What is the best way to learn Wireshark?

Like any software, the best way to learn Wireshark is by using it. You can also <a href="https://courses.stationx.net/courses?query=wireshark">see our Wireshark courses available</a> in our member’s section.

Wireshark Cheat Sheet: All the Commands, Filters & Syntax

Q: What are the 2 types of filters used by Wireshark?

1) Capture filters are used to specify which packets should be captured by Wireshark. These are set when the capture begins. You can set various criteria, such as looking for packets from a particular source IP address, using only a particular protocol or packets sent over a specific port. You can also capture all traffic and sort it later. 2) Display filters specify which packets should be displayed in the Wireshark interface. These are applied after the capture is completed. These can help you narrow down what packets you are looking for. Like capture filters, you can use many different criteria, such as displaying only specific ports, IP addresses, or protocols depending on your needs.

Wireshark is arguably the most popular and powerful tool you can use to capture, analyze and troubleshoot network traffic. The only downside you will face when using a tool as verbose as Wireshark is memorizing all of the commands, flags, filters, and syntax. That’s where we come in.

Whether you are a network administrator, a security professional, or just someone curious about how networks work, learning to use Wireshark is a valuable skill. This Wireshark cheat sheet will provide a solid foundation and reference for using Wireshark to monitor and analyze your network traffic.

Download a pdf copy for your records here, and scroll below to find a list of the common commands in Wireshark.

Table Of Contents

Default Columns In a Packet Capture Output
Logical Operators
Filtering Packets (Display Filters)
Filter Types
Wireshark Capturing Modes
Miscellaneous
Capture Filter Syntax
Display Filter Syntax
Keyboard Shortcuts – Main Display Window
Protocols – Values
Common Filtering Commands
Wireshark Command Generator
Main Toolbar Items
Conclusion
Frequently Asked Questions

Default Columns In a Packet Capture Output

Name	Description
No.	Frame number from the beginning of the packet capture
Time	Seconds from the first frame
Source (src)	Source address, commonly an IPv4, IPv6 or Ethernet address
Destination (dst)	Destination address
Protocol	Protocol used in the Ethernet frame, IP packet, or TC segment
Length	Length of the frame in bytes

Logical Operators

Operator	Description	Example
and or &&	Logical AND	All the conditions should match
or or \|\|	Logical OR	Either all or one of the conditions should match
xor or ^^	Logical XOR	Exclusive alterations – only one of the two conditions should match not both
not or !	Not (Negation)	Not equal to
[ n ] [ … ]	Substring operator	Filter a specific word or text

Filtering Packets (Display Filters)

Operator	Description	Example
eq or ==	Equal	ip.dest == 192.168.1.1
ne or !=	Not equal	ip.dest != 192.168.1.1
gt or >	Greater than	frame.len > 10
it or <	less than	frame.len < 10
ge or >=	Greater than or equal	frame.len >= 10
le or <=	Less than or equal	frame.len <= 10

Filter Types

Name	Description
Capture filter	Filter packets during capture
Display filter	Hide packets from a capture display

Wireshark Capturing Modes

Name	Description
Promiscuous mode	Sets interface to capture all packets on a network segment to which it is associated to
Monitor mode	Setup the wireless interface to capture all traffic it can receive (Unix/ Linux only)

Miscellaneous

Name	Description
Slice Operator	[ … ] – Range of values
Membership Operator	{} – In
CTRL+E	Start/Stop Capturing

Capture Filter Syntax

Syntax	Protocol	Direction	Hosts	Value	Logical Operator	Expressions
Example	tcp	src	192.168.1.1	80	and	tcp dst 202.164.30.1

Display Filter Syntax

Syntax	Protocol	String 1	String 2	Comparison Operator	Value	Logical Operator	Expressions
Example	http	dest	ip	==	192.168.1.1	and	tcp port

Keyboard Shortcuts – Main Display Window

Accelerator	Description	Accelerator	Description
Tab or Shift+Tab	Move between screen elements, e.g. from the toolbars to the packet list to the packet detail.	Alt+→ or Option→	Move to the next packet in the selection history.
↓	Move to the next packet or detail item.	→	In the packet detail, opens the selected tree item.
↑	Move to the previous packet or detail item.	Shift+→	In the packet detail, opens the selected tree items and all of its subtrees.
Ctrl+ ↓ or F8	Move to the next packet, even if the packet list isn’t focused.	Ctrl+→	In the packet detail, opens all tree items.
Ctrl+ ↑ Or F7	Move to the previous packet, even if the packet list isn’t focused	Ctrl+←	In the packet detail, closes all the tree
Ctrl+.	Move to the next packet of the conversation (TCP, UDP or IP).	Backspace	In the packet detail, jumps to the parent node.
Ctrl+,	Move to the previous packet of the conversation (TCP, UDP or IP).	Return or Enter	In the packet detail, toggles the selected tree item.

Protocols – Values

ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp

Common Filtering Commands

Usage	Filter Syntax
Wireshark Filter by IP	ip.add == 10.10.50.1
Filter by Destination IP	ip.dest == 10.10.50.1
Filter by Source IP	ip.src == 10.10.50.1
Filter by IP range	ip.addr >= 10.10.50.1 and ip.addr <=10.10.50.100
Filter by Multiple Ips	ip.addr == 10.10.50.1 and ip.addr == 10.10.50.100
Filter out IP adress	! (ip.addr == 10.10.50.1)
Filter subnet	ip.addr == 10.10.50.1/24
Filter by port	tcp.port == 25
Filter by destination port	tcp.dstport == 23
Filter by ip adress and port	ip.addr == 10.10.50.1 and Tcp.port == 25
Filter by URL	http.host == “host name”
Filter by time stamp	frame.time >= “June 02, 2019 18:04:00”
Filter SYN flag	Tcp.flags.syn == 1 and tcp.flags.ack ==0
Wireshark Beacon Filter	wlan.fc.type_subtype = 0x08
Wireshark broadcast filter	eth.dst == ff:ff:ff:ff:ff:ff
Wireshark multicast filter	(eth.dst[0] & 1)
Host name filter	ip.host = hostname
MAC address filter	eth.addr == 00:70:f4:23:18:c4
RST flag filter	tcp.flag.reset == 1

Wireshark Command Generator

Say goodbye to the hassle of trying to remember the exact syntax for your Wireshark commands! With our Wireshark Command Generator, you can simply say what you need Wireshark to do, and we will generate the command for you.

Main Toolbar Items

Toolbar Item	Menu Item	Description
Start	Capture → Start	Uses the same packet capturing options as the previous session, or uses defaults if no options were set
Stop	Capture → Stop	Stops currently active capture
Restart	Capture → Restart	Restart active capture session
Options…	Capture → Options…	Opens “Capture Options” dialog box
Open…	File →open…	Opens “File open” dialog box to load a capture for viewing
Save As…	File → Save As…	Save current capture file
Close	File →Close	Close current capture file
Reload	View → Reload	Reload current capture file
Find Packet…	Edit →Find Packet…	Find packet based on different criteria
Go Back	Go → Go back	Jump back in the packet history
Go Forward	Go → Go Forward	Jump forward in the packet history
Go to Packet…	Go → Go to Packet…	Go to specific packet
Go to First Packet	Go → Go to First Packet	Jump to first packet of the capture file
Go to last Packet	Go → Go to last Packet	Jump to last packet of the capture file
Auto Scroll in Live Capture	View → Auto Scroll in Live Capture	Auto scroll packet list during live capture
Colorize	View → Colorize	Colorize the packet list (or not)
Zoom In	View → Zoom In	Zoom into the packet data (increase the font size)
Zoom Out	View → Zoom Out	Zoom out of the packet data (decrease the font size)
Normal Size	View → Normal Size	Set zoom level back to 100%
Resize Columns	View → Resize Columns	Resize columns, so the content fits the width

Conclusion

Wireshark is an incredibly powerful tool for analyzing and troubleshooting network traffic. It provides a wealth of information that can help you identify issues, track down problems, and understand how your network is being used.

We hope that with the knowledge and techniques covered in this Wireshark cheat sheet, you should now be able to confidently capture, filter, and analyze packets with Wireshark. You can also learn to Master Wireshark in Five Days or Start Using Wireshark to Hack Like a Pro with our VIP courses.

Frequently Asked Questions

What is Wireshark and how do you use it?

Wireshark advertises itself as, “the world’s foremost and widely-used network protocol analyzer.” By running a capture, you can grab traffic on your network and see not only the origin and destination of the packets, but often important information contained within.

Can Wireshark see texts?

Typically no. Wireshark can see unencrypted data on a network where it sits in the middle. To see SMS messages, the messages would need to be sent without any encryption over a network which you control, which is unlikely to be the case.

What should I look for when using Wireshark?

This depends entirely on your intention. If you are using it for security purposes, you would be analyzing traffic looking for anomalies and signs of breaches. This could include large amounts of traffic passing over unusual ports.

If you are using it as a hacker or penetration tester, you would be looking for sensitive information being sent throughout the network, such as login credentials.

As a network administrator or engineer you may be looking for bottlenecks or other issues that are hurting the network’s performance.

What are the 2 types of filters used by Wireshark?

1) Capture filters are used to specify which packets should be captured by Wireshark. These are set when the capture begins. You can set various criteria, such as looking for packets from a particular source IP address, using only a particular protocol or packets sent over a specific port. You can also capture all traffic and sort it later.
2) Display filters specify which packets should be displayed in the Wireshark interface. These are applied after the capture is completed. These can help you narrow down what packets you are looking for. Like capture filters, you can use many different criteria, such as displaying only specific ports, IP addresses, or protocols depending on your needs.

Can Wireshark see incognito?

Yes. Incognito mode doesn’t do anything to hide or encrypt network traffic, it only stops your browser from storing your browsing history for that session. This means that there will be network logs of your browsing and Wireshark will be able to see the connections.

The one caveat to mention is that websites using HTTPS encrypt the traffic to and from the website. This would prevent Wireshark from seeing the specific information sent back and forth from a website (such as login credentials) but will not prevent it from seeing the destination ip address and the associated website visited.

Can you track someone with Wireshark?

Wireshark is a tool that can be used as part of a kit to track someone. It can identify an IP address and, depending on other factors (such as whether encryption is being used), what they are doing within the network.

How do you capture packets in Wireshark?

It’s as simple as selecting the interface you wish to capture on and clicking to start the capture. Wireshark will begin grabbing the traffic and displaying it immediately. You are free to view packets, streams, or apply filters as you go.

What can hackers do with Wireshark?

Wireshark allows you to capture and monitor network traffic. Potentially a hacker can grab passwords and other sensitive information which they can leverage against a target or target network.

What is the best way to learn Wireshark?

Like any software, the best way to learn Wireshark is by using it. You can also see our Wireshark courses available in our member’s section.

How do I read Wireshark logs?

Wire shark as a GUI interface allowing you to see the traffic color coded and displayed sequentially. You can use filters to look for specific information, view the details available in any packet (including source, destination, and possibly content), or view a communication stream between two points.