Wireshark Filters for Beginners

# Sometimes, we technical specialists, engineers, and researchers have to pick up completely different tools and start examining network traffic under a magnifying glass. I’ve been using Microsoft tools for a long time, but besides those, this application is also in my toy box—it helps me live comfortably and work peacefully. I suggest we take a look at everything step by step. Let’s begin.

Wireshark comes with an enormous variety of filters. The documentation is extensive and not easy to digest. This guide compiles the most interesting and frequently used Wireshark filters for beginners. It can serve as a quick reference or a starting point for learning. You are also encouraged to share your frequently used or interesting filters in the comments.

Display vs. Capture Filters Note: This guide focuses on display filters—the ones you enter in the top field below the menu bar. Understanding network fundamentals is essential to interpret filters correctly. For this, refer to networking basics like “How Computer Networks Work.”

Some filters are generalized; others are specific. You can always replace values such as ports, IP addresses, MAC addresses, and time to suit your case.

Filter Operators in Wireshark

  • == or eq: Equals
  • != or ne: Not equal
  • < or lt: Less than
  • <= or le: Less than or equal
  • > or gt: Greater than
  • >= or ge: Greater than or equal
  • contains: For partial matches (non-numeric values), e.g., tcp contains hackware

Logical Operators

  • and or &&: Both conditions must be true
  • or or ||: At least one condition must be true
  • not or !: Negates the condition

Example combinations:

  • http or dns: Show HTTP or DNS traffic
  • !(arp or icmp or dns): Exclude ARP, ICMP, and DNS

Interface Filter

  • frame.interface_name == "wlan0"

Data Link Layer Filters

  • arp: Show ARP frames
  • arp.src.hw_mac == 00:c0:ca:96:cf:cb: ARP from specific MAC
  • eth: Show all Ethernet frames
  • eth.src == 00:c0:ca:96:cf:cb

Network Layer Filters (IPv4)

  • ip: IPv4 traffic
  • ip.addr == x.x.x.x: Match source or destination IP
  • ip.src == 192.168.1.1: From specific IP
  • ip.dst == 192.168.1.1: To specific IP
  • ip.addr == 192.168.1.0/24: Subnet

IPv6 Filters

  • ipv6
  • ipv6.addr == [address]
  • icmpv6: Neighbor Discovery Protocol
  • icmpv6.type == 133: Router Solicitation, etc.

Transport Layer Filters (TCP/UDP)

  • tcp: Show TCP traffic
  • tcp.port == 80: TCP traffic on port 80
  • tcp.flags.syn == 1: TCP SYN flag set
  • tcp.analysis.retransmission: Detect retransmissions
  • udp: UDP traffic
  • udp.port == 53: DNS traffic via UDP
  • udp.contains hackware: Payload contains string

Application Layer Filters

  • http: HTTP traffic
  • http.request.method == "POST"
  • http.host == "example.com"
  • http.content_type contains "image": Filter by MIME type
  • http.response.code == 404: HTTP 404 errors
  • tls: Encrypted TLS traffic
  • tls.handshake.certificates: Show certificates

DNS Filters

  • dns
  • dns.qry.name == "google.com"
  • dns.a == 216.58.196.3: A record match
  • dns.aaaa == 2a01::1: AAAA record match

DHCP Filters

  • udp.dstport == 67: DHCP
  • bootp.option.dhcp == 1: DHCP Discover

SMB and NetBIOS Filters

  • smb2.cmd == 3 or smb2.cmd == 5
  • nbns, nbdgm, nbss: NetBIOS

VNC Filters

  • vnc: VNC session
  • vnc.auth_result: Auth results

RDP Filters

  • rdp: Remote Desktop Protocol

HTTP Authentication Filters

  • http.authorization: All types
  • http.authbasic == "user:pass": Specific credentials

Proxy Authentication Filters

  • http.proxy_authenticate
  • http.proxy_authorization

Wi-Fi Frame Filters

  • eapol: 4-way handshake
  • wlan.fc.type_subtype == 0x08: Beacon frames
  • wlan.addr == BSSID: Device filter

TLS Fingerprinting (JA3, JA4)

  • tls.handshake.ja3 == "hashvalue"
  • ja4.ja4s == "hashvalue"
  • ssh.kex.hasshserver: SSH fingerprint

Helpful Links: