Wireshark Cheat Sheet
The Ultimate Guide for Network Protocol Analysis
Introduction to Wireshark
Wireshark is the world’s foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It’s the de facto standard across many industries and educational institutions.
Key Features
- Deep inspection of hundreds of protocols
- Live capture and offline analysis
- Multi-platform: Windows, Linux, macOS, etc.
- Rich VoIP analysis
- Powerful display filters
- Read/write many capture file formats
Wireshark Interface Components
- Packet List Pane (top)
- Packet Details Pane (middle)
- Packet Bytes Pane (bottom)
- Display Filter Bar
- Status Bar
- Capture Options
Pro Tip
Use the official Wireshark Sample Captures for practice: https://wiki.wireshark.org/SampleCaptures
Capture Filters (BPF Syntax)
Capture filters limit what traffic is captured, reducing file size and resource usage. They use Berkeley Packet Filter (BPF) syntax.
Filter | Description |
---|---|
host 192.168.1.1 | Capture traffic to/from IP 192.168.1.1 |
net 192.168.0.0/24 | Capture traffic on subnet 192.168.0.0/24 |
port 80 | Capture traffic on port 80 (HTTP) |
port 80 or port 443 | Capture HTTP or HTTPS traffic |
not port 53 | Capture everything except DNS traffic |
tcp | Capture only TCP traffic |
udp | Capture only UDP traffic |
ether host 00:11:22:33:44:55 | Capture by MAC address |
ip | Capture only IPv4 traffic |
ip6 | Capture only IPv6 traffic |
vlan | Capture only VLAN traffic |
tcp port 80 and host 192.168.1.1 | HTTP traffic to/from specific host |
Pro Tip
For high-volume captures, use capture filters to reduce the load on your system and make analysis easier.
Display Filters (Wireshark-specific syntax)
Display filters show only relevant traffic after capture, using Wireshark’s display filter syntax.
Basic Display Filter Syntax
Operator | Description | Example |
---|---|---|
== or eq | Equal to | ip.addr == 192.168.1.1 |
!= or ne | Not equal to | ip.addr != 192.168.1.1 |
> or gt | Greater than | frame.len > 1500 |
< or lt | Less than | tcp.window_size < 1000 |
>= or ge | Greater than or equal to | frame.time_delta >= 1 |
<= or le | Less than or equal to | tcp.len <= 40 |
&& or and | Logical AND | ip.src == 192.168.1.1 and tcp.port == 80 |
|| or or | Logical OR | http or dns |
! or not | Logical NOT | !arp or not arp |
() | Grouping expressions | (http or https) and ip.addr==192.168.1.1 |
Common Display Filters
Filter | Description |
---|---|
ip.addr == 192.168.1.1 | IP address (source or destination) |
ip.src == 192.168.1.1 | Source IP address |
ip.dst == 192.168.1.1 | Destination IP address |
tcp.port == 80 | TCP port (source or destination) |
tcp.srcport == 80 | TCP source port |
http | Show HTTP traffic |
http.request | Show HTTP requests |
http.response | Show HTTP responses |
http.response.code == 404 | Show HTTP 404 responses |
tcp.flags.syn == 1 | Show SYN packets |
tcp.flags.reset == 1 | Show RST packets |
icmp | Show ICMP (ping) traffic |
dns | Show DNS traffic |
dns.qry.name contains "google" | DNS queries whose name contains "google" |
frame contains "password" | Frames containing the text "password" (case-sensitive byte match) |
tcp.analysis.retransmission | Show retransmitted packets |
tcp.analysis.flags | Show problematic TCP packets |
_ws.col.Info contains "GET" | Info column contains "GET" |
eth.addr == 00:11:22:33:44:55 | Traffic with specific MAC address |
Pro Tip
Use right-click → Apply as Filter → Selected on any field to quickly create a display filter based on that field.
Coloring Rules
Wireshark uses colors to help identify different types of traffic at a glance.
Default Color Scheme
Color | Traffic Type | Filter |
---|---|---|
Light blue | TCP traffic | tcp |
Light green | UDP traffic | udp |
Light purple | TCP SYN/FIN | tcp.flags & 0x02 || tcp.flags & 0x01 |
Light red | TCP problems | tcp.analysis.flags |
Light yellow | Client-server conversations | Various |
Light orange | HTTP, DNS, etc. | Various |
Customizing Coloring Rules
Go to View → Coloring Rules to create custom coloring rules. Rules at the top take precedence over rules below them.
Protocol-Specific Analysis
Filter | Description |
---|---|
http.request.method == "GET" | HTTP GET requests |
http.request.method == "POST" | HTTP POST requests |
http.response.code == 200 | HTTP OK responses |
http.response.code == 404 | HTTP Not Found responses |
http.request.uri contains "login" | Requests with "login" in the URI |
http.host == "example.com" | Traffic to a specific host |
http.user_agent contains "Mozilla" | Traffic with a specific User-Agent |
Analyzing HTTP Traffic: Use Statistics → HTTP → Requests to view HTTP statistics. Export HTTP objects with File → Export Objects → HTTP.
Filter | Description |
---|---|
dns.qry.name == "example.com" | DNS queries for example.com |
dns.resp.name == "example.com" | DNS responses for example.com |
dns.qry.type == 1 | DNS A record queries |
dns.qry.type == 28 | DNS AAAA record queries |
dns.flags.rcode != 0 | DNS error responses |
dns.flags.rcode == 3 | DNS Name Error (NXDOMAIN) |
dns.resp.ttl < 60 | DNS responses with short TTL |
DNS Statistics: Use Statistics → DNS to view statistics on DNS servers, domain names, and response codes.
Filter | Description |
---|---|
tcp.analysis.retransmission | TCP retransmissions |
tcp.analysis.duplicate_ack | TCP duplicate ACKs |
tcp.analysis.lost_segment | TCP lost segments |
tcp.analysis.out_of_order | TCP out-of-order segments |
tcp.analysis.zero_window | TCP zero window (flow control) |
tcp.flags.syn==1 && tcp.flags.ack==0 | TCP SYN packets (connection start) |
tcp.flags.fin==1 | TCP FIN packets (connection end) |
tcp.flags.reset==1 | TCP RST packets (connection abort) |
TCP Flow Analysis: Use Statistics → Flow Graph to visualize TCP conversations and Statistics → TCP Stream Graphs for detailed TCP performance analysis.
Filter | Description |
---|---|
tls | All TLS/SSL traffic |
tls.handshake | TLS handshake messages |
tls.handshake.type == 1 | Client Hello messages |
tls.handshake.type == 2 | Server Hello messages |
tls.handshake.ciphersuite | TLS cipher suites |
tls.alert.description | TLS alert messages |
tls.record.version | TLS version used |
Decrypting TLS: Configure TLS decryption in Edit → Preferences → Protocols → TLS. You'll need either the server's private key or the (pre-)master secrets to decrypt the traffic. Note that a private key only works for RSA key exchange; with (EC)DHE or TLS 1.3 you need the secrets, typically a key log file written by the client via SSLKEYLOGFILE.
Filter | Description |
---|---|
icmp | All ICMP traffic |
icmp.type == 8 | ICMP Echo Request (ping) |
icmp.type == 0 | ICMP Echo Reply (ping response) |
icmp.type == 3 | ICMP Destination Unreachable |
icmp.type == 11 | ICMP Time Exceeded |
icmp.type == 3 && icmp.code == 1 | ICMP Host Unreachable (code 1 is only meaningful with type 3) |
icmp.type == 3 && icmp.code == 4 | ICMP Fragmentation Needed (code 4 of type 3; useful for PMTU problems) |
ICMP Statistics: Use Statistics → Protocol Hierarchy to view ICMP traffic statistics and identify anomalies.
Filter | Description |
---|---|
arp | All ARP traffic |
arp.opcode == 1 | ARP Requests |
arp.opcode == 2 | ARP Replies |
arp.src.hw_mac == 00:11:22:33:44:55 | ARP traffic from specific MAC |
arp.dst.proto_ipv4 == 192.168.1.1 | ARP traffic for specific IP |
ARP Spoofing Detection: Look for multiple ARP replies for the same IP address or unexpected MAC address changes.
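The check described above can be automated against a tshark field export. The following is an added example, not code from the cheat sheet or the Wireshark project. It assumes the input was produced by `tshark -r capture.pcap -Y "arp.opcode == 2" -T fields -E separator=/t -e frame.time_epoch -e arp.src.hw_mac -e arp.src.proto_ipv4` (one ARP reply per line, tab-separated); the function names and the SAMPLE lines are constructed for the example.

```python
"""Flag ARP replies in which one IP address is claimed by more than one MAC.

Added example (not part of the cheat sheet or of Wireshark). Input format assumed:
tab-separated lines of <frame.time_epoch> <arp.src.hw_mac> <arp.src.proto_ipv4>, as
printed by the tshark command named in the lead-in. SAMPLE below is constructed.
"""
from collections import defaultdict

# Constructed sample: 192.168.1.1 is first answered by one MAC, then by another.
SAMPLE = """\
1700000000.10\t00:11:22:33:44:55\t192.168.1.1
1700000000.50\t00:11:22:33:44:55\t192.168.1.1
1700000001.00\t66:77:88:99:aa:bb\t192.168.1.1
1700000001.20\t66:77:88:99:aa:bb\t192.168.1.1
1700000002.00\tde:ad:be:ef:00:01\t192.168.1.20
"""


def parse_arp_replies(text):
    """Yield (time, mac, ip) from tab-separated tshark output, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not all(parts):
            continue  # tshark prints an empty field when a packet lacks it
        t, mac, ip = parts
        yield float(t), mac.lower(), ip


def find_arp_conflicts(text):
    """Return {ip: [(first_seen, mac), ...]} for every IP claimed by more than one MAC."""
    first_seen = defaultdict(dict)  # ip -> {mac: first timestamp it claimed the ip}
    for t, mac, ip in parse_arp_replies(text):
        first_seen[ip].setdefault(mac, t)
    return {ip: sorted((t, m) for m, t in macs.items())
            for ip, macs in first_seen.items() if len(macs) > 1}


def mac_changes(text):
    """Return (time, ip, old_mac, new_mac) events, one per change of the MAC answering for ip."""
    current = {}
    events = []
    for t, mac, ip in parse_arp_replies(text):
        prev = current.get(ip)
        if prev is not None and prev != mac:
            events.append((t, ip, prev, mac))
        current[ip] = mac
    return events


if __name__ == "__main__":
    for ip, claims in find_arp_conflicts(SAMPLE).items():
        print(f"{ip} claimed by {len(claims)} MACs: " + ", ".join(m for _, m in claims))
    for t, ip, old, new in mac_changes(SAMPLE):
        print(f"{t:.2f} {ip}: {old} -> {new}")
```

A legitimate change (a replaced NIC, a failover of a virtual IP) also shows up here, so the report is a starting point for investigation, not proof of spoofing; correlate the timestamps with change records before acting on it.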
Pro Tip
Use Statistics → Conversations to analyze traffic between specific hosts and identify top talkers.
Keyboard Shortcuts
Mastering Wireshark’s keyboard shortcuts can significantly speed up your analysis workflow.
Shortcut | Description |
---|---|
Ctrl + E | Start/Stop capture |
Ctrl + K | Open Capture Options |
Ctrl + F | Open Find Packet dialog |
Ctrl + G | Go to specific packet number |
Ctrl + I | Open Capture Interfaces dialog |
Ctrl + M | Mark/Unmark packet |
Ctrl + N | Go to next packet |
Ctrl + P | Go to previous packet |
Ctrl + R | Reload current capture file |
Ctrl + T | Open Time Display Format menu |
Ctrl + W | Close current capture file |
Ctrl + Shift + F | Apply display filter |
Ctrl + Shift + C | Clear display filter |
Ctrl + Shift + D | Duplicate current packet |
Ctrl + Shift + N | Go to next marked packet |
Ctrl + Shift + P | Go to previous marked packet |
Ctrl + Shift + T | Open Time Reference menu |
Ctrl + Alt + Shift + T | Set time reference |
Ctrl + Alt + Shift + U | Unset time reference |
Ctrl + Alt + Shift + N | Go to next time reference |
Ctrl + Alt + Shift + P | Go to previous time reference |
Pro Tip
Use Ctrl + L to quickly focus on the display filter bar.
Statistics & Analysis Tools
Wireshark provides powerful statistical tools to analyze network traffic patterns and performance.
Key Statistics Tools
Tool | Description |
---|---|
Statistics → Protocol Hierarchy | Breakdown of traffic by protocol |
Statistics → Conversations | Traffic between specific hosts |
Statistics → Endpoints | Traffic to/from specific hosts |
Statistics → HTTP | HTTP request/response statistics |
Statistics → DNS | DNS query/response statistics |
Statistics → IO Graphs | Visualize traffic patterns over time |
Statistics → Flow Graph | Visualize TCP/UDP conversations |
Statistics → TCP Stream Graphs | Detailed TCP performance analysis |
Statistics → Packet Lengths | Distribution of packet sizes |
Statistics → Service Response Time | Response times for various protocols |
Pro Tip
Use Statistics → IO Graphs to identify traffic spikes, drops, or patterns over time.
Common Troubleshooting Scenarios
Wireshark can help diagnose and troubleshoot various network issues.
Common Issues and Filters
Issue | Filter | Description |
---|---|---|
High Latency | tcp.analysis.ack_rtt > 0.1 | TCP ACKs with RTT > 100ms |
Retransmissions | tcp.analysis.retransmission | TCP retransmissions |
Duplicate ACKs | tcp.analysis.duplicate_ack | TCP duplicate ACKs |
Out-of-Order Packets | tcp.analysis.out_of_order | TCP out-of-order packets |
Zero Window | tcp.analysis.zero_window | TCP zero window (flow control) |
Connection Resets | tcp.flags.reset == 1 | TCP RST packets |
DNS Issues | dns.flags.rcode != 0 | DNS error responses |
HTTP Errors | http.response.code >= 400 | HTTP error responses |
ICMP Errors | icmp.type == 3 || icmp.type == 11 | ICMP Destination Unreachable or Time Exceeded |
Pro Tip
Use Expert Info (Analyze → Expert Info) to quickly identify potential issues in the capture.
TShark (Command Line)
TShark is the command-line version of Wireshark, useful for scripting and automation.
Common TShark Commands
Command | Description |
---|---|
tshark -i eth0 | Capture on interface eth0 |
tshark -r file.pcap | Read from a capture file |
tshark -Y "http" | Apply display filter (HTTP) |
tshark -T fields -e ip.src -e ip.dst | Extract specific fields |
tshark -z conv,tcp | Show TCP conversations |
tshark -z http_req,tree | Show HTTP request statistics |
tshark -z dns,tree | Show DNS statistics |
tshark -z io,phs | Show protocol hierarchy statistics |
tshark -z expert | Show expert information |
tshark -G fields | Dump the glossary of display filter fields (tshark -G with no argument lists the available report types) |
Pro Tip
Use tshark -D to list available interfaces for capture.
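The troubleshooting filters from the previous section and the `tshark -T fields` export above combine into a scriptable triage pass. The following is an added example, not code from the cheat sheet or from Wireshark: `build_tshark_cmd()` assembles the tshark invocation (all options used are real tshark `-E` options), and `summarise()` applies the cheat sheet's thresholds to the CSV that invocation prints. The SAMPLE text stands in for that CSV and is constructed, not real capture output.

```python
"""Triage a capture from a tshark CSV field export (added example, not Wireshark code).

Assumed pipeline:  tshark <argv from build_tshark_cmd()> > fields.csv ; summarise(open(...).read())
SAMPLE is a constructed stand-in for fields.csv.
"""
import csv
import io
from collections import Counter

# Fields exported per packet. All are numeric or boolean, so they print a value
# whenever the packet carries them and an empty string otherwise.
FIELDS = ["frame.number", "ip.src", "ip.dst", "tcp.analysis.ack_rtt",
          "tcp.flags.reset", "dns.flags.rcode", "http.response.code", "icmp.type"]


def build_tshark_cmd(pcap, display_filter=None):
    """argv for one tshark run that exports FIELDS as CSV with a header row."""
    cmd = ["tshark", "-r", pcap, "-T", "fields",
           "-E", "header=y", "-E", "separator=,", "-E", "quote=d",
           "-E", "occurrence=f"]  # first occurrence only: ICMP errors embed a 2nd IP header
    if display_filter:
        cmd += ["-Y", display_filter]
    for f in FIELDS:
        cmd += ["-e", f]
    return cmd


# Constructed sample output (frame 2: slow ACK, 3: RST, 4: NXDOMAIN, 6: HTTP 503, 7: ICMP unreachable).
SAMPLE = """\
frame.number,ip.src,ip.dst,tcp.analysis.ack_rtt,tcp.flags.reset,dns.flags.rcode,http.response.code,icmp.type
1,10.0.0.5,10.0.0.9,0.003,False,,,
2,10.0.0.9,10.0.0.5,0.250,False,,,
3,10.0.0.9,10.0.0.5,,True,,,
4,10.0.0.53,10.0.0.5,,,3,,
5,10.0.0.53,10.0.0.5,,,0,,
6,10.0.0.9,10.0.0.5,0.004,0,,503,
7,10.0.0.1,10.0.0.5,,,,,3
8,10.0.0.1,10.0.0.5,,,,,8
"""


def _is_true(value):
    """Boolean fields print as 1/0 in older tshark and True/False in newer ones."""
    return value.strip().lower() in ("1", "true")


def summarise(csv_text, rtt_threshold=0.1):
    """Count issues per the cheat-sheet filters; also tally which peers produce slow ACKs."""
    counts = Counter()
    slow_peers = Counter()  # (src, dst) -> number of ACKs above rtt_threshold
    for row in csv.DictReader(io.StringIO(csv_text)):
        rtt = row["tcp.analysis.ack_rtt"]
        if rtt and float(rtt) > rtt_threshold:          # tcp.analysis.ack_rtt > 0.1
            counts["high_latency"] += 1
            slow_peers[(row["ip.src"], row["ip.dst"])] += 1
        if _is_true(row["tcp.flags.reset"]):           # tcp.flags.reset == 1
            counts["tcp_reset"] += 1
        rcode = row["dns.flags.rcode"]
        if rcode and int(rcode) != 0:                  # dns.flags.rcode != 0
            counts["dns_error"] += 1
        code = row["http.response.code"]
        if code and int(code) >= 400:                  # http.response.code >= 400
            counts["http_error"] += 1
        itype = row["icmp.type"]
        if itype and int(itype) in (3, 11):            # icmp.type == 3 || icmp.type == 11
            counts["icmp_error"] += 1
    return counts, slow_peers


if __name__ == "__main__":
    print(" ".join(build_tshark_cmd("capture.pcap", "tcp or dns or http or icmp")))
    counts, slow = summarise(SAMPLE)
    for issue, n in sorted(counts.items()):
        print(f"{issue:14s} {n}")
    for (src, dst), n in slow.most_common(5):
        print(f"slow ACKs {src} -> {dst}: {n}")
```

Exporting fields once and post-processing them is cheaper than re-reading the pcap with a different `-Y` per issue, and the header row keeps the script robust if the field order in FIELDS changes. The boolean-format caveat in `_is_true` matters in practice: scripts written against older tshark output silently stop matching RST packets after an upgrade.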
Best Practices
Follow these best practices to get the most out of Wireshark.
General Best Practices
- Use capture filters to reduce noise and focus on relevant traffic.
- Save captures regularly to avoid data loss.
- Use display filters to narrow down analysis.
- Leverage Wireshark’s statistical tools for high-level analysis.
- Use coloring rules to quickly identify important traffic.
- Export objects (HTTP, SMB, etc.) for further analysis.
- Use TShark for scripting and automation.
- Keep Wireshark updated to the latest version.
- Use Edit → Preferences to customize Wireshark’s behavior.
- Document your findings and share captures with colleagues for collaboration.
Pro Tip
Use Capture → Options → Output to automatically save captures to a file during long captures.