Wireshark

Filters

Capture Filters

Capture traffic from host

host x.x.x.x

Capture traffic from either directions

net x.x.x.x/24

Capture traffic from

src net x.x.x.x/24

Capture traffic to

dst net x.x.x.x

Filter out all traffic except the port you specify:

port #

Will capture everything except the variable

not <variable>

Concatenate variables:

and

Grab traffic only within the range:

portrange x-x

Specify protocol filters:

ip / ether / tcp

Grabs a specific type of traffic:

broadcast / multicast / unicast

Display Filters

Capture only traffic pertaining to a certain host (OR statement)

ip.addr == x.x.x.x

Capture traffic pertaining to a specific network(OR statement)

ip.addr == x.x.x.x/24

Capture traffic to or from a specific host:

ip.src/dst == x.x.x.x

Filter traffic by protocol:

dns / tcp / ftp / arp / ip

Filter by a specific TCP port:

tcp.port == x

Will capture everything except the port specified:

src.port / dst.port ==x

AND will concatenate, OR will find either of two options, NOT will exclude your input option:

and / or / not

Follow a TCP session stream:

tcp.stream eq #

Will filter for any traffic matching the HTTP:

http

This filter will display any packet with a JPEG:

http && image-jfif

Filters for the FTP protocol:

ftp

Will filter for any control commands sent over FTP control channel:

ftp.request.command

Will show any objects transferred over FTP:

ftp-data

`tshark`

List available interfaces to capture from:

tshark -D

Capture on a selected interface:

tshark -i (int)

Apply a filter looking for a specific host:

tshark -i eth0 -f "host (ip)"

Will display any interfaces available to capture from and then exit out:

Will list the Link-layer mediums you can capture from and then exit out:

Defines a stop condition; Grab a specific number of packets, then quit the program :

Defines an auto-stop condition. It can be after a duration, specific file size, or after a certain number of packets:

Read from a file:

r (pcap-file)

Write into a file using the pcapng format:

W (pcap-file)

Will print the packet summary while writing into a file (-W):

Will add Hex and ASCII output into the capture:

Identifiers

`FTP` Identifiers

PreviousNmap NextMetasploit

Last updated 6 months ago

Filters

Capture Filters

Capture traffic from host

host x.x.x.x

Capture traffic from either directions

net x.x.x.x/24

Capture traffic from

src net x.x.x.x/24

Capture traffic to

dst net x.x.x.x

Filter out all traffic except the port you specify:

port #

Will capture everything except the variable

not <variable>

Concatenate variables:

and

Grab traffic only within the range:

portrange x-x

Specify protocol filters:

ip / ether / tcp

Grabs a specific type of traffic:

broadcast / multicast / unicast

Display Filters

Capture only traffic pertaining to a certain host (OR statement)

ip.addr == x.x.x.x

Capture traffic pertaining to a specific network(OR statement)

ip.addr == x.x.x.x/24

Capture traffic to or from a specific host:

ip.src/dst == x.x.x.x

Filter traffic by protocol:

dns / tcp / ftp / arp / ip

Filter by a specific TCP port:

tcp.port == x

Will capture everything except the port specified:

src.port / dst.port ==x

AND will concatenate, OR will find either of two options, NOT will exclude your input option:

and / or / not

Follow a TCP session stream:

tcp.stream eq #

Will filter for any traffic matching the HTTP:

http

This filter will display any packet with a JPEG:

http && image-jfif

Filters for the FTP protocol:

ftp

Will filter for any control commands sent over FTP control channel:

ftp.request.command

Will show any objects transferred over FTP:

ftp-data

tshark

List available interfaces to capture from:

tshark -D

Capture on a selected interface:

tshark -i (int)

Apply a filter looking for a specific host:

tshark -i eth0 -f "host (ip)"

Will display any interfaces available to capture from and then exit out:

Will list the Link-layer mediums you can capture from and then exit out:

Defines a stop condition; Grab a specific number of packets, then quit the program :

Defines an auto-stop condition. It can be after a duration, specific file size, or after a certain number of packets:

Read from a file:

r (pcap-file)

Write into a file using the pcapng format:

W (pcap-file)

Will print the packet summary while writing into a file (-W):

Will add Hex and ASCII output into the capture:

Filters

Capture Filters

Display Filters

tshark

Identifiers

FTP Identifiers

Filters

Capture Filters

Display Filters

tshark

Identifiers

FTP Identifiers

`tshark`

`FTP` Identifiers

`tshark`

`FTP` Identifiers