Networks

Wireshark Filter Guide for Network Protocol Analysis

This guide provides an overview of general and specific display filters for common network protocols such as HTTP, DNS, ICMP and FTP. Use them in Wireshark's filter bar during analysis to isolate specific traffic types or packet attributes. They are display filters (Wireshark's own syntax, applied to packets already captured), not capture filters (BPF syntax such as port 80, applied at capture time); the two syntaxes are not interchangeable.

1. General Filters

Table 1

No.  Protocol         Filter  Description
1    HTTP Traffic     http    All HTTP traffic (requests and responses)
2    DNS Traffic      dns     All DNS traffic (queries and responses)
3    ICMP Traffic     icmp    All ICMP traffic (ping requests and replies)
4    FTP Traffic      ftp     All FTP control-channel traffic (commands and replies); file contents travel on a separate data connection, matched by ftp-data
5    TCP Traffic      tcp     All TCP traffic
6    UDP Traffic      udp     All UDP traffic
7    TLS/SSL Traffic  tls     All TLS/SSL traffic (Wireshark 3.0 and later; older versions use ssl)

For FTP

The FTP control channel is cleartext, so these filters expose usernames, passwords and file names directly. The command is in ftp.request.command and its argument in ftp.request.arg; replies are in ftp.response.code and ftp.response.arg.

Type               Tag                    Filter
Username           USER                   ftp.request.command == "USER"
Password           PASS                   ftp.request.command == "PASS"
Storage or Upload  STOR                   ftp.request.command == "STOR"
Transfer complete  226 Transfer complete  ftp.response.code == 226

2. Specific Filters

Table 2

No.  Protocol/Step        Filter                                    Description
1    TCP SYN Packets      tcp.flags.syn == 1 && tcp.flags.ack == 0  SYN only (connection initiation)
2    TCP SYN-ACK Packets  tcp.flags.syn == 1 && tcp.flags.ack == 1  SYN-ACK (the server's answer to the SYN)
3    TCP ACK Packets      tcp.flags.ack == 1 && tcp.flags.syn == 0  ACK set and SYN clear: the final handshake packet and every later data or ACK segment
4    HTTP Request         http.request                              HTTP requests sent by the client
5    HTTP Response        http.response                             HTTP responses from the server
6    DNS Query            dns.flags.response == 0                   DNS queries (client asks for a name to be resolved)
7    DNS Response         dns.flags.response == 1                   DNS responses (server answers, e.g. with an IP address)
8    ICMP Echo Request    icmp.type == 8                            ICMP echo requests (ping requests)
9    ICMP Echo Reply      icmp.type == 0                            ICMP echo replies (ping replies)
10   FTP Command          ftp.request == 1                          FTP commands sent by the client on the control channel
11   FTP Response         ftp.response == 1                         FTP reply codes from the server

Compare flag values explicitly. A bare field name such as tcp.flags.ack is a presence test, and every TCP segment carries that field, so tcp.flags.syn == 1 && !tcp.flags.ack matches nothing; tcp.flags.ack == 0 is what is meant. Row 3 also matches far more than the handshake: to see only its final ACK, add tcp.seq == 1 && tcp.ack == 1 && tcp.len == 0 (relative sequence numbers, which Wireshark enables by default).

3. Port-Specific Filters

Table 3

No.  Service/Port                 Filter           Description
1    HTTP (Port 80)               tcp.port == 80   TCP traffic with port 80 at either end (tcp.port matches source or destination)
2    HTTPS (Port 443)             tcp.port == 443  TLS traffic on port 443; HTTP/3 runs over QUIC, so add udp.port == 443 to see it
3    DNS (Port 53)                udp.port == 53   DNS over UDP; zone transfers and large answers use TCP, so use tcp.port == 53 || udp.port == 53, or simply dns
4    FTP Command (Port 21)        tcp.port == 21   FTP control channel
5    FTP Data Transfer (Port 20)  tcp.port == 20   FTP data connections in active mode only; in passive mode the server assigns an ephemeral port in its 227 reply, so use ftp-data, which follows the negotiated port

Port filters only see services on their default ports. A service moved to another port needs the protocol filter (http, dns) or Analyze → Decode As… before Wireshark dissects it.
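As an added example (not part of the original guide), the Python below parses a constructed FTP control-channel conversation the same way the FTP filters in section 1 carve it up: it pulls the USER/PASS pair and the STOR file acknowledged by 226, and decodes the 227 (passive) reply or the PORT (active) command into the ip.addr/tcp.port display filter for the data connection, which in passive mode never touches port 20. The server banner, the credentials, the file name and all function names are invented for the example.

```python
# Added example, not code from the original guide: parse a cleartext FTP control
# channel the way the FTP filters above isolate it (USER/PASS/STOR/226), and derive
# the display filter for the data connection, which in passive mode never uses port 20.
import re

# Constructed control-channel lines (not a real capture). In Wireshark the same
# tokens appear as ftp.request.command / ftp.request.arg and
# ftp.response.code / ftp.response.arg.
CONTROL_CHANNEL = """\
220-Welcome to the constructed FTP server
220 Ready
USER alice
331 Please specify the password.
PASS hunter2
230 Login successful.
PASV
227 Entering Passive Mode (192,168,1,20,195,80).
STOR secrets.zip
150 Ok to send data.
226 Transfer complete.
QUIT
221 Goodbye.
"""
HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_control(text):
    """Turn control-channel lines into (kind, command_or_code, argument) events,
    skipping the continuation lines of multi-line replies (RFC 959 "NNN-")."""
    events, open_reply = [], None
    for line in text.splitlines():
        if open_reply:                                 # inside "NNN-...": wait for "NNN "
            open_reply = None if line.startswith(open_reply + " ") else open_reply
            continue
        m = re.match(r"(\d{3})([ -]|$)(.*)", line)
        if m:
            code, sep, arg = m.groups()
            events.append(("response", int(code), arg))
            open_reply = code if sep == "-" else None
        else:
            cmd, _, arg = line.partition(" ")
            events.append(("request", cmd.upper(), arg))
    return events

def credentials(events):
    """USER/PASS pairs: what ftp.request.command == "USER" || ftp.request.command == "PASS" shows."""
    creds, user = [], None
    for kind, what, arg in events:
        if kind == "request" and what == "USER":
            user = arg
        elif kind == "request" and what == "PASS" and user is not None:
            creds.append((user, arg))
            user = None
    return creds

def completed_uploads(events):
    """STOR file names acknowledged by a later 226 (ftp.response.code == 226)."""
    done, pending = [], None
    for kind, what, arg in events:
        if kind == "request" and what == "STOR":
            pending = arg
        elif kind == "response" and what == 226 and pending is not None:
            done.append(pending)
            pending = None
    return done

def decode_hostport(text):
    """RFC 959 h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = map(int, HOSTPORT.search(text).groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_channel_filter(events):
    """Display filter for the data connection. Passive mode: the server's 227 reply
    names an ephemeral port, so tcp.port == 20 misses it. Active mode: the client's
    PORT command names the client-side port and the server connects from port 20."""
    for kind, what, arg in events:
        if kind == "response" and what == 227:
            ip, port = decode_hostport(arg)
            return f"ip.addr == {ip} && tcp.port == {port}"
        if kind == "request" and what == "PORT":
            ip, port = decode_hostport(arg)
            return f"ip.addr == {ip} && tcp.port == {port} && tcp.port == 20"
    return "ftp-data"  # nothing negotiated yet: fall back to Wireshark's ftp-data dissector
```

Running parse_control on the constructed conversation yields the pair ("alice", "hunter2"), the upload "secrets.zip", and the data-channel filter ip.addr == 192.168.1.20 && tcp.port == 50000 (195 * 256 + 80), which is the filter to type when tcp.port == 20 shows nothing for a passive-mode transfer. The same text is what Follow → TCP Stream displays for the port-21 connection.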

4. IP Address-Specific Filters

Table 4

No.  Filter Type     Filter                     Description
1    Source IP       ip.src == 192.168.1.10     Traffic sent from a specific IP address
2    Destination IP  ip.dst == 192.168.1.10     Traffic sent to a specific IP address
3    Subnet Traffic  ip.addr == 192.168.1.0/24  Traffic with either end in the subnet (e.g. 192.168.1.0/24); ip.addr matches source or destination, so ip.addr == 192.168.1.10 shows both directions of a host's traffic

5. Excluding Traffic

Table 5

No.  Filter Type            Filter             Description
1    Exclude Specific Port  !(tcp.port == 80)  Drops every packet that has port 80 at either end and keeps everything else, including non-TCP traffic

Negate with ! rather than with != on a two-sided field. In Wireshark 3.6 and later tcp.port != 80 also means "neither port is 80", but in older versions it meant "at least one port is not 80", which is true of almost every segment; !(tcp.port == 80) reads the same way in every version. The parentheses are optional, since ! applies to the whole comparison that follows it, but they make the intent obvious.

6. Combination Filters (Examples)

Table 6

No.  Scenario                                    Filter
1    DNS traffic from a specific source IP       dns && ip.src == 192.168.1.1
2    HTTP requests from a specific IP            http.request && ip.src == 192.168.1.10
3    ICMP requests and replies involving a host  icmp && ip.addr == 192.168.1.10
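The filters in sections 2, 4, 5 and 6 rest on three rules of the display-filter language: a bare field name is a presence test, two-sided fields such as tcp.port and ip.addr carry one value per endpoint, and ! negates the comparison that follows it. The toy evaluator below is an added example, not Wireshark code; it implements just enough of the syntax (&&, ||, !, parentheses, ==, != and !==, CIDR literals) to run those filters over six constructed packets and report which ones match. The field names are Wireshark's; the PACKETS list, the Parser class and the select() helper are the example's own.

```python
# Added example, not Wireshark code: a toy evaluator for a subset of Wireshark
# display-filter syntax, run over constructed packets (dicts of field -> value).
import ipaddress
import re

TOKEN = re.compile(r'\(|\)|&&|\|\||!==|==|!=|!|[A-Za-z_][\w.]*|"[^"]*"|[\d./]+')
PAIRS = {"tcp.port": ("tcp.srcport", "tcp.dstport"),  # two-sided fields: one value per endpoint
         "udp.port": ("udp.srcport", "udp.dstport"), "ip.addr": ("ip.src", "ip.dst")}
SYN, SYN_ACK, ACK = [{"tcp.flags.syn": s, "tcp.flags.ack": a} for s, a in ("10", "11", "01")]
QUERY, REPLY = {"dns.flags.response": "0"}, {"dns.flags.response": "1"}

def pkt(src, dst, proto, sport, dport, extra):
    """Constructed packet: IP endpoints, one transport layer, protocol-specific fields."""
    return {"ip.src": src, "ip.dst": dst, proto + ".srcport": sport,
            proto + ".dstport": dport, **extra}

# Constructed sample "capture" (not real traffic): a handshake with 93.184.216.34:80,
# a DNS exchange with 192.168.1.1, and one SSH segment arriving from 10.0.0.5.
PACKETS = [
    pkt("192.168.1.10", "93.184.216.34", "tcp", "51234", "80", SYN),      # 0
    pkt("93.184.216.34", "192.168.1.10", "tcp", "80", "51234", SYN_ACK),  # 1
    pkt("192.168.1.10", "93.184.216.34", "tcp", "51234", "80", ACK),      # 2
    pkt("192.168.1.10", "192.168.1.1", "udp", "40000", "53", QUERY),      # 3
    pkt("192.168.1.1", "192.168.1.10", "udp", "53", "40000", REPLY),      # 4
    pkt("10.0.0.5", "192.168.1.10", "tcp", "22", "50001", ACK),           # 5
]

def tokenize(expr):
    toks = TOKEN.findall(expr)
    if "".join(toks) != "".join(expr.split()):  # anything the toy grammar lacks is an error
        raise ValueError(f"unsupported syntax in {expr!r}")
    return toks

def field_values(packet, name):
    """Every value the field takes in the packet ([] if absent); a bare protocol
    name such as tcp or dns counts as present when any of its fields is."""
    if "." not in name:
        return ["present"] if any(k.split(".")[0] == name for k in packet) else []
    if name in PAIRS:
        return [v for sub in PAIRS[name] for v in field_values(packet, sub)]
    return [packet[name]] if name in packet else []

def equal(value, literal):
    """One field value against one literal; an a.b.c.d/n literal is a CIDR range."""
    literal = literal.strip('"')
    if "/" in literal:
        return ipaddress.ip_address(value) in ipaddress.ip_network(literal, strict=False)
    return value == literal

class Parser:
    """Recursive descent, lowest to highest precedence: ||, &&, !, comparison."""
    def __init__(self, expr):
        self.toks, self.i = tokenize(expr) + [None], 0  # None marks end of input
        self.ast = self._expr()
        if self.toks[self.i] is not None:
            raise ValueError(f"unexpected token {self.toks[self.i]!r}")
    def _take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def _expr(self):
        return self._binop("||", lambda: self._binop("&&", self._unary))
    def _binop(self, sym, below):
        node = below()
        while self.toks[self.i] == sym:
            self._take()
            node = (sym, node, below())
        return node
    def _unary(self):
        tok = self._take()
        if tok == "!":  # "!a == b" negates the whole comparison that follows
            return ("not", self._unary())
        if tok == "(":
            node = self._expr()
            assert self._take() == ")", "missing )"
            return node
        if self.toks[self.i] in ("==", "!=", "!=="):
            return ("cmp", tok, self._take(), self._take())
        return ("exists", tok)  # bare field name: presence test only, never a value test

def evaluate(node, packet):
    kind = node[0]
    if kind == "||":
        return evaluate(node[1], packet) or evaluate(node[2], packet)
    if kind == "&&":
        return evaluate(node[1], packet) and evaluate(node[2], packet)
    if kind == "not":
        return not evaluate(node[1], packet)
    if kind == "exists":
        return bool(field_values(packet, node[1]))
    _, name, op, literal = node
    hits = [equal(v, literal) for v in field_values(packet, name)]
    if op == "==":
        return any(hits)                     # any value equal
    if op == "!=":
        return bool(hits) and not any(hits)  # all values differ (Wireshark 3.6 and later)
    return any(not h for h in hits)          # "!==": any value differs (what "!=" meant before 3.6)

def select(expr, packets=PACKETS):
    """Indices of the packets matched by a display-filter expression."""
    ast = Parser(expr).ast
    return [i for i, p in enumerate(packets) if evaluate(ast, p)]
```

select() returns packet indices: tcp.flags.syn == 1 && tcp.flags.ack == 0 gives [0], while tcp.flags.syn == 1 && !tcp.flags.ack gives [] because tcp.flags.ack is present in every TCP segment. For the exclusion case, !(tcp.port == 80) returns [3, 4, 5] (the two DNS packets survive), tcp.port != 80 returns [5] (packets with no tcp.port at all are dropped), and tcp.port !== 80 returns [0, 1, 2, 5], every TCP segment with at least one non-80 port, which is what the pre-3.6 != did and why it excluded almost nothing.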

Best Practices:

Use Multiple Filters: Combine filters with && (and), || (or) and ! (not), grouping with parentheses, for more refined searches. For example, to capture DNS traffic from a specific source IP, you can use:
Filter: dns && ip.src == 192.168.1.1
Follow Streams: For protocols like HTTP or FTP, right-click on a TCP packet and select Follow → TCP Stream to view the entire conversation between the client and server. Wireshark applies a tcp.stream eq N filter while doing so, which you can reuse to isolate that one connection.
Save Filters: Save commonly used filters with the bookmark button at the left of the filter bar (or via Analyze → Display Filters…) so they are one click away later.