- Wireshark
- Wireshark Filter Options
- Comparison Operators
- Logical Operators
- Wireshark Examples
- MAC filter:
eth.addr, eth.dst, eth.src
- RIP password:
rip.auth.passwd
- IP:
ip.addr, ip.dst, ip.src
- IPv6:
ipv6.addr, ipv6.dst, ipv6.src
- TCP/UDP
- TCP ports:
tcp.port, tcp.dstport, tcp.srcport
- TCP flags:
tcp.flags.ack, tcp.flags.fin, tcp.flags.push, tcp.flags.reset, tcp.flags.syn, tcp.flags.urg
- UDP ports:
udp.port, udp.dstport, udp.srcport
- HTTP
- Basic authentication:
http.authbasic
- authentication challenge (WWW-Authenticate header):
http.www_authenticate
- data portion:
http.file_data
- cookie:
http.cookie
- referer:
http.referer
- Server:
http.server
- user agent string:
http.user_agent
- 802.11
- management frame:
wlan.fc.type eq 0
- control frame:
wlan.fc.type eq 1
- data frame:
wlan.fc.type_subtype eq 0x20 (or wlan.fc.type eq 2; decimal 20 would select a control-frame subtype)
- association request:
wlan.fc.type_subtype eq 0 (1=response)
- reassociation request:
wlan.fc.type_subtype eq 2 (3=response)
- probe request:
wlan.fc.type_subtype eq 4 (5=response)
- beacon:
wlan.fc.type_subtype eq 8
- disassociate:
wlan.fc.type_subtype eq 10
- authenticate:
wlan.fc.type_subtype eq 11 (12=deauthenticate)
- Comparison Operators:

| DESCRIPTION | ENGLISH | C-LIKE |
|---|---|---|
| equals | eq | == |
| not equals | ne | != |
| greater than | gt | > |
| less than | lt | < |
| greater than or equal to | ge | >= |
| less than or equal to | le | <= |

- Logical Operators:

| ENGLISH | C-LIKE |
|---|---|
| and | && |
| or | \|\| |
| xor | ^^ |
| not | ! |
- Wireshark Filter by IP:
ip.addr == 10.10.50.1
- Filter by Destination IP:
ip.dst == 10.10.50.1
- Filter by IP range:
ip.addr >= 10.10.50.1 and ip.addr <= 10.10.50.100
- Filter out IP address:
!(ip.addr == 10.10.50.1)
- Filter by port:
tcp.port == 25
- Filter by destination port:
tcp.dstport == 23
- Filter by IP address and port:
ip.addr == 10.10.50.1 and tcp.port == 25
- Filter SYN flag:
tcp.flags.syn == 1 and tcp.flags.ack == 0
- MAC address filter:
eth.addr == 00:70:f4:23:18:c4
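The operator tables and the filter examples above, exercised by a small evaluator added here as a worked example. It is not Wireshark's own display-filter engine and not code from this page: it implements only the subset shown (the English and C-like comparison and logical operators, parentheses, a bare field name as a presence test, and the two-sided fields eth.addr, ip.addr, tcp.port and udp.port), assumes a precedence of not, and, xor, or, and runs over three constructed packet records instead of a capture. `SAMPLE_PACKETS`, `apply_filter` and the other names are the example's own.

```python
"""Evaluator for the display-filter subset on this page (teaching code, not Wireshark's engine).
Accepts the English and C-like operators (eq/==, ne/!=, gt/>, lt/<, ge/>=, le/<=, and/&&,
or/||, xor/^^, not/!), parentheses, and a bare field name as a presence test (http.cookie).
Assumed precedence, tightest first: not, and, xor, or."""
import operator
import re
from ipaddress import ip_address

# Constructed sample packets (not captured traffic), keyed by Wireshark field names.
SAMPLE_PACKETS = [
    {"eth.src": "00:70:f4:23:18:c4", "eth.dst": "00:11:22:33:44:55", "ip.src": "10.10.50.1",   # 1: SYN to SMTP
     "ip.dst": "10.10.50.200", "tcp.srcport": 51000, "tcp.dstport": 25, "tcp.flags.syn": 1, "tcp.flags.ack": 0},
    {"eth.src": "00:11:22:33:44:55", "eth.dst": "00:70:f4:23:18:c4", "ip.src": "10.10.50.200",  # 2: SYN/ACK back
     "ip.dst": "10.10.50.1", "tcp.srcport": 25, "tcp.dstport": 51000, "tcp.flags.syn": 1, "tcp.flags.ack": 1},
    {"eth.src": "00:11:22:33:44:55", "eth.dst": "00:aa:bb:cc:dd:ee", "ip.src": "10.10.50.77",   # 3: telnet, cookie
     "ip.dst": "192.0.2.10", "tcp.srcport": 40000, "tcp.dstport": 23, "tcp.flags.syn": 0, "tcp.flags.ack": 1,
     "http.cookie": "session=abc"},
]
COMPARE = {"eq": operator.eq, "==": operator.eq, "ne": operator.ne, "!=": operator.ne,
           "gt": operator.gt, ">": operator.gt, "lt": operator.lt, "<": operator.lt,
           "ge": operator.ge, ">=": operator.ge, "le": operator.le, "<=": operator.le}
LOGICAL = {"and": "&&", "&&": "&&", "or": "||", "||": "||", "xor": "^^", "^^": "^^", "not": "!", "!": "!"}
COMBINED = {"eth.addr": ("eth.src", "eth.dst"), "ip.addr": ("ip.src", "ip.dst"),
            "tcp.port": ("tcp.srcport", "tcp.dstport"), "udp.port": ("udp.srcport", "udp.dstport")}
# Operator tokens are tried first so "<=10.10.50.100" splits; bare tokens may not contain operator chars.
TOKEN_RE = re.compile(r"\s*(\(|\)|&&|\|\||\^\^|!=|>=|<=|==|>|<|!|[^\s()=!<>&|^]+)")

def tokenize(text):
    tokens = TOKEN_RE.findall(text)
    if "".join(tokens) != re.sub(r"\s+", "", text):
        raise ValueError(f"cannot tokenize filter: {text!r}")
    return tokens

def expand(packet):
    """Add the two-sided fields (eth.addr, ip.addr, tcp.port, udp.port) as lists of both sides."""
    pkt = dict(packet)
    for combined, sides in COMBINED.items():
        if values := [pkt[k] for k in sides if k in pkt]:
            pkt[combined] = values
    return pkt

def typed_pair(value, literal):
    """Return (field value, literal) as comparable objects: int, IP address, or lowercase text."""
    if isinstance(value, int):
        return value, int(literal, 0)                   # decimal or 0x.. hex (type_subtype eq 0x20)
    try:
        return ip_address(value), ip_address(literal)   # numeric, so IP ranges compare correctly
    except ValueError:
        return str(value).lower(), literal.lower()      # MAC addresses and text, case-insensitive

def compare(packet, field, op, literal):
    """True if ANY occurrence of the field satisfies the comparison (Wireshark's classic rule), so
    'ip.addr != X' still matches packets where only one side is X; hence the page's '!(ip.addr == X)'."""
    if field not in packet:
        return False
    values = packet[field] if isinstance(packet[field], list) else [packet[field]]
    return any(COMPARE[op](*typed_pair(v, literal)) for v in values)

def parse(toks):
    """Recursive descent; `toks` is consumed from the front. Returns a small tuple tree."""
    def peek(): return toks[0] if toks else None
    def binary(ops, operand):
        left = operand()
        while LOGICAL.get(peek()) in ops:
            left = (LOGICAL[toks.pop(0)], left, operand())
        return left
    def expr():  # or < xor < and, each left-associative
        return binary({"||"}, lambda: binary({"^^"}, lambda: binary({"&&"}, unary)))
    def unary():
        tok = toks.pop(0) if toks else None
        if LOGICAL.get(tok) == "!":
            return ("!", unary())
        if tok == "(":
            node = expr()
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok == ")" or tok in LOGICAL or tok in COMPARE:
            raise ValueError(f"expected a field name, got {tok!r}")
        if peek() in COMPARE:
            op = toks.pop(0)
            if not toks:
                raise ValueError(f"missing value after {op!r}")
            return ("cmp", tok, op, toks.pop(0))
        return ("has", tok)
    node = expr()
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return node

def evaluate(node, packet):
    kind = node[0]
    if kind == "cmp":
        return compare(packet, *node[1:])
    if kind == "has":
        return node[1] in packet
    if kind == "!":
        return not evaluate(node[1], packet)
    left, right = evaluate(node[1], packet), evaluate(node[2], packet)
    return {"&&": left and right, "||": left or right, "^^": left != right}[kind]

def apply_filter(text, packets=SAMPLE_PACKETS):
    """Return the 1-based numbers of the packets a display filter selects."""
    tree = parse(tokenize(text))
    return [i for i, p in enumerate(packets, 1) if evaluate(tree, expand(p))]
```

Running the page's own filters through `apply_filter` shows why two forms that look equivalent are not: `ip.addr != 10.10.50.1` keeps every sample packet, because under the classic any-occurrence rule one side of each conversation differs from the address, while `!(ip.addr == 10.10.50.1)` drops both packets of the conversation. Wireshark 4.0 changed `!=` so that `a != b` means `!(a == b)`; the evaluator deliberately keeps the older rule so the difference stays visible when teaching the cheat sheet.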