Comment on page

WireShark filters

Filter
Function
ip.addr
Lists packets with IP address of specified value
ip.dst
Lists packets with destination IP address of specified value
ip.src
Lists packets with source address IP of specified value
tcp.port
Lists packets with TCP ports of specified value
udp.port
Lists packets with UDP ports of specified value
http.request
Filters all HTTP GET and POST requests
http.response
Shows the responses to the HTTP requests, including the response codes
dns
Sets a filter to display all packets that contain DNS data
tcp contains
Displays all TCP packets that contain a string matching whatever is defined as
ip.addr == 10.0.0.1
Show any packet with Specific IP (example 10.0.01)
tcp.port==22
how any TCP packet with Specific Port (example port 22)
Class A 
ip.addr == 10.0.0.0/8
​
Class B
ip.addr == 10.10.0.0/16
​
Class C
ip.addr == 10.10.10.0/24
Show packets to and from any address in a subnet
tcp.dstport == 80
Show all protocol traffic (example HTTP port 80)
tcp.port == 80 and ip.addr == 10.0.0.1
Show specific traffic to/from specific IP address (HTTP on  example 10.0.0.1 )
http.request.method == “POST”
Filter for HTTP POST Requests
http.request.method == “GET”
Filter for HTTP GET Requests
http.response.code == 200
Show specific response request (example 200)
frame contains traffic
Show all packets that contain the word ‘traffic’

Filter	Function
`ip.addr`	Lists packets with IP address of specified value
`ip.dst`	Lists packets with destination IP address of specified value
`ip.src`	Lists packets with source address IP of specified value
`tcp.port`	Lists packets with TCP ports of specified value
udp.port	Lists packets with UDP ports of specified value
`http.request`	Filters all HTTP GET and POST requests
`http.response`	Shows the responses to the HTTP requests, including the response codes
`dns`	Sets a filter to display all packets that contain DNS data
`tcp contains`	Displays all TCP packets that contain a string matching whatever is defined as
`ip.addr == 10.0.0.1`	Show any packet with Specific IP (example 10.0.01)
`tcp.port==22`	how any TCP packet with Specific Port (example port 22)
Class A `ip.addr == 10.0.0.0/8` Class B `ip.addr == 10.10.0.0/16` Class C `ip.addr == 10.10.10.0/24`	Show packets to and from any address in a subnet
`tcp.dstport == 80`	Show all protocol traffic (example HTTP port 80)
`tcp.port == 80 and ip.addr == 10.0.0.1`	Show specific traffic to/from specific IP address (HTTP on example 10.0.0.1 )
`http.request.method == “POST”`	Filter for HTTP POST Requests
`http.request.method == “GET”`	Filter for HTTP GET Requests
`http.response.code == 200`	Show specific response request (example 200)
`frame contains traffic`	Show all packets that contain the word ‘traffic’

Field Notes - Previous

SSH & SSL

Next - Field Notes

Defensive Splunk

Last modified 8mo ago