Last Updated: May 1, 2025
Capture Filters (BPF Syntax)
| Item | Description |
|---|---|
| host 192.168.1.100 | Only traffic to or from this IP |
| net 192.168.1.0/24 | Traffic to or from the entire subnet |
| port 80 | TCP or UDP traffic on port 80 (typically HTTP); prefix with tcp to restrict it |
| tcp port 443 | Only TCP port 443 (typically HTTPS) |
| not port 22 | Exclude SSH traffic (essential when capturing over an SSH session, or the capture floods itself) |
| src host 10.0.0.1 | Only traffic FROM this host |
| dst port 53 | DNS queries sent to a resolver (destination port 53); responses come FROM port 53, so use src port 53 for those or port 53 for both |
| icmp | Only ICMP (ping, traceroute) |
| tcp[tcpflags] & (tcp-syn) != 0 | Packets with the SYN flag set, which includes SYN/ACK replies; for client-side connection starts only, use tcp[tcpflags] & (tcp-syn\|tcp-ack) == tcp-syn |
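The difference between the two SYN filters in the last row is easy to get wrong, because tcp[tcpflags] is just the flags byte at offset 13 of the TCP header. The following Python is an added example (not code from the original page) that decodes that byte from raw Ethernet/IPv4/TCP frames and applies both filter expressions; the frames are constructed in the script with zeroed checksums, so nothing here is real captured traffic.

```python
"""Decode the TCP flags byte that BPF's tcp[tcpflags] refers to (TCP header
offset 13) from raw Ethernet/IPv4/TCP frames and apply the two SYN filters."""
import struct

# BPF symbolic flag names and their bit values (tcp-fin, tcp-syn, ...).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed sample frame: Ethernet + IPv4 (no options) + TCP (no options).
    Checksums are left at zero; this is test data, not a real capture."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    # seq=1, ack=0, data offset 5 words (0x50), flags, window, checksum, urgent ptr
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload


def tcp_flags(frame):
    """Return the TCP flags byte (what BPF calls tcp[tcpflags]), or None if the
    frame is not IPv4/TCP or is too short to carry the flags byte."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip_off = ETH_HDR_LEN
    ihl = (frame[ip_off] & 0x0F) * 4          # IPv4 header length honours options
    if frame[ip_off + 9] != IPPROTO_TCP:
        return None
    tcp_off = ip_off + ihl
    if len(frame) < tcp_off + 14:
        return None
    return frame[tcp_off + 13]


def syn_set(frame):
    """Equivalent of: tcp[tcpflags] & (tcp-syn) != 0   (matches SYN and SYN/ACK)."""
    flags = tcp_flags(frame)
    return flags is not None and flags & TCP_SYN != 0


def syn_only(frame):
    """Equivalent of: tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn   (client SYN only)."""
    flags = tcp_flags(frame)
    return flags is not None and flags & (TCP_SYN | TCP_ACK) == TCP_SYN


# Constructed three-way handshake plus one data segment (sample data).
SAMPLE_FRAMES = {
    "syn": build_frame("10.0.0.5", "10.0.0.1", 51000, 443, TCP_SYN),
    "synack": build_frame("10.0.0.1", "10.0.0.5", 443, 51000, TCP_SYN | TCP_ACK),
    "ack": build_frame("10.0.0.5", "10.0.0.1", 51000, 443, TCP_ACK),
    "data": build_frame("10.0.0.5", "10.0.0.1", 51000, 443, TCP_PSH | TCP_ACK,
                        b"GET / HTTP/1.1\r\n"),
}


def apply_filter(filter_fn, frames=SAMPLE_FRAMES):
    """Return the names of the frames the filter would let into the capture."""
    return [name for name, frame in frames.items() if filter_fn(frame)]


if __name__ == "__main__":
    print("tcp[tcpflags] & (tcp-syn) != 0            ->", apply_filter(syn_set))
    print("tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn ->", apply_filter(syn_only))
```

The loose filter keeps both the client's SYN and the server's SYN/ACK, so a count of matches is roughly double the number of connection attempts; the strict form counts one packet per attempt, which is what you want when hunting for scans or SYN floods.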
Display Filters
| Item | Description |
|---|---|
| ip.addr == 192.168.1.1 | Packets with this IP as source or destination (note: ip.addr != 192.168.1.1 still matches packets where the other address differs; to exclude a host use !(ip.addr == 192.168.1.1)) |
| ip.src == 10.0.0.1 | Only packets FROM this IP |
| tcp.port == 443 | Traffic on TCP port 443 (source or destination) |
| http.request.method == "GET" | Only HTTP GET requests |
| http.response.code == 404 | Only HTTP 404 responses |
| dns.qry.name contains "google" | DNS packets whose queried name contains "google" (queries and the responses that echo them; case-sensitive, use dns.qry.name matches "(?i)google" for a case-insensitive regex) |
| tls.handshake.type == 1 | TLS ClientHello messages only (handshake type 1) |
| frame contains "password" | Search raw packet bytes for a string (slow, case-sensitive, and only finds cleartext) |
| !(arp or dns or icmp) | Exclude common noise protocols |
Analysis Workflows
| Item | Description |
|---|---|
| Follow TCP Stream | Right-click packet → Follow → TCP Stream (reassembles the entire conversation as the application saw it) |
| Follow TLS Stream | Reassembles the decrypted TLS conversation (needs session keys loaded) |
| Statistics → Protocol Hierarchy | Packet and byte distribution by protocol (percentages) |
| Statistics → Conversations | Which endpoints are talking, by IP address or by IP:port pair |
| Statistics → IO Graph | Throughput over time (troubleshoot bursts; display filters can be plotted as separate lines) |
| Analyze → Expert Info | Auto-detected errors, warnings, notes and chats in the capture (retransmissions, zero windows, malformed packets) |
Decrypting TLS Traffic
| Item | Description |
|---|---|
| SSLKEYLOGFILE | Set the env var before launching the client: export SSLKEYLOGFILE=~/sslkeys.log (Firefox, Chrome and curl honour it and append per-session secrets keyed by client random) |
| Wireshark → Preferences → Protocols → TLS | Set "(Pre)-Master-Secret log filename" to the key log file; Wireshark re-reads it, so decryption works in real time as new sessions are logged |
| Private key method | Load the server's RSA private key (RSA Keys list) to decrypt sessions that used RSA key exchange; pre-TLS 1.3 only, and useless for (EC)DHE cipher suites |
| Limitation | Any forward-secret session (all of TLS 1.3, and (EC)DHE suites in TLS 1.2) cannot be decrypted from the certificate or private key alone; you need the key log, captured on the client or server |
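Before spending time on a decryption setup, it helps to know which sessions in a capture the key log actually covers. Wireshark matches key log lines to sessions by the 32-byte client random in the ClientHello, the packets that tls.handshake.type == 1 selects. The following Python is an added example (not the page's own code) that extracts that random from TLS records and checks it against an SSLKEYLOGFILE in the NSS key log format; the ClientHello records and the key log text are constructed inside the script, and the label set and status names are this example's own choice.

```python
"""Check whether the TLS sessions in a capture are covered by an SSLKEYLOGFILE:
pull the client random out of each ClientHello (tls.handshake.type == 1) and
look it up in the key log (NSS key log format: LABEL <client_random> <secret>)."""
import re

# Labels Wireshark understands in a key log file.
KEYLOG_LABELS = {
    "CLIENT_RANDOM",                                   # TLS 1.0-1.2 master secret
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
# TLS 1.3 application data needs both of these; handshake secrets alone only
# decrypt the encrypted part of the handshake itself.
TLS13_APP_DATA_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}


def client_random_from_record(data):
    """Return the 32-byte client random if data starts with a TLS record carrying
    a ClientHello, else None. A ClientHello fragmented across records is rejected."""
    if len(data) < 43 or data[0] != 0x16:               # 0x16 = handshake record
        return None
    rec_len = int.from_bytes(data[3:5], "big")
    hs_type = data[5]                                    # 1 = ClientHello
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_type != 0x01 or hs_len < 34 or hs_len + 4 > rec_len:
        return None
    return data[11:43]                                   # after 2-byte client_version


def parse_keylog(text):
    """Map client random (hex) -> set of labels logged for it. Comment lines and
    malformed lines are ignored, as Wireshark ignores them."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) != 3 or parts[0].startswith("#") or parts[0] not in KEYLOG_LABELS:
            continue
        label, rand_hex, secret_hex = parts
        if not re.fullmatch(r"[0-9a-fA-F]{64}", rand_hex) or not re.fullmatch(r"[0-9a-fA-F]+", secret_hex):
            continue
        entries.setdefault(rand_hex.lower(), set()).add(label)
    return entries


def keylog_coverage(records, keylog_text):
    """For each record that is a ClientHello, report what the key log lets
    Wireshark decrypt: 'tls12', 'tls13', 'partial' (handshake secrets only) or None."""
    keylog = parse_keylog(keylog_text)
    result = {}
    for i, rec in enumerate(records):
        rand = client_random_from_record(rec)
        if rand is None:
            continue                                     # not a ClientHello, skip
        labels = keylog.get(rand.hex(), set())
        if "CLIENT_RANDOM" in labels:
            result[i] = "tls12"
        elif TLS13_APP_DATA_LABELS <= labels:
            result[i] = "tls13"
        elif labels:
            result[i] = "partial"
        else:
            result[i] = None
    return result


def build_client_hello(client_random, session_id=b""):
    """Constructed minimal ClientHello in a TLS record (sample data, not a real hello)."""
    body = (b"\x03\x03" + client_random + bytes([len(session_id)]) + session_id
            + b"\x00\x04" + b"\x13\x01\xc0\x2f"          # two cipher suites
            + b"\x01\x00"                                # null compression only
            + b"\x00\x00")                               # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed client randoms and key log; deterministic so the result is reproducible.
RAND_A, RAND_B, RAND_C, RAND_D = (bytes(range(s, s + 32)) for s in (0, 32, 64, 96))
SAMPLE_RECORDS = [
    build_client_hello(RAND_A),
    build_client_hello(RAND_B, session_id=b"\xaa" * 32),  # TLS 1.3 compat-mode session id
    build_client_hello(RAND_C),
    build_client_hello(RAND_D),
    b"\x17\x03\x03\x00\x05hello",                        # application data, not a hello
    b"\x16\x03\x03\x00\x04\x02\x00\x00\x00",             # handshake type 2, not a hello
]
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    f"CLIENT_RANDOM {RAND_A.hex()} {'11' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RAND_B.hex()} {'22' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {RAND_B.hex()} {'33' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {RAND_B.hex()} {'44' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {RAND_B.hex()} {'55' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RAND_C.hex()} {'66' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {RAND_C.hex()} {'77' * 32}",
    "BOGUS_LABEL deadbeef notahexsecret",                 # malformed line, ignored
])

if __name__ == "__main__":
    for idx, status in keylog_coverage(SAMPLE_RECORDS, SAMPLE_KEYLOG).items():
        print(f"record {idx}: {status}")
```

A session that comes back as None is exactly the case the Limitation row describes: without its secrets in the log, no certificate or private key will decrypt it if the cipher suite was forward secret. To run this against a real capture, feed it the TCP payloads of the packets matched by tls.handshake.type == 1 (for example exported with tshark -T fields -e tls.handshake.random) rather than the constructed records.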
Pro Tip: Capture filters use BPF syntax (the same as tcpdump) and drop packets before they are ever written, so whatever they exclude is gone for good. Display filters use Wireshark's own syntax (more powerful) and only hide packets that are already in the capture. Start with a capture filter to limit data volume, then use display filters to analyze.