Popular Wireshark Filters (by IP, protocol, MAC, etc.)


Wireshark is a popular network traffic analysis tool used to diagnose network connections and to see what programs and protocols are doing on the wire. To narrow down the traffic passing through a network interface, Wireshark uses filters. Applying them raises a number of questions for novice administrators, so this article collects basic examples of Wireshark filters (by IP address, protocol, port, MAC address, etc.) that are useful for a quick start.

There are two types of Wireshark filters: capture filters and display filters. A capture filter is written in BPF syntax (for example, host 192.168.30.1) and decides which packets are recorded at all; a display filter uses the syntax described below and only hides packets that have already been captured. In this article, we focus only on display filters, which help you find specific traffic quickly.

Filters are set at the top of the Wireshark window in the Apply a display filter field.


A Wireshark display filter is a string in which you specify one or more conditions on protocol fields. The following comparison operators are available:

Operator    Meaning
==          equal to
!=          not equal to
>           greater than
<           less than
>=          greater than or equal to
<=          less than or equal to
contains    the field contains the given string or byte sequence (substring match, not an exact match)
matches     the field matches a Perl-compatible regular expression (case-insensitive)

To combine several conditions (rules), logical operators are used. Each has a text form and a symbolic form:

Text operator   Symbolic operator   Meaning
and             &&                  Logical AND
or              ||                  Logical OR
xor             ^^                  Exclusive OR
not             !                   Logical NOT
in                                  Membership in a set of values, e.g. tcp.port in {80 443 8080}
[…]                                 Slice: selects a byte range of a field, e.g. eth.src[0:3] == 00:2a:3b

When mixing and/or/not in one expression, use parentheses to make the grouping explicit.

You can use filters based on traffic direction:

  • a filter with .src shows only traffic FROM the specified source value
  • a filter with .dst shows only traffic TO the specified destination value
  • a filter with .addr matches traffic in BOTH directions (it is checked against both the source and the destination field)

Commonly used filter fields by protocol:

Filter                                                          Meaning
ip.addr ip.src ip.dst ip.host                                   IPv4 filters
ipv6.addr ipv6.src ipv6.dst                                     IPv6 filters
tcp tcp.port tcp.dstport tcp.srcport                            TCP filters
udp udp.port udp.dstport udp.srcport                            UDP filters
arp arp.src.hw_mac arp.src.proto_ipv4 arp.dst.hw_mac arp.dst.proto_ipv4   ARP filters
icmp icmpv6 icmp.type                                           ICMP filters
eth eth.addr eth.dst eth.src                                    Ethernet filters
http http2 http.host http.request http.content_type             HTTP filters
sip rtp rtcp raw_sip iax2                                       IP telephony filters
rdp                                                             Remote Desktop Protocol
vnc                                                             Virtual Network Computing
l2tp                                                            Layer 2 Tunneling Protocol
ldap                                                            Lightweight Directory Access Protocol
openvpn                                                         OpenVPN protocol
ppp                                                             Point-to-Point Protocol
pppoe pppoed pppoes                                             PPP over Ethernet (discovery and session stages)
pptp                                                            Point-to-Point Tunneling Protocol
smtp imap pop                                                   Mail application protocols
ftp tftp uftp                                                   File transfer protocols (FTP, TFTP, UFTP)
ssh                                                             Secure Shell

Below are the most popular examples of Wireshark filters:

Filters by IP address:

ip.addr == 192.168.30.0/24 (all traffic to or from the 192.168.30.0/24 subnet)
!(ip.addr == 192.168.30.1) (all traffic except packets to or from this host)
ip.src == 192.168.11.22 && ip.dst == 192.168.22.11
ip.addr >= 172.16.10.10 && ip.addr <= 172.16.10.50

Note the form of the exclusion filter. Because ip.addr is evaluated against both the source and the destination address, the expression ip.addr != 192.168.30.1 in Wireshark versions before 3.6 meant "any of the two addresses differs", so it still matched most packets involving that host. !(ip.addr == 192.168.30.1) gives the intended result in every version.
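To make the direction semantics concrete, here is an added example (not from the article and not Wireshark's own code) that builds a few raw IPv4/TCP frames with Python's struct module, parses out the fields the filters above refer to, and evaluates the same expressions against them. The frames, MAC and IP addresses are constructed test data; the functions eq, not_eq, any_ne and in_range are this example's own model of how Wireshark evaluates ==, !( == ), the legacy != and a numeric range on a field such as ip.addr that has one value per direction.

```python
"""Added example: how Wireshark display filters match multi-valued fields.

ip.addr, tcp.port and eth.addr are not stored fields; Wireshark checks them
against both the source and the destination field, so one packet has two
values for ip.addr.  This model reproduces that behaviour on constructed
frames so the article's IP filters can be seen matching (or not).
"""
import ipaddress
import struct


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port):
    """Build a minimal Ethernet II + IPv4 + TCP SYN frame (constructed test
    data; checksums stay zero because nothing here validates them)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp


def parse_frame(frame):
    """Extract the fields used by the article's filters, keyed by Wireshark field name."""
    fields = {"eth.dst": frame[0:6].hex(":"), "eth.src": frame[6:12].hex(":")}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
        return fields
    ihl = (frame[14] & 0x0F) * 4
    fields["ip.src"] = str(ipaddress.IPv4Address(frame[26:30]))
    fields["ip.dst"] = str(ipaddress.IPv4Address(frame[30:34]))
    if frame[23] == 6:                                     # TCP
        off = 14 + ihl
        fields["tcp.srcport"], fields["tcp.dstport"] = struct.unpack("!HH", frame[off:off + 4])
    return fields


# .addr / .port aliases expand to the source and destination fields.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"),
           "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "eth.addr": ("eth.src", "eth.dst")}


def values(fields, name):
    return [fields[n] for n in ALIASES.get(name, (name,)) if n in fields]


def eq(fields, name, value):
    """'name == value': true if ANY occurrence of the field equals value.
    A CIDR value matches when the address lies inside the subnet."""
    if "/" in str(value):
        net = ipaddress.ip_network(value, strict=False)
        return any(ipaddress.ip_address(v) in net for v in values(fields, name))
    return any(v == value for v in values(fields, name))


def any_ne(fields, name, value):
    """Legacy 'name != value' (Wireshark before 3.6): true if ANY occurrence
    differs, so ip.addr != X still matches packets to or from X."""
    return any(v != value for v in values(fields, name))


def not_eq(fields, name, value):
    """'!(name == value)': true only when NO occurrence equals value."""
    return not eq(fields, name, value)


def in_range(fields, name, low, high):
    """'name >= low && name <= high' on a numeric field."""
    return any(low <= v <= high for v in values(fields, name))


# Constructed four-packet "capture": a TLS exchange with 192.168.30.1,
# a connection from another host in the same /24, and one from 172.16.10.20.
FRAMES = [
    build_frame("00:2a:3b:4e:5c:6d", "00:11:22:33:44:55", "192.168.30.1", "10.0.0.5", 51234, 443),
    build_frame("00:11:22:33:44:55", "00:2a:3b:4e:5c:6d", "10.0.0.5", "192.168.30.1", 443, 51234),
    build_frame("00:2a:3b:4e:5c:6d", "00:11:22:33:44:55", "192.168.30.77", "10.0.0.5", 40000, 8080),
    build_frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "172.16.10.20", "10.0.0.5", 40001, 22),
]


def apply(predicate):
    """Return the 1-based frame numbers (Wireshark's No. column) the filter matches."""
    return [i for i, f in enumerate(FRAMES, 1) if predicate(parse_frame(f))]


def demo():
    return {
        "ip.addr == 192.168.30.0/24": apply(lambda p: eq(p, "ip.addr", "192.168.30.0/24")),
        "ip.src == 192.168.30.1": apply(lambda p: eq(p, "ip.src", "192.168.30.1")),
        "!(ip.addr == 192.168.30.1)": apply(lambda p: not_eq(p, "ip.addr", "192.168.30.1")),
        "ip.addr != 192.168.30.1 (pre-3.6)": apply(lambda p: any_ne(p, "ip.addr", "192.168.30.1")),
        "tcp.dstport >= 8000 && tcp.dstport <= 8180": apply(lambda p: in_range(p, "tcp.dstport", 8000, 8180)),
        "eth.src == 00:2a:3b:4e:5c:6d": apply(lambda p: eq(p, "eth.src", "00:2a:3b:4e:5c:6d")),
    }


if __name__ == "__main__":
    for flt, frames in demo().items():
        print(f"{flt:45} -> frames {frames}")
```

Running it shows the subnet filter picking up frames 1, 2 and 3 (the host appears as source in one packet and as destination in the other), the !(ip.addr == ...) form excluding both packets of the 192.168.30.1 exchange, and the legacy != form matching all four frames because the other address always differs.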

Host name filters:

tcp contains "poweradm.com" (searches the TCP payload of every segment for this string; this is not a DNS filter, it matches any unencrypted TCP data containing the name)
http.host == "blog.google.com" (exact match on the HTTP Host header)
http.host contains "poweradm.com" (substring match on the HTTP Host header)
http.host (all packets that carry a Host field in the HTTP header)

None of these inspect DNS traffic itself; to filter actual DNS queries by name, use the dns protocol's query-name field (dns.qry.name).

Filters by TCP or UDP ports:

tcp.port == 443
tcp.dstport == 80
udp.srcport == 53
tcp.dstport >= 8000 && tcp.dstport <= 8180

DHCP filters:

udp.dstport == 67 (client-to-server DHCP traffic)
bootp.option.dhcp (DHCP message type option)

In Wireshark 3.0 and later the bootp dissector was renamed dhcp, so the field is dhcp.option.dhcp and the protocol filter is simply dhcp; the bootp names still work only in older releases.

Filters by MAC address:

eth.src == 00:2a:3b:4e:5c:6d
eth.dst == 00:2a:3b:4e:5c:6d

Content filters:

http.content_type contains "jpeg"
http.content_type contains "image"
http.content_type contains "xml"
http.request.uri contains "rar"

Filters for ICMP:

icmp
icmp.type == 0 (echo reply, i.e. ping responses)
icmp.type == 3 (destination unreachable messages)

HTTP header filters:

http.content_type == "text/plain" (by the value of the Content-Type header)
http.request.method == "POST"
http.request.method == "GET"
http.response.code == 404 (by HTTP response code)
http.response.code != 200 (by HTTP response code)
http.server == "nginx" (by the value of the Server header)

Filters for analyzing SIP traffic:

sip
rtp
rtcp
rtpevent
udp.srcport >= 10000 && udp.srcport <= 20000 (RTP media streams; 10000-20000 is a common PBX default, adjust it to the range your PBX is configured to use)
udp.port == 5060 || tcp.port == 5060 (SIP signalling)
