👑 Wireshark Filter King

Click to add filters. Click again to copy. Even a caveman could do it.

🌐 IP Addresses

ip.src == X Source IP equals X
ip.dst == X Destination IP equals X
ip.addr == X Either source OR dest is X
ip.src == X/24 Source is in the /24 subnet (e.g., ip.src == 192.168.1.0/24 matches 192.168.1.*)

📡 Protocols

tcp All TCP traffic
udp All UDP traffic
icmp Ping / ICMP traffic
arp ARP (who has this IP?)
dns DNS lookups
http HTTP traffic (unencrypted web)
tls TLS/SSL (encrypted; the protocol filter was called ssl before Wireshark 3.0)
ssh SSH connections
ftp FTP file transfers
dhcp DHCP (IP assignment; called bootp before Wireshark 3.0)

🚪 Ports

tcp.port == 80 HTTP (port 80)
tcp.port == 443 HTTPS (port 443)
tcp.port == 22 SSH (port 22)
tcp.port == 3389 RDP (Windows Remote Desktop)
udp.port == 53 DNS (port 53)
tcp.dstport == 445 SMB (file sharing)

🌍 HTTP/Web

http.request HTTP requests only
http.response HTTP responses only
http.request.method == "GET" GET requests
http.request.method == "POST" POST requests (forms, uploads)
http.host contains "X" Requests to hosts containing X
http.response.code == 200 Successful responses (200 OK)
http.response.code >= 400 Error responses (4xx, 5xx)

🚦 TCP Flags & States

tcp.flags.syn == 1 SYN packets (new connections)
tcp.flags.syn == 1 && tcp.flags.ack == 0 Initial SYN only (connection starts; the SYN/ACK reply has both bits set)
tcp.flags.fin == 1 FIN packets (connection closing)
tcp.flags.reset == 1 RST packets (connection reset)
tcp.analysis.retransmission Retransmitted packets (problems!)
tcp.analysis.duplicate_ack Duplicate ACKs (packet loss indicator)
tcp.analysis.zero_window Zero window (receiver overwhelmed)

🔍 DNS

dns.qry.name contains "X" DNS queries for domains with X
dns.flags.response == 1 DNS responses only
dns.flags.response == 0 DNS queries only
dns.flags.rcode != 0 Failed DNS lookups
dns.qry.type == 1 A records (IPv4)
dns.qry.type == 28 AAAA records (IPv6)

🔧 Troubleshooting

tcp.analysis.flags All TCP problems flagged by Wireshark
tcp.time_delta > 1 Slow responses (>1 second since the previous packet in the same TCP stream; needs "Calculate conversation timestamps" enabled in the TCP protocol preferences)
frame.time_delta > 0.5 Long gaps between packets
icmp.type == 3 ICMP Destination Unreachable
icmp.type == 11 ICMP Time Exceeded (traceroute)

🛡️ Security

tcp.port == 4444 Metasploit default listener port (trivially changed, so a weak indicator on its own)
tcp.flags == 0x029 Xmas scan (FIN+PSH+URG = 0x01+0x08+0x20)
tcp.flags == 0x000 Null scan (no flags)
http.request.uri contains ".." Path traversal attempts (matches the raw URI only; %2e%2e-encoded variants need a second filter)
http.user_agent contains "sqlmap" SQL injection tool
tcp.dstport == 23 Telnet (unencrypted! bad!)
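The hex values in the Security section and the bit filters in the TCP Flags section are the same thing seen two ways: tcp.flags is the 12-bit flag word at offset 12 of the TCP header, and 0x029 is just FIN|PSH|URG. The following Python script is an added example (not part of the original page or of Wireshark) that builds a few constructed TCP headers, extracts the flag word exactly as Wireshark computes tcp.flags, and applies the page's Xmas, Null and SYN-only filters to them. It also shows why the page filters connection starts with tcp.flags.syn == 1 && tcp.flags.ack == 0 rather than an exact tcp.flags == 0x002: a client negotiating ECN sends SYN+ECE+CWR (0x0c2), which the exact match would miss. The sample segments and their labels are constructed test data.

```python
import struct

# TCP flag bits, low byte of the 16-bit data-offset/flags word (RFC 9293).
# The page's hex values are these bits OR'ed together:
#   0x029 = FIN | PSH | URG (Xmas scan), 0x000 = nothing set (Null scan).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}


def tcp_flags(segment: bytes) -> int:
    """Extract the flag field from a raw TCP header.

    Bytes 12-13 hold the 4-bit data offset followed by 12 bits of
    reserved/NS/flag bits; masking with 0x0FFF yields the same 12-bit
    value Wireshark displays as tcp.flags (e.g. 0x002 for a bare SYN).
    """
    off_flags = struct.unpack("!H", segment[12:14])[0]
    return off_flags & 0x0FFF


def flag_names(flags: int) -> str:
    """Human-readable flag list, e.g. 0x029 -> 'FIN+PSH+URG'."""
    return "+".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "none"


def classify(flags: int) -> str:
    """Apply the page's scan/handshake filters to one tcp.flags value.

    tcp.flags == 0x029                          -> xmas-scan
    tcp.flags == 0x000                          -> null-scan
    tcp.flags.syn == 1 && tcp.flags.ack == 0    -> syn-only
    tcp.flags.syn == 1 && tcp.flags.ack == 1    -> syn-ack
    """
    if flags == 0x029:
        return "xmas-scan"
    if flags == 0x000:
        return "null-scan"
    if flags & SYN and not flags & ACK:
        return "syn-only"
    if flags & SYN and flags & ACK:
        return "syn-ack"
    return "other"


def make_segment(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Build a minimal 20-byte TCP header carrying `flags` (constructed test data)."""
    data_offset = 5                                  # header length in 32-bit words
    off_flags = (data_offset << 12) | (flags & 0x0FFF)
    # src port, dst port, seq, ack, offset+flags, window, checksum, urgent pointer
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 65535, 0, 0)


# Constructed sample "capture": what a scanner and a normal client would send.
SAMPLES = [
    ("nmap -sX probe", make_segment(FIN | PSH | URG, dport=22)),
    ("nmap -sN probe", make_segment(0, dport=22)),
    ("plain SYN", make_segment(SYN, dport=443)),
    ("SYN with ECN negotiation", make_segment(SYN | ECE | CWR, dport=443)),  # tcp.flags == 0x0c2
    ("server SYN/ACK", make_segment(SYN | ACK, sport=443, dport=40000)),
    ("data segment", make_segment(PSH | ACK, dport=443)),
]


def scan_report(samples=SAMPLES) -> dict:
    """Count each classification over the samples, as the filters would in Wireshark."""
    counts: dict = {}
    for _label, seg in samples:
        kind = classify(tcp_flags(seg))
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for label, seg in SAMPLES:
        f = tcp_flags(seg)
        print(f"{label:26} tcp.flags == 0x{f:03x} ({flag_names(f):12}) -> {classify(f)}")
    print(scan_report())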

🎯 Copy-Paste Combos (Real World)

ip.addr == 192.168.1.100 && tcp.port == 443 All HTTPS traffic to/from specific host
SYN && !ACK to internal network New connections to internal IPs (scan detection)
dns.qry.name contains "malware" || "evil" DNS lookups for suspicious domains
retransmission || dup_ack || lost All network problems (troubleshooting)
http.request && !google && !microsoft HTTP requests excluding common sites
frame.len > 1400 Large packets (possible data exfil)
Copied! 📋