🦈Wireshark
Capture Filters
Capture traffic from host
host x.x.x.x
Capture traffic to or from a network (either direction):
net x.x.x.x/24
Capture traffic from a source network:
src net x.x.x.x/24
Capture traffic to a destination network:
dst net x.x.x.x
Filter out all traffic except the port you specify:
port #
Capture everything except what the given expression matches:
not <expression>
Combine expressions (both must match):
and
Grab traffic only within the range:
portrange x-x
Specify protocol filters:
ip / ether / tcp
Grabs a specific type of traffic:
broadcast / multicast / unicast
Display Filters
Display only traffic to or from a certain host (matches either the source or the destination address, i.e. an OR of both):
ip.addr == x.x.x.x
Display traffic to or from a specific network (matches either address):
ip.addr == x.x.x.x/24
Display traffic from a specific source host, or to a specific destination host:
ip.src == x.x.x.x / ip.dst == x.x.x.x
Filter traffic by protocol:
dns / tcp / ftp / arp / ip / http
Filter by a specific TCP port:
tcp.port == x
Filter by TCP source port or destination port:
tcp.srcport == x / tcp.dstport == x
and requires both conditions, or matches either of two conditions, not excludes the condition you give:
and / or / not
Follow a TCP session stream:
tcp.stream eq #
Display any HTTP packet carrying a JPEG (JFIF) image:
http && image-jfif
tshark
List available interfaces to capture from:
tshark -D
Capture on a selected interface:
tshark -i <interface>
Apply a capture filter looking for a specific host:
tshark -i eth0 -f "host x.x.x.x"
List the interfaces available to capture from, then exit:
-D
List the link-layer types the interface can capture, then exit:
-L
Stop condition: capture a specific number of packets, then quit:
-c <packet count>
Auto-stop condition: stop after a duration, a file size, or a number of packets:
-a duration:<seconds> / -a filesize:<KB> / -a packets:<count>
Read from a file:
-r <pcap-file>
Write to a file (pcapng format by default):
-w <pcap-file>
Also print the packet summary while writing to a file (-w):
-P
Add hex and ASCII dump output for each packet:
-x
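The primitives above are listed one at a time; the following added example (not part of the original cheat sheet) shows how a practitioner combines them: a capture filter built from net, a protocol and a not port exclusion, a full tshark capture command with an auto-stop duration and a pcapng output file, and a read-back command applying a display filter with -Y. The interface eth0, the network 10.0.0.0/24, the file name capture.pcapng and the filter values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet. Builds tshark command
# lines from the capture-filter and display-filter primitives listed above.
# Interface, network and file names below are constructed placeholders.

# build_capture_filter NET PROTO EXCLUDED_PORT
# Combines three BPF primitives with "and" / "not":
#   net NET        -> traffic to or from the network (either direction)
#   PROTO          -> protocol filter, e.g. tcp
#   not port N     -> drop the excluded port (e.g. the analyst's own SSH session)
build_capture_filter() {
    net="$1"
    proto="$2"
    excluded_port="$3"
    printf 'net %s and %s and not port %s' "$net" "$proto" "$excluded_port"
}

# build_tshark_cmd IFACE FILTER SECONDS OUTFILE
# -i selects the interface, -f applies the capture filter, -a duration:N is
# the auto-stop condition, -w writes pcapng, -P still prints summaries.
build_tshark_cmd() {
    iface="$1"
    filter="$2"
    seconds="$3"
    outfile="$4"
    printf 'tshark -i %s -f "%s" -a duration:%s -w %s -P' \
        "$iface" "$filter" "$seconds" "$outfile"
}

# build_read_cmd INFILE DISPLAY_FILTER
# -r reads the saved capture back; -Y applies a Wireshark display filter
# (display-filter syntax such as ip.addr == ... or tcp.stream eq N).
build_read_cmd() {
    infile="$1"
    display_filter="$2"
    printf 'tshark -r %s -Y "%s"' "$infile" "$display_filter"
}

# Demonstration: show the commands instead of running them, so this works
# on a machine without tshark installed.
capture_filter=$(build_capture_filter 10.0.0.0/24 tcp 22)
echo "$(build_tshark_cmd eth0 "$capture_filter" 60 capture.pcapng)"
echo "$(build_read_cmd capture.pcapng 'ip.addr == 10.0.0.5 && tcp.port == 80')"
echo "$(build_read_cmd capture.pcapng 'tcp.stream eq 3')"
```

Excluding your own management port in the capture filter (rather than in a display filter) keeps that traffic out of the saved file entirely; the display filter on read-back then narrows the view without touching what was captured.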