My Favorite Wireshark Filters
Wireshark is hands down one of the best analysis tools on the planet. It is intuitive, simple to use, and gives the depth needed to find problems in today's network and application environments. Sometimes it can be tough to remember some of the filtering commands though, so here is a list of some of my favorites:

1. !(ip.addr==10.0.0.1) [displays everything except IP traffic to or from 10.0.0.1. Note that ip.addr!=10.0.0.1 is not the same thing: because ip.addr matches either the source or the destination, that form still shows nearly every packet]
2. ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP addresses, in both directions]
3. http or dns [sets a filter to display all HTTP and DNS]
4. tcp.port==4000 [sets a filter for any TCP packet with 4000 as a source or destination port]
5. tcp.flags.reset==1 [displays all TCP resets]
6. http.request [displays all HTTP requests, not only GETs; use http.request.method=="GET" to limit it to GET requests]
7. tcp contains "traffic" [displays all TCP packets whose bytes contain the string 'traffic'. Excellent when searching on a specific string or user ID]
8. !(arp or icmp or dns) [masks out ARP, ICMP, DNS, or whatever other protocols may be background noise, allowing you to focus on the traffic of interest]
9. udp contains "2069999999" [sets a filter for the number string, great when trying to locate a specific caller ID in a VoIP capture]
10. tcp.analysis.retransmission [displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss]
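The reason filter 1 is written with !( ) rather than != is that Wireshark evaluates "field == value" as "any occurrence of the field in the packet equals value", and ip.addr occurs twice per IP packet (source and destination). The following Python is an added example, not part of the review and not Wireshark's own code: it models that evaluation rule over a handful of constructed packet summaries and re-implements the filters above as functions, so the difference between !(ip.addr==X) and ip.addr!=X, and between http.request and http.request.method=="GET", can be checked directly. The Packet fields and the sample packets are assumptions made for the example.

```python
"""Model of Wireshark display-filter semantics over constructed packet records.

Added example: not from the original review and not Wireshark's own code.
Wireshark evaluates `field op value` as "ANY instance of the field in the
frame satisfies op"; ip.addr has two instances (source and destination).
"""
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed stand-in for a decoded frame (fields are assumptions)."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "arp", "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # e.g. {"reset"}
    app: str = ""                   # "http", "dns", "sip" or ""
    method: str = ""                # HTTP request method, if the frame is a request
    payload: bytes = b""            # transport-layer payload bytes


def ip_addr(p):
    """Every instance of ip.addr in the frame; ARP frames have none."""
    return [] if p.proto == "arp" else [p.src, p.dst]


def tcp_port(p):
    """Every instance of tcp.port in the frame."""
    return [p.sport, p.dport] if p.proto == "tcp" else []


# Wireshark comparison rule: true if ANY instance of the field passes the test.
def any_eq(values, v):
    return any(x == v for x in values)


def any_ne(values, v):
    return any(x != v for x in values)


def not_addr(p, a):          # !(ip.addr == a): neither address is a
    return not any_eq(ip_addr(p), a)


def addr_ne(p, a):           # ip.addr != a: the pitfall, true if EITHER address differs
    return any_ne(ip_addr(p), a)


def conversation(p, a, b):   # ip.addr == a && ip.addr == b
    return any_eq(ip_addr(p), a) and any_eq(ip_addr(p), b)


def tcp_port_is(p, port):    # tcp.port == port (source or destination)
    return any_eq(tcp_port(p), port)


def tcp_reset(p):            # tcp.flags.reset == 1
    return p.proto == "tcp" and "reset" in p.flags


def http_request(p):         # http.request: ANY request method
    return p.app == "http" and p.method != ""


def http_get(p):             # http.request.method == "GET"
    return p.app == "http" and p.method == "GET"


def contains(p, needle: bytes, proto):   # tcp contains "..." / udp contains "..."
    return p.proto == proto and needle in p.payload


def noise_free(p):           # !(arp or icmp or dns)
    return p.proto not in ("arp", "icmp") and p.app != "dns"


def apply(filt, packets):
    """Return the indices of packets a filter would leave on screen."""
    return [i for i, p in enumerate(packets) if filt(p)]


# Constructed sample capture: seven frames, nothing real.
PACKETS = [
    Packet("10.0.0.1", "10.0.0.2", "tcp", 51000, 80, app="http", method="GET",
           payload=b"GET /traffic HTTP/1.1\r\n"),
    Packet("10.0.0.2", "10.0.0.1", "tcp", 80, 51000, app="http",
           payload=b"HTTP/1.1 200 OK\r\n"),
    Packet("10.0.0.3", "10.0.0.9", "tcp", 4000, 443, flags=frozenset({"reset"})),
    Packet("10.0.0.3", "8.8.8.8", "udp", 53555, 53, app="dns", payload=b"\x12\x34"),
    Packet("10.0.0.5", "10.0.0.6", "udp", 5060, 5060, app="sip",
           payload=b"INVITE sip:2069999999@pbx SIP/2.0\r\n"),
    Packet("", "", "arp"),
    Packet("10.0.0.1", "10.0.0.7", "tcp", 51001, 8080, app="http", method="POST",
           payload=b"POST /api HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    print("!(ip.addr==10.0.0.1) ->", apply(lambda p: not_addr(p, "10.0.0.1"), PACKETS))
    print("ip.addr!=10.0.0.1    ->", apply(lambda p: addr_ne(p, "10.0.0.1"), PACKETS))
    print("http.request         ->", apply(http_request, PACKETS))
    print('http.request.method=="GET" ->', apply(http_get, PACKETS))
```

Frames 0, 1 and 6 involve 10.0.0.1, so !(ip.addr==10.0.0.1) drops exactly those three; ip.addr!=10.0.0.1 keeps them, because each has one address that is not 10.0.0.1, and drops only the ARP frame, which has no ip.addr at all. The same "any instance" rule is why tcp.port==4000 and the conversation filter work in both directions.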
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Nov 18 2013