Wireshark Reference

Free reference guide: Wireshark Reference

About Wireshark Reference

The Wireshark Filter Reference is a searchable quick-reference covering the filters and commands most commonly used in Wireshark, the industry-standard network protocol analyzer. The reference is organized into six categories: Capture Filters (BPF syntax for host, net, port, protocol, MAC address, and exclusion filters applied before packets are captured), Display Filters (Wireshark-specific syntax for filtering already-captured packets by ip.addr, tcp.port, HTTP methods, TCP flags, frame size, DNS queries, retransmissions, and response codes), Protocols (tcp, udp, http, tls, dns, arp filters), Statistics (Conversations, Protocol Hierarchy, Endpoints, IO Graphs, Flow Graph), Export (HTTP object extraction, packet dissection export, TCP/UDP stream following, filtered packet saving), and tshark (command-line interface for capturing, reading, filtering, field extraction, and statistics).

Wireshark is essential for network troubleshooting, security analysis, and protocol development. Network engineers use capture filters to reduce the volume of traffic saved to disk during long captures, while display filters enable focused analysis of specific conversations, protocols, or error conditions after capture. Security analysts rely on display filters to isolate suspicious DNS queries, detect TCP retransmissions indicating network problems, filter HTTP error responses, and follow complete TCP streams to reconstruct application-layer conversations. The statistics features provide high-level views of traffic patterns, top talkers, and protocol distribution.

This reference also covers tshark, the command-line version of Wireshark, which is essential for headless servers, automated scripting, and processing large capture files. Tshark commands for interface capture (-i), file reading (-r), display filter application (-Y), capture filter application (-f), field extraction (-T fields -e), file writing (-w), and statistics generation (-z) are all included with practical examples. All content runs client-side in your browser with instant search, category filtering, and dark mode support.

Key Features

  • Capture filter reference with BPF syntax: host, net, port, src/dst, protocol, MAC address, and NOT exclusion filters
  • Display filter reference: ip.addr, tcp.port, HTTP methods, TCP flags (SYN/ACK), frame.len, dns.qry.name, retransmissions, response codes
  • Protocol-specific filters for TCP, UDP, HTTP, TLS/SSL, DNS, and ARP with combined filter expressions
  • Statistics menu reference: Conversations, Protocol Hierarchy, Endpoints, IO Graphs, and Flow Graph for traffic analysis
  • Export operations: HTTP object extraction, packet dissection to CSV/JSON/XML, TCP/UDP stream following, filtered packet saving
  • Complete tshark CLI reference: capture (-i), read (-r), display filter (-Y), capture filter (-f), field extraction (-T fields -e), and statistics (-z)
  • Practical examples showing filter combinations for real-world network analysis scenarios
  • Instant search and category filtering across all Wireshark commands with no server processing

Frequently Asked Questions

What is the difference between capture filters and display filters in Wireshark?

Capture filters use BPF (Berkeley Packet Filter) syntax and are applied before packets are captured, reducing the volume of data saved to disk. Examples: host 192.168.1.1, port 80, tcp. Display filters use Wireshark-specific syntax and are applied to already-captured packets for analysis. Examples: ip.addr == 192.168.1.100, tcp.port == 8080, http.request.method == "GET". Capture filters cannot be changed after capture starts, while display filters can be modified at any time during analysis.

How do I filter TCP retransmissions in Wireshark?

Use the display filter tcp.analysis.retransmission to show all TCP packets that Wireshark has identified as retransmissions. This is essential for diagnosing network performance issues. You can combine it with other filters, such as tcp.analysis.retransmission && ip.addr == 10.0.0.1, to see retransmissions for a specific host. Wireshark performs TCP stream analysis automatically and marks retransmitted segments based on sequence number tracking.

How do I follow a TCP stream in Wireshark?

Right-click on any packet that belongs to the TCP connection you want to investigate, then select Follow > TCP Stream. Wireshark will apply a display filter to show only the packets in that conversation and open a window displaying the complete reassembled TCP data. Client data appears in one color and server data in another. This is extremely useful for reconstructing HTTP conversations, examining protocol exchanges, and investigating data exfiltration.

What tshark commands are covered in this reference?

The reference covers the most essential tshark commands: tshark -i for live capture from a network interface, tshark -r for reading pcap files, tshark -Y for applying display filters, tshark -f for capture filters, tshark -T fields -e for extracting specific protocol fields (like ip.src, ip.dst, tcp.port), tshark -w for writing capture output to a file, and tshark -z for generating statistics like conversation summaries and IO statistics.

How do I filter DNS queries for a specific domain?

Use the display filter dns.qry.name contains "example.com" to show all DNS queries containing that domain name. For exact matches, use dns.qry.name == "example.com". To see only DNS responses (not queries), combine with dns.flags.response == 1. To see failed lookups, filter for dns.flags.rcode != 0. These filters are valuable for security analysis to detect DNS tunneling, domain generation algorithms (DGA), or connections to known malicious domains.
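The DNS filters above and the tshark field extraction (-T fields -e) described in the earlier answer can be combined into a small offline triage script. The following is an added example, not code from the reference: it assumes the tab-separated rows were produced by the tshark command quoted in its comments, and the sample rows, client addresses, hostnames and thresholds are constructed for illustration.

```python
import math
from collections import Counter

# Constructed tshark field output (tab separated); not taken from a real capture.
# Assumed to come from (responses only, so ip.dst is the client that asked):
#   tshark -r capture.pcap -Y "dns.flags.response == 1" \
#          -T fields -e ip.dst -e dns.qry.name -e dns.flags.rcode -E separator=/t
SAMPLE = """\
10.0.0.5\twww.example.com\t0
10.0.0.5\tmail.example.com\t0
10.0.0.7\tqx7f3k2lz9v1.example.net\t3
10.0.0.7\tm2p8w4rt0ya6.example.net\t3
10.0.0.7\tb9c1d4e7f2a5.example.net\t3
10.0.0.7\tk3j6h9g2f5d8.example.net\t3
10.0.0.9\t4d6a9c2e1b7f3a5c8e0d2b4f6a8c1e3d5b7f9a2c4e6d8b0f2a4c6e8.tunnel.example.org\t0
10.0.0.9\twww.example.com\t0
"""

def parse_tshark_fields(text):
    """Parse tab-separated rows; rows with an empty field (no DNS question, no IP layer) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3 and all(parts):
            rows.append((parts[0], parts[1].lower().rstrip("."), int(parts[2])))
    return rows

def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def analyse_dns(rows, nxdomain_threshold=3, long_label=40, min_len=12, min_entropy=3.5):
    """Flag clients with repeated failed lookups (DGA-like) and names whose first label is long or high-entropy (tunneling-like)."""
    failures = Counter()
    suspicious = []
    for client, qname, rcode in rows:
        if rcode != 0:          # dns.flags.rcode: 0 = NOERROR, 3 = NXDOMAIN, anything else is also a failure
            failures[client] += 1
        first = qname.split(".")[0]
        if len(first) >= long_label or (len(first) >= min_len and label_entropy(first) >= min_entropy):
            suspicious.append((client, qname))
    return {
        "dga_clients": sorted(c for c, n in failures.items() if n >= nxdomain_threshold),
        "suspicious_queries": suspicious,
    }
```

The thresholds are starting points to tune against a baseline of the monitored network; CDN and anti-spam hostnames routinely produce long or random-looking labels.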

How do I extract files transferred over HTTP?

Go to File > Export Objects > HTTP. Wireshark will display a list of all files transferred via HTTP in the capture, including their filenames, hostnames, content types, and sizes. You can save individual files or all files at once. This feature works because Wireshark reassembles TCP streams and parses HTTP content. For HTTPS traffic, you need the TLS session keys to decrypt the traffic first, which can be configured via the TLS protocol preferences.

Can I combine multiple display filters?

Yes. Use && (AND) to require multiple conditions: ip.addr == 192.168.1.1 && tcp.port == 80 shows traffic matching both conditions. Use || (OR) for alternatives: http.response.code == 404 || http.response.code == 500. Use ! or !(expression) for negation: !(ip.addr == 192.168.1.1) excludes a specific IP. Parentheses control precedence: (tcp.port == 80 || tcp.port == 443) && ip.src == 10.0.0.1.
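To make the precedence rules concrete, here is an added toy evaluator (not code from the reference, and no substitute for Wireshark's filter engine) that applies the expressions from this answer to constructed packet records. It models only ==, !=, !, &&, || and parentheses, with ip.addr and tcp.port matching either direction as they do in Wireshark; the packet records are made up for illustration.

```python
import re

# Constructed packet summaries (not from a real capture), keyed by Wireshark field names.
PACKETS = [
    {"ip.src": "10.0.0.1", "ip.dst": "93.184.216.34", "tcp.srcport": "51000", "tcp.dstport": "443"},
    {"ip.src": "10.0.0.1", "ip.dst": "192.168.1.1", "tcp.srcport": "51001", "tcp.dstport": "80"},
    {"ip.src": "10.0.0.2", "ip.dst": "192.168.1.1", "tcp.srcport": "51002", "tcp.dstport": "80"},
    {"ip.src": "10.0.0.1", "ip.dst": "192.168.1.1", "tcp.srcport": "51003", "tcp.dstport": "22"},
]
# Combined fields: ip.addr matches either address, tcp.port matches either port.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}
TOKEN = re.compile(r'\s*(&&|\|\||!=|==|[()!]|"[^"]*"|[\w.]+)')
def tokenize(expr):
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m: raise ValueError(f"cannot parse filter near {expr[pos:]!r}")
        tokens.append(m.group(1)); pos = m.end()
    return tokens
class Filter:
    """Recursive-descent evaluator with Wireshark precedence: ! binds tighter than &&, && tighter than ||."""
    def __init__(self, expr, pkt): self.toks, self.i, self.pkt = tokenize(expr), 0, pkt
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self): self.i += 1; return self.toks[self.i - 1]
    def match(self):
        v = self.or_expr()
        if self.peek() is not None: raise ValueError(f"unexpected token {self.peek()!r}")
        return v
    def or_expr(self):
        v = self.and_expr()
        while self.peek() == "||": self.take(); v = self.and_expr() or v
        return v
    def and_expr(self):
        v = self.not_expr()
        while self.peek() == "&&": self.take(); v = self.not_expr() and v
        return v
    def not_expr(self):
        if self.peek() == "!":
            self.take(); return not self.not_expr()
        if self.peek() == "(":
            self.take(); v = self.or_expr()
            if self.take() != ")": raise ValueError("missing ')'")
            return v
        field, op, value = self.take(), self.take(), self.take().strip('"')
        present = [self.pkt[f] for f in ALIASES.get(field, (field,)) if f in self.pkt]
        if op == "==": return value in present                        # true if any occurrence equals
        if op == "!=": return bool(present) and value not in present  # all-not-equal, as in Wireshark >= 3.6
        raise ValueError(f"unsupported operator {op!r}")
def apply_filter(expr, packets=PACKETS):
    return [i for i, pkt in enumerate(packets) if Filter(expr, pkt).match()]
```

Comparing apply_filter("(tcp.port == 80 || tcp.port == 443) && ip.src == 10.0.0.1") with the same expression without parentheses shows why the parentheses matter: && is evaluated before ||.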

Is any data sent to a server when using this reference?

No. The complete Wireshark filter reference is embedded in the page and rendered entirely client-side. Searching, filtering by category, and browsing all happen within your browser using JavaScript. No packet data, filter expressions, or search queries are transmitted to any server.