" in the RTP protocol preferences)
udp.srcport >= 10000 && udp.srcport <= 20000
(a typical RTP media port range; adjust it to what your PBX uses)
udp.port == 5060 || tcp.port == 5060
(SIP signalling on its default port over either transport)
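To try the filters in this article without capturing live traffic, here is an added example (not part of the original article, and not Wireshark code) that writes a small pcap file from constructed packets using only the Python standard library and, if tshark is installed, runs each filter with tshark -Y (tshark accepts the same display-filter syntax as the GUI field). All addresses, MACs, host names and payloads are made up; the expected match counts are for these five frames only.

```python
import os
import shutil
import struct
import subprocess
import tempfile

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap format, microsecond timestamps
LINKTYPE_ETHERNET = 1


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IPv4 header, ICMP, TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def ether(src_mac: str, dst_mac: str, payload: bytes) -> bytes:
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + payload      # EtherType IPv4


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                      proto, 0, ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]     # fill checksum
    return hdr + payload


def icmp_echo(icmp_type: int, ident: int = 1, seq: int = 1) -> bytes:
    """type 8 = echo request (ping), type 0 = echo reply."""
    msg = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"wireshark-filter-demo"
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    # UDP checksum 0 means "none", which is legal over IPv4.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def dns_query(name: str) -> bytes:
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload  # PSH|ACK
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 6, len(seg))
    return seg[:16] + struct.pack("!H", checksum(pseudo + seg)) + seg[18:]


CLIENT, SERVER = "192.168.30.10", "192.168.30.1"
CLIENT_MAC, SERVER_MAC = "00:2a:3b:4e:5c:6d", "00:11:22:33:44:55"


def sample_frames():
    """Five constructed frames: ping request/reply, a DNS query, an HTTP request and its response."""
    req = b"GET /files/tools.rar HTTP/1.1\r\nHost: blog.google.com\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n\r\nok"
    return [
        ether(CLIENT_MAC, SERVER_MAC, ipv4(CLIENT, SERVER, 1, icmp_echo(8))),
        ether(SERVER_MAC, CLIENT_MAC, ipv4(SERVER, CLIENT, 1, icmp_echo(0))),
        ether(CLIENT_MAC, SERVER_MAC, ipv4(CLIENT, SERVER, 17, udp(53444, 53, dns_query("blog.google.com")))),
        ether(CLIENT_MAC, SERVER_MAC, ipv4(CLIENT, SERVER, 6, tcp(CLIENT, SERVER, 52110, 80, req))),
        ether(SERVER_MAC, CLIENT_MAC, ipv4(SERVER, CLIENT, 6, tcp(SERVER, CLIENT, 80, 52110, resp))),
    ]


def build_pcap(frames) -> bytes:
    out = struct.pack("!IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("!IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def count_records(pcap: bytes) -> int:
    """Walk the records back out of a pcap blob (sanity check for build_pcap)."""
    n, off = 0, 24
    while off < len(pcap):
        incl = struct.unpack("!IIII", pcap[off:off + 16])[2]
        off, n = off + 16 + incl, n + 1
    return n


# Display filters from the article and how many of the five frames each should select.
EXPECTED = [
    ("icmp", 2), ("icmp.type == 8", 1), ("icmp.type == 0", 1),
    ("udp.dstport == 53", 1), ('dns.qry.name == "blog.google.com"', 1),
    ("tcp.dstport == 80", 1), ('http.host == "blog.google.com"', 1),
    ('http.request.uri contains "rar"', 1), ("http.response.code == 200", 1),
    ('http.server == "nginx"', 0),           # exact match fails: the header says nginx/1.18.0
    ('http.server contains "nginx"', 1),
    ("eth.src == 00:2a:3b:4e:5c:6d", 3), ("ip.addr == 192.168.30.0/24", 5),
]


def tshark_matches(pcap_path: str, display_filter: str) -> int:
    """Number of frames tshark selects with -Y; one frame number per output line."""
    res = subprocess.run(["tshark", "-r", pcap_path, "-Y", display_filter,
                          "-T", "fields", "-e", "frame.number"],
                         capture_output=True, text=True, check=True)
    return len(res.stdout.split())


if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "filters-demo.pcap")
    with open(path, "wb") as fh:
        fh.write(build_pcap(sample_frames()))
    print("wrote", path)
    if shutil.which("tshark") is None:
        print("tshark not found; open the file in Wireshark and try the filters by hand")
    else:
        for flt, want in EXPECTED:
            got = tshark_matches(path, flt)
            print(f"{'ok ' if got == want else 'BAD'} {flt:40} -> {got} frames (expected {want})")
```

The HTTP frames are deliberately sent without a preceding TCP handshake; Wireshark still dissects them as HTTP because the port is 80, but it will flag the missing segments in the Expert Info, which is itself a useful reminder that display filters only see what the dissectors recognise.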