Wireshark is a powerhouse for anyone diving into network analysis—whether you’re a sysadmin tracking down a slow server, a security enthusiast hunting for suspicious traffic, or a curious learner. It’s packed with features, but its sea of filters, operators, and options can feel daunting at first. This wireshark cheat sheet is your trusty roadmap, breaking down Wireshark’s essentials into bite-sized pieces with practical tips to get you started or sharpen your skills.
What You See in a Packet Capture
When you fire up Wireshark and start a packet capture, the default view will show the following:
| NAME | DESCRIPTION |
| Packet Number | A simple number to keep track of each frame |
| Timestamp | Keeps track of the time of each packet starting from when the packet capture started |
| Source | Where the packet came from |
| Destination | Where the packet is going |
| Protocol | Protocol used in the Ethernet frame, IP packet, or TC segment |
| Length | Size of the packet |
| Info | Quick summary of the type of packet (e.g. GET or SYN) |
Wireshark Cheat Sheet: Filtering like a Detective
Filtering is what really makes Wireshark a powerful tool. There are two main filter methods you can use:
| NAME | DESCRIPTION |
| Capture Filter | Filter packets during capture |
| Display Filter | Hide packets from a capture display |
You can use display filters using some logical operators:
| OPERATOR | EXAMPLE |
| Equals (==) | ip.addr == 10.0.5.42 |
| Not Equals (!=) | ip.addr != 172.16.1.10 |
| Greater Than (>) | frame.len > 500 |
| Less Than (<) | frame.len < 50 |
| Greater Than or Equal To (>=) | frame.len >= 250 |
| Less Than or Equal To (<=) | frame.len <= 25 |
You can combine these operators with Logic Operators:
| OPERATOR | EXAMPLE | DESCRIPTION |
| AND (&&) | ip.addr == 10.0.5.42 && tcp.port == 80 | Finds the web traffic from one source |
| OR (||) | tcp.port == 80 || tcp.port == 443 | Find HTTP or HTTPS traffic |
| XOR (^^) | ip.addr == 10.0.5.42 ^^ udp | Search for udp traffic or 10.0.5.42 |
| NOT (!) | ip.addr != 127.0.0.1 | Ignore traffic from the localhost |
| [n] ([…]) | [google] | Searches for the keyword google in the packets |
Wireshark Cheat Sheet Pro-Tip: Real World Scenario
Let’s say you’re doing a network crawling, and you think there’s a device at 10.0.5.42 spamming UDP packets. You can set up the filter to find the web traffic for one source:
ip.src == 10.0.5.42 && udpWireshark Capturing Modes – Choosing Your Lens
Wireshark has two ways to see traffic:
| NAME | DESCRIPTION |
| Promiscuous mode | Captures all traffic on the network segment |
| Monitor mode | Exclusive to wireless capture on Unix/Linux, grabs everything the Wi-Fi card can detect (even if it’s not meant for you) |
Additional Tools and Operators
| TOOL/OPERATOR | PURPOSE |
| Slice Operator | Defines a range of values using [ … ] |
| Membership Operator | Checks inclusion with {} (e.g., “is in”) |
| CTRL + E | Toggles packet capture start/stop |
Capture Filter Structure
Capture filters specify which packets to record based on defined criteria. Below is the general syntax breakdown with an example:
| COMPONENT | EXMAPLE VALUE | EXPLANATION |
| Protocol | tcp | Specifies the protocol filter |
| Direction | src | Indicates source or destination traffic |
| Host | 192.168.0.1 | Defines the IP address |
| Value | 80 | Port or other specific value |
| Logical Operator | && (AND) | Combines conditions |
| Expression | tcp dst 123.456.78.9 | Additional filter condition |
Example:
tcp src 192.168.0.1 80 && tcp dst 123.456.78.9 filters TCP traffic from 192.168.0.1 on port 80 destined for 123.456.78.9.
Display Filter Structure
Display filters refine the view of already-captured packets. Here’s how they’re constructed:
| COMPONENT | EXAMPLE VALUE | EXPLANATION |
| Protocol | http | Targets a specific protocol |
| String 1 | dest | Field or attribute (e.g., destination) |
| String 2 | ip | Subfield or qualifier |
| Comparison | == | Operator (e.g., equals, greater than) |
| Value | 192.168.0.1 | Value to match |
| Logical Operator | && (AND) | Links to multiple conditions |
| Expression | tcp port | Additional filter criteria |
Example:
http.dest.ip == 192.168.0.1 && tcp.portshows the HTTP traffic destined for 192.168.0.1 on any TCP port.
Main Window Navigation Shortcuts
Efficiently navigating Wireshark’s interface is made easier with these keyboard shortcuts:
| SHORTCUT | ACTION |
| Tab | Shift + Tab | Switch between interface elements (e.g., toolbar, packet list) |
| ↓ | Move to the next packet or detail item. |
| ↑ | Move to the previous packet or detail item. |
| CTRL + ↓ | F8 | Next packet (even if the packet list isn’t focused) |
| CTRL + ↑ | F7 | Previous packet (even if the packet list isn’t focused) |
| CTRL + . | Next packet of the conversation |
| CTRL + , | Previous packet of the conversation |
| ALT + → | Option + → | Jump to next packet in selection history |
Supported Protocols
Wireshark recognizes a variety of protocols for filtering and analysis, including:
- ether
- fddi
- ip
- arp
- rarp
- decnet
- lat
- sca
- moprc
- mopdl
- tcp
- udp
Essential Wireshark Cheat Sheet Filter Examples
| PURPOSE | FILTER SYNTAX |
| Match IP Address | ip.add == 192.168.0.1 |
| Target Destination IP | ip.dest == 192.168.0.1 |
| Target Source IP | ip.src == 192.168.0.1 |
| Filter IP Range | ip.addr >= 192.168.0.1 |
| Multiple IPs | ip.addr == 192.168.0.1 and ip.addr == 192.168.0.2 |
| Exclude IP | !(ip.addr == 192.168.0.1) |
| Subnet Traffic | ip.addr == 192.168.0.1/24 |
| Port Traffic | tcp.port == 443 |
| Destination Port | tcp.destport = 443 |
| IP and Port Combo | ip.addr == 192.168.0.1 and tcp.port == 443 |
| URL Matching | http.host == “hostname” |
| Time-Based Filter | frame.time >= “March 18, 2025 12:00:00” |
| TCP SYN Flag | Tcp.flags.syn == 1 and tcp.flags.ack == 0 |
| Wi-Fi Beacon Frames | wlan.fc.type_subtype = 0x08 |
| Broadcast Traffic | eth.dst == ff:ff:ff:ff:ff:ff |
| Multicast Traffic | (eth.dst[0] & 1) |
| Hostname Filter | ip.host = hostname |
| MAC Address Filter | eth.addr == 00:00:00:00:00:00 |
| TCP RST Flag | tcp.flag.reset == 1 |
Toolbar Functions
| ICON | FUNCTION | MENU PATH | DESCRIPTION |
 | Begin Capture | Capture > Start | Initiates capture with prior/default settings |
 | Halt Capture | Capture > Stop | Ends an ongoing capture |
 | Restart Capture | Capture > Restart | Restart the current capture session |
 | Capture Settings | Capture > Options | Opens capture configuration |
 | Load File | File > Open | Accesses a saved capture file |
 | Save Capture | File > Save As | Stores the current capture |
 | Close File | File > Close | Closes the current capture file |
 | Reload File | View > Reload | Reloads the current capture file |
 | Locate Packet | Edit > Find Packet | Searches for packets by criteria |
 | Back | Go > Go back | Moves back in packet navigation history |
 | Forward | Go > Go Forward | Moves forward in packet navigation history |
 | Jump to Packet | Go > Go to Packet | Jumps to a specific packet number |
 | First Packet | Go > Go to First Packet | Jump to initial packet |
 | Last Packet | Go > Go to Last Packet | Jump to last packet |
 | Live Scroll | View > Auto Scroll in Live Capture | Scrolls packet list during live capture |
 | Toggle Colors | View > Colorize | Enables/disables packet list coloring |
 | Enlarge Text | View > Zoom In | Increase display font size |
 | Shrink Text | View > Zoom Out | Decrease display font size |
 | Reset Zoom | View > Normal Size | Restores default font size |
 | Adjust Columns | View > Resize Columns | Fits columns to content width |
 | Default Layout | View > Reset Layout | Restores default interface layout |
If you’re interested in getting started with Wireshark, you can download the correct version for your system here, but Wireshark also comes pre-installed on many Linux distribution (e.g. Kali or Parrot Linux).
Leave a Reply