Wireshark Cheat Sheet

To supplement the courses in our Cyber Security School, here is a list of the ​common commands in Wireshark. 

You may download the PDF version of this cheat sheet here.

Default Columns In a Packet Capture Output

NameDescription
No.Frame number from the beginning of the packet capture
TimeSeconds from the first frame
Source (src)Source address, commonly an IPv4, IPv6 or Ethernet address
Destination (dst)Destination address
ProtocolProtocol used in the Ethernet frame, IP packet, or TC segment
LengthLength of the frame in bytes

Logical Operators

OperatorDescriptionExample
and or &&Logical ANDAll the conditions should match 
or or ||Logical OREither all or one of the conditions should match
xor or ^^Logical XORExclusive alterations – only one of the two conditions should match not both 
not or !Not (Negation)Not equal to 
[ n ] [ … ]Substring operatorFilter a specific word or text 

Filtering Packets (Display Filters)

OperatorDescriptionExample
eq or ==Equalip.dest  ==  192.168.1.1
ne or !=Not equalip.dest  !=   192.168.1.1
gt or >Greater thanframe.len   >   10
it or <less thanframe.len  <   10
ge or >=Greater than or equalframe.len  >=   10
le or <=Less than or equalframe.len  <=   10

Filter Types

Name Description
Capture filterFilter packets during capture
Display filterHide packets from a capture display

Wireshark Capturing Modes

NameDescription
Promiscuous modeSets interface to capture all packets on a network segment to which it is associated to
Monitor modeSetup the wireless interface to capture all traffic it can receive (Unix/ Linux only)

Miscellaneous

NameDescription
Slice Operator[ … ] – Range of values
Membership Operator{} – In
CTRL+EStart/Stop Capturing

Capture Filter Syntax

SyntaxProtocolDirectionHostsValueLogical OperatorExpressions
Exampletcpsrc192.168.1.180andtcp dst 202.164.30.1

Display Filter Syntax

SyntaxProtocolString 1String 2Comparison OperatorValueLogical OperatorExpressions
Examplehttpdestip==192.168.1.1andtcp port

Keyboard Shortcuts – Main Display Window

AcceleratorDescriptionAcceleratorDescription
Tab or Shift+TabMove between screen elements, e.g. from the toolbars to the packet list to the packet detail.Alt+→ or Option→Move to the next packet in the selection history.
Move to the next packet or detail item.In the packet detail, opens the selected tree item.
 Move to the previous packet or detail item.Shift+→In the packet detail, opens the selected tree items and all of its subtrees.
Ctrl+ ↓ or F8 Move to the next packet, even if the packet list isn’t focused.Ctrl+→In the packet detail, opens all tree items.
Ctrl+ ↑ Or F7Move to the previous packet, even if the packet list isn’t focusedCtrl+←In the packet detail, closes all the tree
Ctrl+.Move to the next packet of the conversation (TCP, UDP or IP).BackspaceIn the packet detail, jumps to the parent node.
Ctrl+,Move to the previous packet of the conversation (TCP, UDP or IP).Return or EnterIn the packet detail, toggles the selected tree item.

Protocols – Values

ether,  fddi,  ip,  arp,  rarp,  decnet,  lat, sca,  moprc,  mopdl,  tcp  and  udp

Common Filtering Commands

UsageFilter Syntax
Wireshark Filter by IPip.add == 10.10.50.1
Filter by Destination IPip.dest == 10.10.50.1
Filter by Source IPip.src == 10.10.50.1
Filter by IP rangeip.addr >= 10.10.50.1 and ip.addr <=10.10.50.100
Filter by Multiple Ipsip.addr == 10.10.50.1 and ip.addr == 10.10.50.100
Filter out IP adress! (ip.addr == 10.10.50.1)
Filter subnetip.addr == 10.10.50.1/24
Filter by porttcp.port == 25
Filter by destination porttcp.dstport == 23
Filter by ip adress and portip.addr == 10.10.50.1 and Tcp.port == 25
Filter by URLhttp.host == “host name”
Filter by time stampframe.time >= “June 02, 2019 18:04:00”
Filter SYN flagTcp.flags.syn == 1 and tcp.flags.ack ==0
Wireshark Beacon Filterwlan.fc.type_subtype = 0x08
Wireshark broadcast filtereth.dst == ff:ff:ff:ff:ff:ff
Wireshark multicast filter(eth.dst[0] & 1)
Host name filterip.host = hostname
MAC address filtereth.addr == 00:70:f4:23:18:c4
RST flag filtertcp.flag.reset == 1

Main Toolbar Items

Toolbar IconToolbar ItemMenu ItemDescription 
StartCapture → StartUses the same packet capturing options as the previous session, or uses defaults if no options were set
StopCapture → StopStops currently active capture
RestartCapture → RestartRestart active capture session
Options…Capture → Options…Opens “Capture Options” dialog box
Open…File →open…Opens “File open” dialog box to load a capture for viewing
Save As…File → Save As…Save current capture file
CloseFile →CloseClose current capture file
ReloadView → ReloadReload current capture file
Find Packet…Edit →Find Packet…Find packet based on different criteria
Go BackGo → Go backJump back in the packet history
Go ForwardGo → Go ForwardJump forward in the packet history
Go to Packet… Go → Go to Packet…Go to specific packet
Go to First PacketGo → Go to First PacketJump to first packet of the capture file
Go to last PacketGo → Go to last PacketJump to last packet of the capture file
Auto Scroll in Live CaptureView → Auto Scroll in Live CaptureAuto scroll packet list during live capture
ColorizeView → ColorizeColorize the packet list (or not)
Zoom InView → Zoom InZoom into the packet data (increase the font size)
Zoom OutView → Zoom OutZoom out of the packet data (decrease the font size)
Normal SizeView → Normal SizeSet zoom level back to 100%
Resize ColumnsView → Resize ColumnsResize columns, so the content fits the width
  • Alishia says:

    Wireshark, is a popular network analysis tool to capture network packets and display them at a granular level, Nathan thanks for sharing this information!

  • Marty says:

    Thanks again Nathan for another chart. Have a good day man….

  • Daniel says:

    Great little cheat sheet, Thank you..

  • neil browne says:

    Your a real mentch. Thanks G.

  • Nidhay Bhatt says:

    Great content again ?

  • Mkhomazi says:

    The Greatest of All Time Thank you for the cheat sheet Sir!

  • James Madison says:

    Excellent revision guide for the newbie and a reference sheet for the initiated. Thank mate

  • Elizabeth says:

    Thanku…finding your course very good..am doing other courses too so im taking it slow ..will print and save thanks.:)

  • kamal douaihy says:

    thank you so much nathan for all your shares

  • >