Wireshark Cheat Sheet: All the Commands, Filters & Syntax

Wireshark Cheat Sheet

Wireshark is arguably the most popular and powerful tool you can use to capture, analyze and troubleshoot network traffic. The only downside you will face when using a tool as verbose as Wireshark is memorizing all of the commands, flags, filters, and syntax. That’s where we come in.

Whether you are a network administrator, a security professional, or just someone curious about how networks work, learning to use Wireshark is a valuable skill. This Wireshark cheat sheet will provide a solid foundation and reference for using Wireshark to monitor and analyze your network traffic.

Download a pdf copy for your records here, and scroll below to find a list of the ​common commands in Wireshark.

Wireshark Cheat Sheet Search

Search our Wireshark cheat sheet to find the right cheat for the term you're looking for. Simply enter the term in the search bar and you'll receive the matching cheats available.

Default Columns In a Packet Capture Output

NameDescription
No.Frame number from the beginning of the packet capture
TimeSeconds from the first frame
Source (src)Source address, commonly an IPv4, IPv6 or Ethernet address
Destination (dst)Destination address
ProtocolProtocol used in the Ethernet frame, IP packet, or TC segment
LengthLength of the frame in bytes

Logical Operators

OperatorDescriptionExample
and or &&Logical ANDAll the conditions should match 
or or ||Logical OREither all or one of the conditions should match
xor or ^^Logical XORExclusive alterations - only one of the two conditions should match not both 
not or !Not (Negation)Not equal to 
[ n ] [ … ]Substring operatorFilter a specific word or text 

Filtering Packets (Display Filters)

OperatorDescriptionExample
eq or ==Equalip.dest  ==  192.168.1.1
ne or !=Not equalip.dest  !=   192.168.1.1
gt or >Greater thanframe.len   >   10
it or <less thanframe.len  <   10
ge or >=Greater than or equalframe.len  >=   10
le or <=Less than or equalframe.len  <=   10

Filter Types

Name Description
Capture filterFilter packets during capture
Display filterHide packets from a capture display

Wireshark Capturing Modes

NameDescription
Promiscuous modeSets interface to capture all packets on a network segment to which it is associated to
Monitor modeSetup the wireless interface to capture all traffic it can receive (Unix/ Linux only)

Miscellaneous

NameDescription
Slice Operator[ … ] - Range of values
Membership Operator{} - In
CTRL+EStart/Stop Capturing

Capture Filter Syntax

SyntaxProtocolDirectionHostsValueLogical OperatorExpressions
Exampletcpsrc192.168.1.180andtcp dst 202.164.30.1

Display Filter Syntax

SyntaxProtocolString 1String 2Comparison OperatorValueLogical OperatorExpressions
Examplehttpdestip==192.168.1.1andtcp port

Keyboard Shortcuts - Main Display Window

AcceleratorDescriptionAcceleratorDescription
Tab or Shift+TabMove between screen elements, e.g. from the toolbars to the packet list to the packet detail.Alt+→ or Option→Move to the next packet in the selection history.
Move to the next packet or detail item.In the packet detail, opens the selected tree item.
 Move to the previous packet or detail item.Shift+→In the packet detail, opens the selected tree items and all of its subtrees.
Ctrl+ ↓ or F8 Move to the next packet, even if the packet list isn't focused.Ctrl+→In the packet detail, opens all tree items.
Ctrl+ ↑ Or F7Move to the previous packet, even if the packet list isn't focusedCtrl+←In the packet detail, closes all the tree
Ctrl+.Move to the next packet of the conversation (TCP, UDP or IP).BackspaceIn the packet detail, jumps to the parent node.
Ctrl+,Move to the previous packet of the conversation (TCP, UDP or IP).Return or EnterIn the packet detail, toggles the selected tree item.

Protocols - Values

ether,  fddi,  ip,  arp,  rarp,  decnet,  lat, sca,  moprc,  mopdl,  tcp  and  udp

Common Filtering Commands

UsageFilter Syntax
Wireshark Filter by IPip.add == 10.10.50.1
Filter by Destination IPip.dest == 10.10.50.1
Filter by Source IPip.src == 10.10.50.1
Filter by IP rangeip.addr >= 10.10.50.1 and ip.addr <=10.10.50.100
Filter by Multiple Ipsip.addr == 10.10.50.1 and ip.addr == 10.10.50.100
Filter out IP adress! (ip.addr == 10.10.50.1)
Filter subnetip.addr == 10.10.50.1/24
Filter by porttcp.port == 25
Filter by destination porttcp.dstport == 23
Filter by ip adress and portip.addr == 10.10.50.1 and Tcp.port == 25
Filter by URLhttp.host == "host name"
Filter by time stampframe.time >= "June 02, 2019 18:04:00"
Filter SYN flagTcp.flags.syn == 1 and tcp.flags.ack ==0
Wireshark Beacon Filterwlan.fc.type_subtype = 0x08
Wireshark broadcast filtereth.dst == ff:ff:ff:ff:ff:ff
Wireshark multicast filter(eth.dst[0] & 1)
Host name filterip.host = hostname
MAC address filtereth.addr == 00:70:f4:23:18:c4
RST flag filtertcp.flag.reset == 1

Wireshark Command Generator

Say goodbye to the hassle of trying to remember the exact syntax for your Wireshark commands! With our Wireshark Command Generator, you can simply say what you need Wireshark to do, and we will generate the command for you.

Main Toolbar Items

Toolbar IconToolbar ItemMenu ItemDescription 
StartCapture → StartUses the same packet capturing options as the previous session, or uses defaults if no options were set
StopCapture → StopStops currently active capture
RestartCapture → RestartRestart active capture session
Options...Capture → Options…Opens "Capture Options" dialog box
Open...File →open…Opens "File open" dialog box to load a capture for viewing
Save As...File → Save As…Save current capture file
CloseFile →CloseClose current capture file
reloadReloadView → ReloadReload current capture file
find packetFind Packet...Edit →Find Packet…Find packet based on different criteria
go backGo BackGo → Go backJump back in the packet history
go forwardsGo ForwardGo → Go ForwardJump forward in the packet history
go to packetGo to Packet... Go → Go to Packet…Go to specific packet
go to first packetGo to First PacketGo → Go to First PacketJump to first packet of the capture file
go to last packetGo to last PacketGo → Go to last PacketJump to last packet of the capture file
Auto Scroll in Live CaptureView → Auto Scroll in Live CaptureAuto scroll packet list during live capture
colorizeColorizeView → ColorizeColorize the packet list (or not)
zoom inZoom InView → Zoom InZoom into the packet data (increase the font size)
zoom outZoom OutView → Zoom OutZoom out of the packet data (decrease the font size)
normal sizeNormal SizeView → Normal SizeSet zoom level back to 100%
resize columnResize ColumnsView → Resize ColumnsResize columns, so the content fits the width

Conclusion

Wireshark is an incredibly powerful tool for analyzing and troubleshooting network traffic. It provides a wealth of information that can help you identify issues, track down problems, and understand how your network is being used.

We hope that with the knowledge and techniques covered in this Wireshark cheat sheet, you should now be able to confidently capture, filter, and analyze packets with Wireshark. You can also learn to Master Wireshark in Five Days or Start Using Wireshark to Hack Like a Pro with our StationX courses.

Frequently Asked Questions

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Nathan House

    Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.

  • Alishia says:

    Wireshark, is a popular network analysis tool to capture network packets and display them at a granular level, Nathan thanks for sharing this information!

  • Marty says:

    Thanks again Nathan for another chart. Have a good day man….

  • Daniel says:

    Great little cheat sheet, Thank you..

  • neil browne says:

    Your a real mentch. Thanks G.

  • Nidhay Bhatt says:

    Great content again ?

  • Mkhomazi says:

    The Greatest of All Time Thank you for the cheat sheet Sir!

  • James Madison says:

    Excellent revision guide for the newbie and a reference sheet for the initiated. Thank mate

  • Elizabeth says:

    Thanku…finding your course very good..am doing other courses too so im taking it slow ..will print and save thanks.:)

  • kamal douaihy says:

    thank you so much nathan for all your shares

  • >