Wireshark is one of the most powerful tools for network analysis, troubleshooting, and security monitoring. However, even a modest capture quickly becomes overwhelming. This is where Wireshark display filters come in: expressions typed into the filter bar that hide every packet whose dissected fields do not match.
In this guide, we cover the top Wireshark display filters, from basic to advanced, to help you quickly isolate relevant network traffic. Note that these are display filters, not capture filters: capture filters use the separate BPF syntax (for example tcp port 443 rather than tcp.port == 443), and the two cannot be swapped.
Wireshark Filters by Category
To make it easier to find relevant filters, we have categorized them into sections based on their use case.
Basic Filters
Filter | Description |
---|---|
ip | Displays all IP-based traffic |
tcp | Filters only TCP packets |
udp | Filters only UDP packets |
icmp | Filters ICMP traffic (echo/ping, destination unreachable, time exceeded, etc.) |
eth.addr == XX:XX:XX:XX:XX:XX | Filters packets with a specific MAC address |
ip.addr == X.X.X.X | Shows packets involving a specific IP address |
ip.src == X.X.X.X | Displays packets originating from a specific source IP |
ip.dst == X.X.X.X | Shows packets sent to a specific destination IP |
tcp.port == XX | Filters TCP traffic on a specific port |
udp.port == XX | Filters UDP traffic on a specific port |
Security & Malware Analysis
Filter | Description |
---|---|
http contains "password" | Finds the string "password" anywhere in plaintext HTTP (nothing inside TLS is matched) |
tls.handshake.type == 1 | Shows TLS Client Hello messages, where the SNI and offered cipher suites are visible (ssl.handshake.type in releases before 3.0) |
ip.geoip.country == "China" | Filters traffic by country; requires MaxMind GeoIP databases configured under Preferences > Name Resolution |
dns.qry.name contains "malicious.com" | Finds DNS queries (and the responses that repeat the question) for a suspicious domain |
tcp.flags.reset == 1 | Shows TCP reset (RST) packets, typical of port scans and RST injection |
smb || smb2 | Filters SMB traffic; smb alone matches only SMB1, smb2 covers SMB2 and SMB3 |
frame contains "User-Agent" | Matches any frame containing that literal string; http.user_agent contains "..." is the precise form for hunting a specific unusual user-agent |
http.request.method == "POST" | Displays HTTP POST requests (useful when looking for data exfiltration over plaintext HTTP) |
Wireless & Wi-Fi Filters
Filter | Description |
---|---|
wlan | Displays all 802.11 (Wi-Fi) frames; requires a capture taken in monitor mode, otherwise only Ethernet-framed data is seen |
wlan.ssid == "WiFi_Name" | Filters frames that carry a specific SSID (beacons, probes, association requests) |
wlan.bssid == XX:XX:XX:XX:XX:XX | Filters frames belonging to a specific AP (BSSID) |
wlan.fc.type_subtype == 0x04 | Shows probe requests from clients scanning for networks |
wlan.fc.type_subtype == 0x08 | Shows only beacon frames |
wlan.tag.number == 221 | Filters frames with a vendor-specific tagged parameter (the older wlan_mgt.tag.number prefix no longer exists in current releases) |
wlan.fc.retry == 1 | Shows retransmitted frames, useful for debugging connectivity issues |
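To show where the values in this table come from, here is an added example that is not part of the original article: it builds two constructed 802.11 management frames (a beacon and a retransmitted probe request) and extracts, from the frame-control bytes and the tagged parameters, the same wlan.* fields the filters above test. The SSID "CorpWiFi", the MAC addresses and the vendor tag payload are made up; 00:50:f2 is the OUI commonly seen in WMM/WPA vendor tags.

```python
"""Added example: constructed 802.11 management frames and the wlan.* fields the filters above test."""
import struct

def mac(m): return bytes.fromhex(m.replace(":", ""))

def mgmt_frame(subtype, src, bssid, tags, fixed=b"", retry=False):
    """Management frame (type 0): 24-byte header, optional fixed part, then tagged parameters."""
    fc = (subtype << 4) | (0 << 2)             # byte 0: subtype in bits 4-7, type in bits 2-3
    flags = 0x08 if retry else 0               # byte 1: Retry is bit 3
    hdr = struct.pack("<BBH", fc, flags, 0) + mac("ff:ff:ff:ff:ff:ff") + mac(src) + mac(bssid) + b"\0\0"
    return hdr + fixed + b"".join(bytes([tid, len(val)]) + val for tid, val in tags)

def sample_wlan_frames():
    """Two made-up frames: a beacon from an AP and a (retransmitted) probe request from a client."""
    beacon_fixed = struct.pack("<QHH", 1000000, 100, 0x0411)   # timestamp, beacon interval, capabilities
    return [
        mgmt_frame(0x08, "02:00:00:aa:bb:01", "02:00:00:aa:bb:01",
                   [(0, b"CorpWiFi"), (221, bytes.fromhex("0050f2") + b"\x02\x01\x01")], beacon_fixed),
        mgmt_frame(0x04, "02:00:00:cc:dd:02", "ff:ff:ff:ff:ff:ff", [(0, b"CorpWiFi")], retry=True),
    ]

def dissect_wlan(frame):
    """Extract the fields under Wireshark's own names; tags are walked for management frames only."""
    fc, flags = frame[0], frame[1]
    f = {"wlan.fc.type": (fc >> 2) & 3, "wlan.fc.subtype": fc >> 4, "wlan.fc.retry": (flags >> 3) & 1,
         "wlan.sa": frame[10:16].hex(":"), "wlan.bssid": frame[16:22].hex(":")}
    f["wlan.fc.type_subtype"] = (f["wlan.fc.type"] << 4) | f["wlan.fc.subtype"]  # 0x08 beacon, 0x04 probe req
    if f["wlan.fc.type"] != 0:
        return f
    i = 24 + (12 if f["wlan.fc.subtype"] == 8 else 0)   # beacons carry a 12-byte fixed part before the tags
    f["wlan.tag.number"] = []
    while i + 2 <= len(frame):
        tid, val = frame[i], frame[i + 2:i + 2 + frame[i + 1]]
        f["wlan.tag.number"].append(tid)
        if tid == 0:
            f["wlan.ssid"] = val.decode()
        elif tid == 221:
            f.setdefault("wlan.tag.oui", []).append(val[:3].hex())
        i += 2 + len(val)
    return f

WLAN_FILTERS = {  # the table's display-filter expressions as predicates over the dissected fields
    "wlan.fc.type_subtype == 0x04": lambda f: f["wlan.fc.type_subtype"] == 0x04,
    "wlan.fc.type_subtype == 0x08": lambda f: f["wlan.fc.type_subtype"] == 0x08,
    'wlan.ssid == "CorpWiFi"': lambda f: f.get("wlan.ssid") == "CorpWiFi",
    "wlan.tag.number == 221": lambda f: 221 in f.get("wlan.tag.number", []),
    "wlan.fc.retry == 1": lambda f: f["wlan.fc.retry"] == 1,
}

def match_wlan(expr, frames):
    """0-based indexes of the frames the filter keeps (Wireshark numbers frames from 1)."""
    return [i for i, fr in enumerate(frames) if WLAN_FILTERS[expr](dissect_wlan(fr))]

if __name__ == "__main__":
    frames = sample_wlan_frames()
    print({expr: match_wlan(expr, frames) for expr in WLAN_FILTERS})
```

The point to take away is that wlan.fc.type_subtype is the frame type and subtype packed together from the first frame-control byte, which is why a beacon is 0x08 and a probe request 0x04, and that wlan.tag.number matches a frame if any of its tagged parameters carries that number, so a beacon with several vendor tags matches 221 once.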
VoIP & Streaming Filters
Filter | Description |
---|---|
rtp | Displays Real-time Transport Protocol (RTP) traffic |
sip | Filters Session Initiation Protocol (SIP) traffic |
rtsp | Shows Real Time Streaming Protocol (RTSP) traffic |
h323 | Filters H.323 VoIP traffic |
sdp | Displays only Session Description Protocol (SDP) messages |
mgcp | Filters Media Gateway Control Protocol traffic |
Advanced TCP Filters
Filter | Description |
---|---|
tcp.analysis.flags | Shows every packet Wireshark's TCP analysis has flagged (retransmissions, duplicate ACKs, zero window, out-of-order, etc.) |
tcp.analysis.retransmission | Detects TCP retransmissions |
tcp.analysis.lost_segment | Finds gaps where a preceding segment was not seen in the capture |
tcp.flags.syn == 1 | Shows packets with the SYN flag set (connection initiation; add && tcp.flags.ack == 0 to keep only the first SYN) |
tcp.flags.fin == 1 | Shows packets with the FIN flag set (connection termination) |
tcp.window_size < 1000 | Identifies small advertised windows after scaling is applied (a receiver that cannot keep up); tcp.window_size_value is the raw field |
tcp.options.mss_val < 500 | Detects abnormally small Maximum Segment Size (MSS) values (tcp.options.mss is the option itself, not its value) |
tcp.port == 443 | Shows traffic on TCP port 443, usually HTTPS; use tls to match TLS on any port |
DNS & DHCP Filters
Filter | Description |
---|---|
dns | Displays only DNS traffic |
dns.qry.name contains "example.com" | Filters DNS queries (and their responses) for a specific domain |
dns.flags.response == 1 | Shows only DNS responses (== 0 for queries) |
dhcp | Displays only DHCP traffic (Wireshark 3.0 and later; older releases use bootp) |
dhcp.option.dhcp == 1 | Shows only DHCP Discover messages (bootp.option.dhcp == 1 in releases before 3.0) |
dhcp.option.dhcp == 2 | Shows only DHCP Offer messages |
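As an added example that is not part of the original article, the script below serves the Basic, Security & Malware Analysis, Advanced TCP and DNS & DHCP tables together: it builds four constructed packets (a DNS query, a TCP SYN to port 443, a DHCP Discover and an HTTP POST carrying a password), writes them to sample.pcap so the same expressions can be typed into Wireshark or tshark, and re-implements in plain Python the field checks those filters perform. All addresses, MACs and the domain evil.malicious.com are made up.

```python
"""Added example: constructed packets and the field checks behind the filters in the tables above."""
import socket
import struct

def checksum(data):
    """RFC 1071 one's-complement sum, used for the IPv4 header (TCP/UDP checksums are left 0)."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    s = (s >> 16) + (s & 0xFFFF)
    return (~(s + (s >> 16))) & 0xFFFF

def mac(m): return bytes.fromhex(m.replace(":", ""))
def ether(src, dst, payload): return mac(dst) + mac(src) + b"\x08\x00" + payload  # 0x0800 = IPv4
def udp(sport, dport, payload): return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def tcp(sport, dport, flags, payload=b""):
    # 20-byte header, no options, checksum 0 (Wireshark does not validate TCP checksums by default)
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload

def dns_query(name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def dhcp_discover(client_mac):
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0xDEADBEEF, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, mac(client_mac).ljust(16, b"\0"))
    return fixed + b"\0" * 192 + b"\x63\x82\x53\x63" + bytes([53, 1, 1, 255])  # cookie, option 53 = 1, end

def sample_frames():
    """Four made-up frames: DNS query, SYN to 443, DHCP Discover, HTTP POST carrying a password."""
    c5, c7, gw = "aa:bb:cc:dd:ee:05", "aa:bb:cc:dd:ee:07", "aa:bb:cc:dd:ee:01"
    post = b"POST /login HTTP/1.1\r\nHost: app\r\n\r\nuser=a&password=hunter2"
    return [
        ether(c5, gw, ipv4("10.0.0.5", "10.0.0.1", 17, udp(50000, 53, dns_query("evil.malicious.com")))),
        ether(c5, gw, ipv4("10.0.0.5", "198.51.100.10", 6, tcp(40000, 443, 0x02))),  # 0x02 = SYN
        ether(c7, "ff:ff:ff:ff:ff:ff", ipv4("0.0.0.0", "255.255.255.255", 17, udp(68, 67, dhcp_discover(c7)))),
        ether(c7, gw, ipv4("10.0.0.7", "198.51.100.10", 6, tcp(40001, 80, 0x18, post))),  # 0x18 = PSH|ACK
    ]

def pcap_bytes(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # classic libpcap, LINKTYPE_ETHERNET
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def decode_name(data):
    labels, i = [], 0
    while data[i]:
        labels.append(data[i + 1:i + 1 + data[i]].decode())
        i += 1 + data[i]
    return ".".join(labels)

def dissect(frame):
    """Extract, under Wireshark's own field names, the handful of fields the filters below test (TCP/UDP only)."""
    f, ip = {}, frame[14:]
    if frame[12:14] != b"\x08\x00":
        return f
    f["ip.src"], f["ip.dst"] = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    f["ip.addr"] = {f["ip.src"], f["ip.dst"]}  # ip.addr matches either direction
    l4 = ip[(ip[0] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", l4[:4])
    if ip[9] == 6:
        f["tcp.port"], f["tcp.flags.syn"] = {sport, dport}, (l4[13] >> 1) & 1
        f["tcp.payload"] = l4[(l4[12] >> 4) * 4:]
    elif ip[9] == 17:
        f["udp.port"], payload = {sport, dport}, l4[8:]
        if 53 in f["udp.port"]:
            f["dns.flags.response"], f["dns.qry.name"] = payload[2] >> 7, decode_name(payload[12:])
        if f["udp.port"] & {67, 68}:
            opts, i = payload[240:], 0  # options follow the 236-byte fixed header and 4-byte cookie
            while i < len(opts) and opts[i] != 255:
                if opts[i] == 53:
                    f["dhcp.option.dhcp"] = opts[i + 2]
                i += 1 if opts[i] == 0 else 2 + opts[i + 1]
    return f

FILTERS = {  # the tables' display-filter expressions as predicates over the dissected fields
    'dns.qry.name contains "malicious.com"': lambda f: "malicious.com" in f.get("dns.qry.name", ""),
    "tcp.flags.syn == 1 && tcp.port == 443": lambda f: f.get("tcp.flags.syn") == 1 and 443 in f.get("tcp.port", ()),
    'http contains "password"': lambda f: 80 in f.get("tcp.port", ()) and b"password" in f.get("tcp.payload", b""),
    "dhcp.option.dhcp == 1": lambda f: f.get("dhcp.option.dhcp") == 1,
    "ip.addr == 10.0.0.5": lambda f: "10.0.0.5" in f.get("ip.addr", ()),
}

def apply_filter(expr, frames):
    """0-based indexes of the frames the filter keeps (Wireshark numbers frames from 1)."""
    return [i for i, fr in enumerate(frames) if FILTERS[expr](dissect(fr))]

if __name__ == "__main__":
    frames = sample_frames()
    with open("sample.pcap", "wb") as fh:  # open this in Wireshark and type the same filters
        fh.write(pcap_bytes(frames))
    print({expr: apply_filter(expr, frames) for expr in FILTERS})
```

Run it, then try for example tshark -r sample.pcap -Y 'dhcp.option.dhcp == 1' or -Y 'ip.addr == 10.0.0.5'; tshark's frame numbers are one higher than the indexes the script prints. The TCP and UDP checksums are zero, which Wireshark flags but does not treat as a reason to drop a frame from a filter result. Two things worth noticing: ip.addr (and tcp.port) match either end of the conversation, so ip.addr == X is not the same as ip.src == X, and dhcp.option.dhcp is found by walking the option list rather than at a fixed offset, which is exactly why the dissector, not the raw bytes, is what a display filter sees.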
Wireshark filters make it easier to analyze large packet captures, troubleshoot network issues, and detect security threats. Whether you’re a beginner or an experienced network professional, mastering these filters will boost your efficiency.
What’s Next?
Which Wireshark filters do you use most often? Share in the comments!
Check out our Advanced Wireshark Guide: Network Forensics & Threat Detection for more in-depth network analysis tips!