Bazı Wireshark Filtreleri

ip.addr == (Classic. Sets a filter for any packet with as the source or dest IP)

ip.addr eq and ip.addr eq (Sets a conversation filter between two IP’s)

ip.addr == (Subnet filter. Displays any conversation to or from any IP in the subnet)

tcp or dns (Sets a filter for all packets containing TCP and those with DNS)

tcp.analysis.flags (Displays any packet with TCP warnings or info, including retransmissions, duplicate acks, window updates and Out-of-Orders. Also, TCP problems are automatically displayed on the sidebar of the summary view of wireshark. Look for dark lines on the scroll bar as you go through a trace. Great info to spot the bad stuff!)

tcp contains facebook (Shows all TCP packets that contain the word “facebook”. This word could be replaced with any clear-text string you are searching for)http.request or http.response (This will display all HTTP request strings along with the response codes. Look for HTTP 500 and 404 responses as these indicate a problem)

http.time > 2 (Displays all HTTP responses that were sent more than 2 seconds after the request. Awesome way to measure HTTP performance!! Also great to add as a column)

!(arp or dns or icmp) – (Masks out arp, dns, icmp, or whatever other protocols that may be clouding an issue)

tcp.stream eq 0 (This is best to apply by right-clicking a TCP packet in a connection that you want to display and selecting Follow | TCP Stream. This will display all packets in the TCP conversation as well as the packet content if not encrypted)

One more – I know this is 11, but it’s a great one too.

sip or rtp (This displays all sip control and rtp frames in the trace)

http.request This filter will find and display all HTTP GET requests.

udp contains 03:28:58 This filter will find the HEX values of 0x03 0x28 0x58 at any offset in the packet trace.

icmp or dns This creates a filter to display all icmp and dns packets in the trace.

tcp.analysis.retransmission This filter will display all retransmissions in the trace. This is helpful when tracking down slow application performance and packet loss.

tcp.port==5000 This creates a filter for any TCP packet with 5000 as a source or destination port.

tcp.flags.reset==1 This filter will find and display all TCP resets.



Wireshark display filters - 1.jpeg