Wireshark Review
My Favorite Wireshark Filters


Wireshark is hands down one of the best analysis tools on the planet. It is intuitive, simple to use, and gives the depth needed to find problems in today's network and application environments. Sometimes it can be tough to remember some of the filtering commands though, so here is a list of some of my favorites:

1. !(ip.addr==10.0.0.1) [displays everything except IP traffic to or from 10.0.0.1]
2. ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP addresses]
3. http or dns [sets a filter to display all http and dns]
4. tcp.port==4000 [sets a filter for any TCP packet with 4000 as a source or dest port]
5. tcp.flags.reset==1 [displays all TCP resets]
6. http.request [displays all HTTP GET requests]
7. tcp contains traffic [displays all TCP packets that contain the word 'traffic'. Excellent when searching on a specific string or user ID]
8. !(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols may be background noise, allowing you to focus on the traffic of interest]
9. udp contains 2069999999 [sets a filter for the number string, great when trying to locate a specific caller ID in a VoIP capture]
10. tcp.analysis.retransmission [displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss]

Disclosure: I am a real user, and this review is based on my own experience and opinions.
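As an added illustration (not part of the original review and not Wireshark's own code), here is a small Python model of how filters 1, 2, 4, 5, 7, 8 and 9 above evaluate against a constructed five-packet capture. It also shows why the review uses !(ip.addr==X) rather than ip.addr!=X to exclude a host: ip.addr is tested against both the source and destination address, so the naive != form is true whenever either side differs, which is almost every packet. The Packet class, the predicates and the capture are all assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for a dissected frame (not a Wireshark type)."""
    src: str
    dst: str
    layers: frozenset          # protocol layers present, e.g. {"ip", "tcp", "http"}
    ports: tuple = ()          # (src_port, dst_port) for tcp/udp, else ()
    reset: bool = False        # TCP RST flag set
    payload: bytes = b""       # application payload, if any


def ip_addr_eq(p, addr):
    # ip.addr==X is true when EITHER ip.src or ip.dst is X
    return addr in (p.src, p.dst)

def ip_addr_ne_naive(p, addr):
    # ip.addr!=X is true when EITHER side differs from X: nearly always true
    return p.src != addr or p.dst != addr

def filter_not_host(p, addr):          # 1. !(ip.addr==X)
    return not ip_addr_eq(p, addr)

def filter_conversation(p, a, b):      # 2. ip.addr==A && ip.addr==B
    return ip_addr_eq(p, a) and ip_addr_eq(p, b)

def filter_tcp_port(p, port):          # 4. tcp.port==N (source or destination)
    return "tcp" in p.layers and port in p.ports

def filter_tcp_reset(p):               # 5. tcp.flags.reset==1
    return "tcp" in p.layers and p.reset

def filter_contains(p, proto, needle): # 7. and 9. <proto> contains <string>
    return proto in p.layers and needle in p.payload

def filter_no_noise(p):                # 8. !(arp or icmp or dns)
    return not (p.layers & {"arp", "icmp", "dns"})


# Constructed sample capture (addresses, ports and payloads are made up).
CAPTURE = [
    Packet("10.0.0.1", "10.0.0.2", frozenset({"ip", "tcp", "http"}), (51000, 80), payload=b"GET /traffic HTTP/1.1"),
    Packet("10.0.0.2", "10.0.0.1", frozenset({"ip", "tcp"}), (80, 51000), reset=True),
    Packet("10.0.0.3", "10.0.0.9", frozenset({"ip", "udp", "dns"}), (53001, 53)),
    Packet("10.0.0.3", "10.0.0.4", frozenset({"ip", "tcp"}), (4000, 40001), payload=b"hello"),
    Packet("10.0.0.5", "10.0.0.6", frozenset({"ip", "udp"}), (5060, 5060), payload=b"From: <sip:2069999999@pbx>"),
]


def select(pred, capture=CAPTURE):
    """Return the indices of packets the display filter would show."""
    return [i for i, p in enumerate(capture) if pred(p)]
```

Compare select(lambda p: filter_not_host(p, "10.0.0.1")) with select(lambda p: ip_addr_ne_naive(p, "10.0.0.1")): the first hides the two packets involving 10.0.0.1, the second hides nothing.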

1 Comment

Olawale Michael N. (Real User)

In order to be more intelligent about all the bits/frames/packets/data traversing your network, regardless of how small or large the network is, Wireshark is a network analytic tool which provides such intelligent information about a network.

Wireshark is that intelligent: not only for the production environment alone, but it also aids study of the packet fields that may exist in any type of packet header of data flowing in your network, to view what all the classes of QoS marking in a packet are, and it can also be used to sniff packets during the reconnaissance phase of a network security attack.

Wireshark provides better understanding on how the bits are set for different fields in a packet header.

It is indeed a very good tool which all network administrators need to be familiar with.

16 September 15