Wiki

Wireshark Cheat Sheet

Revision as of 00:45, 1 November 2022 by Kangtain (talk | contribs) (Main Toolbar Items)

Default Columns In a Packet Capture Output

NAME DESCRIPTION
No. Frame number from the beginning of the packet capture
Time Seconds from the first frame
Source (src) Source address, commonly an IPv4, IPv6 or Ethernet address
Destination (dst) Destination address
Protocol Protocol used in the Ethernet frame, IP packet, or TC segment
Length Length of the frame in bytes

Logical Operators

OPERATOR DESCRIPTION EXAMPLE
and or && Logical AND All the conditions should match
or or || Logical OR Either all or one of the conditions should match
xor or ^^ Logical XOR Exclusive alterations – only one of the two conditions should match not both
not or ! Not (Negation) Not equal to
[ n ] [ … ] Substring operator Filter a specific word or text

Filtering Packets (Display Filters)

OPERATOR DESCRIPTION EXAMPLE
eq or == Equal ip.dest  ==  192.168.1.1
ne or != Not equal ip.dest  !=   192.168.1.1
gt or > Greater than frame.len   >   10
it or < less than frame.len  <   10
ge or >= Greater than or equal frame.len  >=   10
le or <= Less than or equal frame.len  <=   10

Filter Types

NAME DESCRIPTION
Capture filter Filter packets during capture
Display filter Hide packets from a capture display

Wireshark Capturing Modes

NAME DESCRIPTION
Promiscuous mode Sets interface to capture all packets on a network segment to which it is associated to
Monitor mode Setup the wireless interface to capture all traffic it can receive (Unix/ Linux only)

Miscellaneous

NAME DESCRIPTION
Slice Operator [ … ] – Range of values
Membership Operator {} – In
CTRL+E Start/Stop Capturing

Capture Filter Syntax

SYNTAX PROTOCOL DIRECTION HOSTS VALUE LOGICAL OPERATOR EXPRESSIONS
Example tcp src 192.168.1.1 80 and tcp dst 202.164.30.1

Display Filter Syntax

SYNTAX PROTOCOL STRING 1 STRING 2 COMPARISON OPERATOR VALUE LOGICAL OPERATOR EXPRESSIONSE
Example http dest ip == 192.168.1.1 and tcp port

Keyboard Shortcuts – Main Display Window

ACCELERATOR DESCRIPTION ACCELERATOR DESCRIPTION
Tab or Shift+Tab Move between screen elements, e.g. from the toolbars to the packet list to the packet detail. Alt+→ or Option→ Move to the next packet in the selection history.
Move to the next packet or detail item. In the packet detail, opens the selected tree item.
Move to the previous packet or detail item. Shift+→ In the packet detail, opens the selected tree items and all of its subtrees.
Ctrl+ ↓ or F8 Move to the next packet, even if the packet list isn’t focused. Ctrl+→ In the packet detail, opens all tree items.
Ctrl+ ↑ Or F7 Move to the previous packet, even if the packet list isn’t focused Ctrl+← In the packet detail, closes all the tree
Ctrl+. Move to the next packet of the conversation (TCP, UDP or IP). Backspace In the packet detail, jumps to the parent node.
Ctrl+, Move to the previous packet of the conversation (TCP, UDP or IP). Return or Enter In the packet detail, toggles the selected tree item.

Protocols – Values

Common Filtering Commands

USAGE FILTER SYNTAX
Wireshark Filter by IP ip.add == 10.10.50.1
Filter by Destination IP ip.dest == 10.10.50.1
Filter by Source IP ip.src == 10.10.50.1
Filter by IP range ip.addr >= 10.10.50.1 and ip.addr <=10.10.50.100
Filter by Multiple Ips ip.addr == 10.10.50.1 and ip.addr == 10.10.50.100
Filter out IP adress ! (ip.addr == 10.10.50.1)
Filter subnet ip.addr == 10.10.50.1/24
Filter by port tcp.port == 25
Filter by destination port tcp.dstport == 23
Filter by ip adress and port ip.addr == 10.10.50.1 and Tcp.port == 25
Filter by URL http.host == “host name”
Filter by time stamp frame.time >= “June 02, 2019 18:04:00”
Filter SYN flag Tcp.flags.syn == 1 and tcp.flags.ack ==0
Wireshark Beacon Filter wlan.fc.type_subtype = 0x08
Wireshark broadcast filter eth.dst == ff:ff:ff:ff:ff:ff
Wireshark multicast filter (eth.dst[0] & 1)
Host name filter ip.host = hostname
MAC address filter eth.addr == 00:70:f4:23:18:c4
RST flag filter tcp.flag.reset == 1

Main Toolbar Items

TOOLBAR ICON TOOLBAR ITEM MENU ITEM DESCRIPTION
  Start Capture → Start Uses the same packet capturing options as the previous session, or uses defaults if no options were set
  Stop Capture → Stop Stops currently active capture
  Restart Capture → Restart Restart active capture session
  Options… Capture → Options… Opens “Capture Options” dialog box
  Open… File →open… Opens “File open” dialog box to load a capture for viewing
  Save As… File → Save As… Save current capture file
  Close File →Close Close current capture file
  Reload View → Reload Reload current capture file
  Find Packet… Edit →Find Packet… Find packet based on different criteria
  Go Back Go → Go back Jump back in the packet history
  Go Forward Go → Go Forward Jump forward in the packet history
  Go to Packet… Go → Go to Packet… Go to specific packet
  Go to First Packet Go → Go to First Packet Jump to first packet of the capture file
Go to last Packet Go → Go to last Packet Jump to last packet of the capture file
Auto Scroll in Live Capture View → Auto Scroll in Live Capture Auto scroll packet list during live capture
Colorize View → Colorize Colorize the packet list (or not)
Zoom In View → Zoom In Zoom into the packet data (increase the font size)
Zoom Out View → Zoom Out Zoom out of the packet data (decrease the font size)
Normal Size View → Normal Size Set zoom level back to 100%
Resize Columns View → Resize Columns Resize columns, so the content fits the width

Source

Retrieved from "https://kangtain.com/wiki/index.php?title=Wireshark_Cheat_Sheet&oldid=6368"