Top N Wireshark Filters

Wireshark is a powerful network analysis tool designed for network professionals. It offers advanced filtering capabilities that allow users to focus on specific areas of interest, making it easier to identify potential issues. The main advantage of these filters is their ability to eliminate irrelevant traffic, helping you concentrate on the data that matters most.

Filter by IP Address

ip.addr == xxx.xxx.xxx.xxx

Sets a filter for any packet that has xxx.xxx.xxx.xxx as the source or destination IP address. This is very useful if, let's say, you want to analyze the traffic of one specific host: applying this filter shows every packet that involves that IP address, in either direction. You can also use ip.dst == xxx.xxx.xxx.xxx to filter only by destination, or ip.src == xxx.xxx.xxx.xxx to filter only by source. Finally, to analyze conversations between hosts, use ip.addr == xxx.xxx.xxx.xxx and ip.addr == yyy.yyy.yyy.yyy to see only the traffic between these two IP addresses.

Port-Based Filters

tcp.port == xxx or udp.port == yyy

Sets a filter for any TCP or UDP packet with a specific source or destination port. Sometimes it is simply more useful and less time consuming to look only at the traffic that goes into or out of a specific port.

Filter by MAC Address

eth.addr == xx:xx:xx:xx:xx:xx

For Ethernet-specific filtering, use it to focus on packets involving a particular MAC address.

HTTP GET Requests

http.request.method == "GET"

This one shows all HTTP GET requests. To filter for another request method, replace GET with the appropriate method, such as PUT, POST, DELETE, HEAD, OPTIONS, CONNECT or TRACE.

Filter Website URL

http.host == "krasoff.com"

This expression requires you to put the full host name: leaving off the www means no packets for www.krasoff.com are displayed. My preference is to use http.host contains "krasoff" so that all results containing krasoff are returned.

Broadcast Filter

eth.dst == ff:ff:ff:ff:ff:ff

Wireshark Multicast Filter

(eth.dst[0] & 1)

This will show both multicast and broadcast frames, because the filter tests the low bit of the first destination MAC byte, which is set for every group address. Since broadcast is a type of multicast, that is a valid result. If you want multicast without the broadcast traffic, use (eth.dst[0] & 1) && !(eth.dst == ff:ff:ff:ff:ff:ff).
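To make the IP, port, broadcast and multicast filters above concrete, here is an added example (not code from the original article or from Wireshark) that decodes constructed Ethernet/IPv4 frames and evaluates those filters the way Wireshark's packet list would; the frame builder, sample addresses and helper names are assumptions made for the demonstration.

```python
import struct
from ipaddress import ip_address

def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II + IPv4 + TCP/UDP headers into the field names the filters use."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    f = {"eth.dst": dst, "eth.src": src}
    if ethertype != 0x0800:          # only IPv4 is decoded in this example
        return f
    ihl = (frame[14] & 0x0F) * 4     # IP header length in bytes
    proto = frame[23]                # IPv4 protocol number (6 = TCP, 17 = UDP)
    f["ip.src"] = str(ip_address(frame[26:30]))
    f["ip.dst"] = str(ip_address(frame[30:34]))
    if proto in (6, 17):
        l4 = 14 + ihl
        key = "tcp" if proto == 6 else "udp"
        f[key + ".srcport"], f[key + ".dstport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return f

# Each predicate mirrors one display filter from the article.
def ip_addr_is(f, addr):      # ip.addr == addr  (matches source OR destination)
    return addr in (f.get("ip.src"), f.get("ip.dst"))

def port_is(f, proto, port):  # tcp.port == port / udp.port == port
    return port in (f.get(proto + ".srcport"), f.get(proto + ".dstport"))

def is_group(f):              # (eth.dst[0] & 1): I/G bit set, i.e. multicast or broadcast
    return bool(f["eth.dst"][0] & 1)
def is_broadcast(f):          # eth.dst == ff:ff:ff:ff:ff:ff
    return f["eth.dst"] == b"\xff" * 6
def is_multicast_only(f):     # (eth.dst[0] & 1) && !(eth.dst == ff:ff:ff:ff:ff:ff)
    return is_group(f) and not is_broadcast(f)

def build_frame(dst_mac, src_ip, dst_ip, proto, sport, dport):
    """Construct a minimal frame (checksums left zero; constructed sample data, not a capture)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex("0242ac110002") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4

# Constructed sample traffic: an HTTP request, an mDNS query and a DHCP discover.
FRAMES = {
    "http": build_frame("02:42:ac:11:00:03", "10.0.0.5", "203.0.113.10", 6, 51000, 80),
    "mdns": build_frame("01:00:5e:00:00:fb", "10.0.0.5", "224.0.0.251", 17, 5353, 5353),
    "dhcp": build_frame("ff:ff:ff:ff:ff:ff", "0.0.0.0", "255.255.255.255", 17, 68, 67),
}

def apply_filter(pred, *args):
    """Return the names of sample frames that pass the filter, like Wireshark's packet list."""
    return [name for name, raw in FRAMES.items() if pred(parse_frame(raw), *args)]
```

Running apply_filter(is_group) returns both the mDNS and the DHCP frame, while apply_filter(is_multicast_only) drops the broadcast DHCP frame, which is exactly the difference between the two multicast filters above.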

Protocol-Specific Filters

http or dns

For fine-grained analysis, use protocol-specific filters. This one displays all HTTP and DNS packets, letting you narrow the view down to exactly the protocols you need.

Arp Filter

arp

Simply enter arp in the display filter string field.

Dhcp Filter

bootp

Since DHCP is implemented as an extension of BOOTP, older Wireshark releases filter it with bootp. Since Wireshark 3.0 the dissector is named dhcp, so on current versions use the display filter dhcp instead.

LDAP Filter

ldap

You could also filter on port 389 (tcp.port == 389), since that is the most common LDAP port.

All rules can be combined:

and, && — logical "AND"
or, || — logical "OR"
xor, ^^ — logical "Exclusive OR"
not, ! — inversion, logical "NOT"