Wireshark is a popular network protocol analyzer tool that allows network analysts and troubleshooters to capture, analyze, and dissect network traffic. It is an open-source and cross-platform software that supports a wide range of network protocols and interfaces, making it a versatile tool for network analysis. With Wireshark, users can capture network packets in real-time or from a saved file, apply filters to analyze the captured traffic, and view detailed information about the protocols and data exchanged between network nodes. Wireshark provides numerous features, such as expert information, statistics, and visualization tools, to help network analysts and troubleshooters identify and resolve network issues. Its intuitive user interface, extensive filtering capabilities, and customization options make it a popular choice for network analysis and troubleshooting across industries and organizations. In this article, we will cover various aspects of Wireshark, including its features, filtering capabilities, capture modes, and keyboard shortcuts.

Whether you are a network administrator, a security professional, or just someone curious about how networks work, learning to use Wireshark is a valuable skill. This Wireshark cheat sheet will provide a solid foundation and reference for using Wireshark to monitor and analyze your network traffic.


Default Columns In a Packet Capture Output

When analyzing network traffic with a packet capture tool such as Wireshark, the output typically includes a list of columns that provide important information about each captured packet. Here are the default columns in Wireshark, along with their names and descriptions:

| Column Name | Description |
| --- | --- |
| No. | The packet number in the capture file. |
| Time | The time the packet was captured. |
| Source | The source IP address of the packet. |
| Destination | The destination IP address of the packet. |
| Protocol | The protocol used by the packet (e.g., TCP, UDP, ICMP). |
| Length | The length of the packet in bytes. |
| Info | A summary of the packet contents, such as the HTTP request method or response code. |

These columns provide essential information that can help you analyze network traffic and troubleshoot network issues. For example, the source and destination columns can help you identify where the traffic is coming from and where it’s going. The protocol column can help you determine which application or service is generating the traffic, while the length column can help you identify unusually large or small packets that may indicate a problem. Finally, the info column can help you quickly identify important packets, such as those containing HTTP requests or responses.

It’s worth noting that you can customize the columns displayed in Wireshark to suit your needs. For example, you can add columns to display additional information such as the TCP sequence number or the DNS query name. To add or remove columns, simply right-click on the column header and select “Column Preferences”. From there, you can select the columns you want to display and adjust their order and width as needed.

Logical Operators

Logical operators are used in various programming languages and tools to combine two or more conditions or expressions to form a single, more complex condition. They are frequently used in network analysis and troubleshooting tools, such as packet capture tools, to filter and search for specific packets or network traffic. Here are the three main logical operators and their descriptions:

| Operator | Name | Description |
| --- | --- | --- |
| && | AND | Evaluates to true if and only if both conditions are true. For example, in a packet capture filter, the expression ip.src == 192.168.1.1 && tcp.port == 80 would match only packets with a source IP address of 192.168.1.1 AND a TCP port (source or destination) of 80. |
| \|\| | OR | Evaluates to true if either or both conditions are true. For example, in a packet capture filter, the expression ip.src == 192.168.1.1 \|\| … |
| ! | NOT | Inverts the result of the condition. For example, in a packet capture filter, the expression !tcp.port == 80 would match packets that do NOT have a TCP port (source or destination) of 80. |

These logical operators can be combined to create more complex conditions that are used to filter and search for specific packets or network traffic. By using these operators effectively, network analysts and troubleshooters can quickly isolate and diagnose network problems.

Filtering Packets (Display Filters)

Packet filtering, also known as display filtering, is the process of selecting specific packets from captured network traffic for further analysis. Display filters in packet capture tools such as Wireshark provide a way to filter packets based on specific criteria such as protocol, IP address, port number, etc. Here are some common display filters along with their descriptions and examples:

| Filter | Operator | Description | Example |
| --- | --- | --- | --- |
| ip.addr | == | Matches packets where the IP address matches the specified value. This can be used to filter packets based on either the source or destination IP address. | ip.addr == 192.168.1.1 |
| tcp.port | == | Matches packets where the TCP port number matches the specified value. This can be used to filter packets based on either the source or destination port. | tcp.port == 80 |
| udp.port | == | Matches packets where the UDP port number matches the specified value. This can be used to filter packets based on either the source or destination port. | udp.port == 53 |
| http | | Matches packets where the protocol is HTTP. This can be used to filter HTTP traffic, which can be useful for analyzing web traffic. | http |
| dns | | Matches packets where the protocol is DNS. This can be used to filter DNS traffic, which can be useful for analyzing DNS queries and responses. | dns |
| icmp | | Matches packets where the protocol is ICMP. This can be used to filter ICMP traffic, which can be useful for analyzing ping requests and responses. | icmp |
| frame.number | <, >, <=, >= | Matches packets with a frame number less than, greater than, less than or equal to, or greater than or equal to the specified value. | frame.number < 100 |
| frame.time | <, >, <=, >= | Matches packets with a frame time less than, greater than, less than or equal to, or greater than or equal to the specified value. | frame.time >= "2023-03-10 10:00:00" |

By using these filters effectively, network analysts and troubleshooters can quickly isolate and diagnose network problems. These are just a few examples of the many display filters available in packet capture tools such as Wireshark. Understanding these filters and how to use them can greatly improve the efficiency and accuracy of network analysis and troubleshooting.

Filter Types

Packet filtering is a crucial aspect of network analysis and troubleshooting. It allows network analysts to selectively view and analyze network traffic based on specific criteria. Packet capture tools such as Wireshark provide various types of filters for packet filtering. Here are some common types of filters along with their names and descriptions:

| Filter Type | Name | Description |
| --- | --- | --- |
| Capture Filter | BPF (Berkeley Packet Filter) | A low-level filter applied to a live capture or when saving a capture file. This filter is written in BPF syntax and is used to capture only the packets of interest. |
| Display Filter | Wireshark filter | A high-level filter applied to an already captured packet capture file. This filter is written in Wireshark's display filter syntax and is used to selectively view the packets of interest. |
| Protocol Filter | Protocol filter | A filter applied to isolate packets that belong to a specific protocol or protocol family, such as IP, TCP, UDP, DNS, etc. |
| Time Filter | Time-based filter | A filter applied to isolate packets that occurred within a specific time range or at a specific time interval. |
| Endpoint Filter | Endpoint filter | A filter applied to isolate packets that belong to a specific endpoint, such as a specific IP address or MAC address. |
| Conversation Filter | Conversation filter | A filter applied to isolate packets that belong to a specific conversation between two endpoints, such as a specific IP address or port. |
| Expert Info Filter | Expert Info filter | A filter applied to isolate packets with specific expert info messages generated by Wireshark, such as warnings or errors. |

By using these filters effectively, network analysts and troubleshooters can quickly isolate and diagnose network problems. These are just a few examples of the many filter types available in packet capture tools such as Wireshark. Understanding these filters and how to use them can greatly improve the efficiency and accuracy of network analysis and troubleshooting.

Wireshark Capturing Modes

Wireshark, like many other packet capture tools, supports various capturing modes that provide different levels of access and control over the captured traffic. Here are some common Wireshark capturing modes along with their names and descriptions:

| Capturing Mode | Description |
| --- | --- |
| Promiscuous Mode | Captures all network traffic seen by the network interface card (NIC), including traffic not intended for the host machine. This mode is useful for capturing all traffic on a network segment or for analyzing switch and router behavior. |
| Non-Promiscuous Mode | Captures only traffic intended for the host machine, such as traffic addressed to its MAC address. This mode is useful for capturing traffic on a specific machine and can help reduce the amount of captured traffic. |
| Monitor Mode | Captures all wireless network traffic on a specific wireless channel. This mode is used for wireless network analysis and troubleshooting. |
| Remote Capture | Captures network traffic on a remote machine using the Wireshark Remote Packet Capture Protocol (RPCAP). This mode is useful for capturing traffic on machines that are not physically accessible or for capturing traffic on remote networks. |
| File-based Capture | Captures network traffic to a file for later analysis. This mode is useful for capturing large amounts of traffic over a longer period or for capturing traffic on systems with limited resources. |

By using these capturing modes effectively, network analysts and troubleshooters can gain better control over the captured traffic and reduce the amount of irrelevant traffic in the capture file. Understanding these modes and how to use them can greatly improve the efficiency and accuracy of network analysis and troubleshooting.

Miscellaneous

Here are some miscellaneous features and capabilities of Wireshark along with their names and descriptions:

| Feature | Description |
| --- | --- |
| Protocol Decode | Wireshark can decode and display the contents of a captured packet according to the protocol specification. This feature allows network analysts to view the details of a specific protocol and can help identify protocol-specific issues. |
| Conversation Statistics | Wireshark can display conversation statistics between two endpoints, including the number of packets, bytes, and average packet size. This feature is useful for analyzing the performance of specific connections or for identifying potential network issues. |
| Coloring Rules | Wireshark can apply color-coded highlighting to packets based on specific criteria, such as protocol or source/destination IP address. This feature allows network analysts to quickly identify relevant packets in a large capture file. |
| Follow TCP Stream | Wireshark can reconstruct the contents of a TCP stream and display it in a separate window. This feature is useful for analyzing the contents of a specific connection and can help identify application-layer issues. |
| Exporting Data | Wireshark can export captured packets to various formats, including CSV, JSON, and XML. This feature allows network analysts to manipulate the captured data in external tools or to share it with others who do not have access to Wireshark. |
| Plugins | Wireshark supports various plugins that can extend its functionality and capabilities. These plugins can be developed by third parties or by the Wireshark community and can be used to enhance specific features or to add new ones. |

By using these features and capabilities effectively, network analysts and troubleshooters can gain greater insight into network behavior and diagnose network problems more efficiently. Understanding these features and how to use them can greatly improve the efficiency and accuracy of network analysis and troubleshooting.

Capture Filter Syntax

A capture filter is a filter used to limit the amount of traffic captured by Wireshark when capturing packets in real-time. Here are some common capture filter syntax elements along with their names and descriptions:

| Syntax Element | Name | Description |
| --- | --- | --- |
| Protocol | Protocol | Filters packets based on the protocol type, such as TCP, UDP, or ICMP. |
| Source/Destination Address | Host | Filters packets based on the source or destination IP address. |
| Port Number | Port | Filters packets based on the port number, such as TCP port 80 for HTTP traffic. |
| Network Address Range | Net | Filters packets based on a range of IP addresses, such as 192.168.0.0/24 for all hosts in the 192.168.0.0 subnet. |
| Logical Operators | and, or, not | Used to combine multiple filter expressions or to negate a filter expression. |
| Expression Grouping | ( ) | Used to group multiple filter expressions to control the order of evaluation. |
| Primitive | Primitive | Specifies a basic condition to filter packets, such as src or dst for source or destination IP address, respectively. |

By using these syntax elements effectively, network analysts and troubleshooters can create capture filters that target specific traffic and reduce the amount of irrelevant traffic captured. Understanding these syntax elements and how to use them can greatly improve the efficiency and accuracy of network analysis and troubleshooting.

Display Filter Syntax

A display filter is a filter used to selectively display packets from a packet capture file. Here are some common display filter syntax elements along with their names and descriptions:

| Syntax Element | Name | Description |
| --- | --- | --- |
| Protocol | Protocol | Filters packets based on the protocol type, such as TCP, UDP, or ICMP. |
| Source/Destination Address | ip.addr | Filters packets based on the source or destination IP address. |
| Port Number | tcp.port, udp.port | Filters packets based on the port number, such as tcp.port == 80 for HTTP traffic. |
| Network Address Range | ip.src, ip.dst, net | Filters packets based on a range of IP addresses, such as ip.src == 192.168.0.0/24 for all packets with a source IP address in the 192.168.0.0 subnet. |
| Time | frame.time | Filters packets based on the time of capture, such as frame.time > "2022-01-01 00:00:00" to display packets captured after a specific date and time. |
| Logical Operators | and, or, not | Used to combine multiple filter expressions or to negate a filter expression. |
| Expression Grouping | ( ) | Used to group multiple filter expressions to control the order of evaluation. |
| Field Comparison | ==, !=, <, > | Used to compare fields within a packet, such as tcp.len > 100 to display packets with a TCP payload length greater than 100 bytes. |

By using these syntax elements effectively, network analysts and troubleshooters can create display filters that selectively display packets and highlight relevant information. Understanding these syntax elements and how to use them can greatly improve the efficiency and accuracy of network analysis and troubleshooting.

Keyboard Shortcuts – Main Display Window

Here are some common keyboard shortcuts for the main display window in Wireshark:

| Shortcut | Description |
| --- | --- |
| Ctrl + E | Expand all packets |
| Ctrl + F | Open the display filter dialog |
| Ctrl + G | Find the next packet matching the current display filter |
| Ctrl + L | Open the capture filter dialog |
| Ctrl + R | Apply or reapply the current display filter |
| Ctrl + Shift + R | Clear the current display filter |
| Ctrl + Shift + T | Toggle the time display format between absolute and relative |
| Ctrl + Shift + X | Exit Wireshark |
| Ctrl + + | Increase the font size |
| Ctrl + - | Decrease the font size |
| Ctrl + 1-9 | Toggle the display of specific packet details columns |
| Tab | Switch focus between the packet list and packet details panes |
| Shift + Tab | Switch focus in reverse order |
| Enter | Expand or collapse a packet in the packet list |
| Spacebar | Start or stop packet capture |
| F1 | Open the Wireshark help documentation |
| F3 | Find the next occurrence of a search term in the packet details pane |
| F11 | Toggle full-screen mode |

By using these keyboard shortcuts, network analysts and troubleshooters can navigate through packets, filter traffic, and customize the display quickly and efficiently.

Protocols – Values

ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp

Common Filtering Commands

| Usage | Filter syntax |
| --- | --- |
| Wireshark filter by IP | ip.addr == 10.10.50.1 |
| Filter by destination IP | ip.dst == 10.10.50.1 |
| Filter by source IP | ip.src == 10.10.50.1 |
| Filter by IP range | ip.addr >= 10.10.50.1 and ip.addr <= 10.10.50.100 |
| Filter by multiple IPs | ip.addr == 10.10.50.1 and ip.addr == 10.10.50.100 |
| Filter out IP address | !(ip.addr == 10.10.50.1) |
| Filter subnet | ip.addr == 10.10.50.1/24 |
| Filter by port | tcp.port == 25 |
| Filter by destination port | tcp.dstport == 23 |
| Filter by IP address and port | ip.addr == 10.10.50.1 and tcp.port == 25 |
| Filter by URL | http.host == "host name" |
| Filter by time stamp | frame.time >= "June 02, 2019 18:04:00" |
| Filter SYN flag | tcp.flags.syn == 1 and tcp.flags.ack == 0 |
| Wireshark beacon filter | wlan.fc.type_subtype == 0x08 |
| Wireshark broadcast filter | eth.dst == ff:ff:ff:ff:ff:ff |
| Wireshark multicast filter | (eth.dst[0] & 1) |
| Host name filter | ip.host == "hostname" |
| MAC address filter | eth.addr == 00:70:f4:23:18:c4 |
| RST flag filter | tcp.flags.reset == 1 |
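The display-filter rules described in the Logical Operators and Filtering Packets sections, and applied in the Common Filtering Commands table above, are easiest to understand by running them against a few packets. The script below is an added example written for this cheat sheet; it is not Wireshark code and does not read real captures. It implements a small subset of the display filter grammar (field comparisons with ==, !=, <, >, <=, >=; subnet literals such as 10.10.50.0/24; bare protocol names; !/not, &&/and, ||/or; parentheses) over a constructed list of dissected packets, and it reproduces the rule that convenience fields such as ip.addr and tcp.port match when either of their underlying fields (ip.src/ip.dst, tcp.srcport/tcp.dstport) does. The packet list and the legacy_ne switch are the example's own assumptions: the switch models how != behaved before Wireshark 3.6, when ip.addr != 10.10.50.1 was true if either address differed and so matched almost every packet, which is why the table above excludes a host with !(ip.addr == 10.10.50.1).

```python
"""Toy evaluator for a subset of Wireshark display-filter syntax (added example, not Wireshark code)."""
from collections import deque
import ipaddress
import operator
import re

# Constructed sample "packets": dicts of dissected fields, not a real capture.
PACKETS = [
    {"frame.number": 1, "ip.src": "10.10.50.1", "ip.dst": "93.184.216.34",
     "tcp.srcport": 52100, "tcp.dstport": 80, "http": True, "http.host": "www.example.com"},
    {"frame.number": 2, "ip.src": "93.184.216.34", "ip.dst": "10.10.50.1",
     "tcp.srcport": 80, "tcp.dstport": 52100, "http": True},
    {"frame.number": 3, "ip.src": "10.10.50.7", "ip.dst": "10.10.50.53",
     "udp.srcport": 40000, "udp.dstport": 53, "dns": True},
    {"frame.number": 4, "ip.src": "10.10.50.1", "ip.dst": "10.10.60.9",
     "tcp.srcport": 44000, "tcp.dstport": 22, "tcp.flags.syn": 1, "tcp.flags.ack": 0},
]
# Convenience fields that Wireshark expands to several underlying fields.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge}
WORDS = {"and": "&&", "or": "||", "not": "!"}        # keyword spellings of the operators
TOKEN_RE = re.compile(r'\(|\)|&&|\|\||!=|==|<=|>=|<|>|!|"[^"]*"|[A-Za-z0-9_.:/]+')

def tokenize(expr):
    """Split a filter string into tokens; 'and'/'or'/'not' become &&, ||, !."""
    leftover = TOKEN_RE.sub("", expr).strip()
    if leftover:
        raise ValueError(f"unexpected characters in filter: {leftover!r}")
    return deque(WORDS.get(t, t) for t in TOKEN_RE.findall(expr))

# Recursive descent with Wireshark precedence: || < && < ! < comparison.
def parse_or(toks):
    node = parse_and(toks)
    while toks and toks[0] == "||":
        toks.popleft()
        node = ("or", node, parse_and(toks))
    return node

def parse_and(toks):
    node = parse_not(toks)
    while toks and toks[0] == "&&":
        toks.popleft()
        node = ("and", node, parse_not(toks))
    return node

def parse_not(toks):
    if toks and toks[0] == "!":                      # '!' negates the whole following comparison
        toks.popleft()
        return ("not", parse_not(toks))
    return parse_atom(toks)

def parse_atom(toks):
    tok = toks.popleft()
    if tok == "(":
        node = parse_or(toks)
        if not toks or toks.popleft() != ")":
            raise ValueError("missing ')'")
        return node
    if toks and toks[0] in OPS:                      # field <op> literal
        return ("cmp", tok, toks.popleft(), toks.popleft().strip('"'))
    return ("has", tok)                              # bare name: protocol or field is present

def matches(actual, op, wanted):
    """Compare one dissected value against the filter literal."""
    if not isinstance(actual, str):
        return OPS[op](actual, int(wanted, 0))       # numeric field; decimal or 0x.. literal
    try:
        addr = ipaddress.ip_address(actual)
    except ValueError:                               # plain string field such as http.host
        return OPS[op](actual, wanted)
    if "/" in wanted:                                # subnet literal such as 10.10.50.0/24
        inside = addr in ipaddress.ip_network(wanted, strict=False)
        return inside if op == "==" else not inside
    return OPS[op](addr, ipaddress.ip_address(wanted))

def evaluate(node, pkt, legacy_ne=False):
    kind, args = node[0], node[1:]
    if kind == "or":
        return any(evaluate(n, pkt, legacy_ne) for n in args)
    if kind == "and":
        return all(evaluate(n, pkt, legacy_ne) for n in args)
    if kind == "not":
        return not evaluate(args[0], pkt, legacy_ne)
    if kind == "has":
        return any(n in pkt for n in ALIASES.get(args[0], args))
    field, op, wanted = args
    values = [pkt[n] for n in ALIASES.get(field, (field,)) if n in pkt]
    if op == "!=" and not legacy_ne:
        # Wireshark 3.6+: "a != b" means "!(a == b)", so EVERY occurrence must differ
        return not any(matches(v, "==", wanted) for v in values)
    return any(matches(v, op, wanted) for v in values)  # ANY occurrence (and pre-3.6 "!=")

def apply_filter(expr, packets=PACKETS, legacy_ne=False):
    """Return the frame numbers that the display filter keeps, in capture order."""
    tree = parse_or(tokenize(expr))
    return [p["frame.number"] for p in packets if evaluate(tree, p, legacy_ne)]
```

With these packets, apply_filter("ip.addr == 10.10.50.1") returns frames 1, 2 and 4, apply_filter("!(ip.addr == 10.10.50.1)") returns only frame 3, and apply_filter("ip.addr != 10.10.50.1", legacy_ne=True) returns all four frames, which is the trap the negated form in the table avoids. Note also that !tcp.port == 80 keeps frame 3, which carries no TCP port at all (a negated comparison is true for packets lacking the field), and that ip.addr >= a and ip.addr <= b can be satisfied by two different addresses of the same packet, since each comparison independently matches either endpoint.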

Main Toolbar Items

(Screenshot: main toolbar items)

| Toolbar Item | Menu Item | Description |
| --- | --- | --- |
| Start | Capture → Start | Uses the same packet capturing options as the previous session, or uses defaults if no options were set |
| Stop | Capture → Stop | Stops currently active capture |
| Restart | Capture → Restart | Restarts active capture session |
| Options… | Capture → Options… | Opens "Capture Options" dialog box |
| Open… | File → Open… | Opens "File open" dialog box to load a capture for viewing |
| Save As… | File → Save As… | Save current capture file |
| Close | File → Close | Close current capture file |
| Reload | View → Reload | Reloads current capture file |
| Find Packet… | Edit → Find Packet… | Find packet based on different criteria |
| Go Back | Go → Go Back | Jump back in the packet history |
| Go Forward | Go → Go Forward | Jump forward in the packet history |
| Go to Packet… | Go → Go to Packet… | Go to specific packet |
| Go To First Packet | Go → First Packet | Jump to first packet of the capture file |
| Go To Last Packet | Go → Last Packet | Jump to last packet of the capture file |
| Auto Scroll in Live Capture | View → Auto Scroll in Live Capture | Auto scroll packet list during live capture |
| Colorize | View → Colorize | Colorize the packet list (or not) |
| Zoom In | View → Zoom In | Zoom into the packet data (increase the font size) |
| Zoom Out | View → Zoom Out | Zoom out of the packet data (decrease the font size) |
| Normal Size | View → Normal Size | Set zoom level back to 100% |
| Resize Columns | View → Resize Columns | Resize columns so the content fits the width |

Others

Here is a summary of some of the other important features of Wireshark that we have not covered yet:

| Feature | Description |
| --- | --- |
| Expert info | Wireshark's expert system provides information on various issues and anomalies within captured traffic, such as retransmissions, duplicate packets, and protocol errors. |
| Statistics | Wireshark provides various statistics and graphs for captured traffic, such as protocol hierarchy, conversation statistics, and packet length distribution. |
| Customization | Wireshark offers a high degree of customization, including the ability to create custom columns, protocols, and dissector plugins. |
| Exporting | Wireshark can export captured traffic to various formats, such as plain text, CSV, XML, and pcapng. |
| Command-line interface | Wireshark can be used through its command-line interface, tshark, which provides similar functionality as the GUI but with greater automation and scripting capabilities. |

By utilizing these features, network analysts and troubleshooters can gain deeper insights into network traffic and more effectively troubleshoot issues.

FAQ

  • What is Wireshark used for?

Wireshark is a network protocol analyzer tool used for capturing and analyzing network traffic in real-time or from a saved file.

  • How do I use Wireshark?

You can use Wireshark by selecting the appropriate network interface, starting the capture, and applying filters to analyze the captured traffic. Wireshark also provides various statistics, expert information, and visualization tools to help with analysis.

  • What are display filters in Wireshark?

Display filters are used to filter specific packets from the captured traffic to view only the relevant data. Display filters can be based on a variety of criteria such as IP addresses, protocol types, port numbers, etc.

  • What are capture filters in Wireshark?

Capture filters are used to capture only the relevant network traffic based on specific criteria like IP addresses, port numbers, protocol types, etc.

  • How do I export captured packets in Wireshark?

You can export captured packets in Wireshark by selecting the packets you want to export and using the “Export Packet Dissections” or “Export Specified Packets” options under the “File” menu. You can then select the desired export format, such as plain text, CSV, XML, or pcapng.

  • Can Wireshark capture wireless traffic?

Yes, Wireshark can capture wireless traffic using a wireless network adapter in monitor mode.

  • What is the difference between a display filter and a capture filter in Wireshark?

A display filter is used to filter packets that have already been captured and are displayed in the Wireshark GUI. A capture filter, on the other hand, is used to filter packets during the capture process and only captures the relevant network traffic.

Conclusion

Wireshark is a powerful and widely used network protocol analyzer tool that allows network analysts and troubleshooters to capture, analyze, and dissect network traffic. With its intuitive user interface, extensive filter options, and advanced features like expert info and statistics, Wireshark provides deep insights into network traffic and enables faster and more effective troubleshooting of network issues. Additionally, Wireshark’s customization options, such as custom columns and plugins, make it a flexible tool that can be tailored to specific needs. Overall, Wireshark is an essential tool for anyone involved in network analysis and troubleshooting.
