Wireshark notes - DFIR

Wireshark, a tool used for creating and analyzing PCAPs (network packet capture files), is commonly used as one of the best packet analysis tools. Wireshark can run on Windows, macOS, and Linux. To begin installing Wireshark on a Windows or macOS device you will need to first grab an installer from the Wireshark website. Once you have downloaded an installer, simply run it and follow the GUI wizard. 

If you are using Linux you can install Wireshark with apt install Wireshark 

Filtering Operators

Wireshark's filter syntax can be simple to understand making it easy to get a hold of quickly. To get the most out of these filters you need to have a basic understanding of Boolean and logic operators.

Wireshark only has a few that you will need to be familiar with:

Basic Filtering Syntax

Filtering by IP

ip.addr == <IP Address>

Filtering by SRC and DST IP

ip.src == <SRC IP Address> and ip.dst == <DST IP Address> 

Filtering by TCP Protocols

tcp.port eq <Port #> or <Protocol Name>

Filtering by UDP Protocols

udp.port eq <Port #> or <Protocol Name>

Show only SMTP (port 25) and ICMP traffic:

 tcp.port eq 25 or icmp 

Show only traffic in the LAN (192.168.x.x), between workstations and servers 

ip.src== and ip.dst==

Show HTTP or DNS traffic:

http or dns

Show all traffic except ARP, ICMP and DNS:

!(arp or icmp or dns)

Interface Filters

Show packets only sent or received on the wlan0 interface:

frame.interface_name == "wlan0"

Link Layer Traffic

To show ARP traffic:


how ARP protocol frames sent from device with MAC address 00:c0:ca:96:cf:cb:

arp.src.hw_mac == 00:c0:ca:96:cf:cb

Show ARP protocol frames sent from a device with an IP address

arp.src.proto_ipv4 ==

Show ARP protocol frames sent to a device with a MAC address 00:00:00:00:00:00 (this address is used when the protocol tries to find out the target MAC address.

arp.dst.hw_mac == 00:00:00:00:00:00

Show ARP protocol frames sent to the device having the IP address

arp.dst.proto_ipv4 ==

Show Ethernet traffic


Show frames (in general, all frames, not just ARP, as it was in the previous examples) sent from a device that has the MAC address 00:c0:ca:96:cf:cb:

eth.src == 00:c0:ca:96:cf:cb

Show frames sent to device with MAC address 78:cd:8e:a6:73:be:1

eth.dst == 78:cd:8e:a6:73:be

Internet Layer Traffic

IPv4 Protocol Filtering

Show IP traffic (this includes TCP, UDP, as well as application layer protocols DNS, HTTP - that is, almost everything except the data link layer protocols that do not use IP addresses for data transmission (in local Ethernet networks they use MAC addresses)):


Show traffic associated with a specific IP address (enter it instead of x.x.x.x). Packets will be shown in which this IP address is the source of the data OR the recipient:

ip.addr == x.x.x.x

Show traffic associated with these two IP addresses. According to the only possible situation, one of these addresses is the source, and the second is the destination address.

ip.addr == x.x.x.x && ip.addr == y.y.y.y

Show traffic originated from the host with the IP address

ip.src ==

Show traffic whose destination is the host with the IP address

ip.dst ==

Filter subnets and IP ranges in Wireshark

You can specify a subnet instead of a single IP address:

ip.addr ==

Filtering traffic sent from a specific IP range. If you need to filter out traffic whose source is the subnet, then use a filter of the form:

ip.src ==

Filtering traffic destined for sending to a specific IP range. If you need to filter traffic whose destination is a subnet, then use a filter of the form:

ip.dst ==

Application layer traffic

For the application protocols of HTTP, DNS, SSH, FTP, SMTP, RDP, SNMP, RTSP, GQUIC, CDP, LLMNR, SSDP there are filters that are called like the protocols themselves, but are written in small letters.

For example, to see HTTP traffic:


To see the traffic of the new HTTP/2 protocol:


NOTE: Remember that when deciding which protocol the transmitted data belongs to, the program considers the used port number. If a non-standard port is used, the program will not be able to find the necessary data. For example, if you connect to SSH on port 1234, the ssh filter will not find SSH traffic.

A filter that shows only the data sent by the POST method:

http.request.method == "POST"

A filter that shows only the data transmitted by the GET method:

http.request.method == "GET"

Search for requests to a specific site (host):

http.host == "<URL>"

Search requests to a specific site by part of the name:

http.host contains "here.particle.name"

Filter for outputting HTTP requests in which cookies were transmitted:


Requests in which the server has set cookies in the user's browser.


To search for any transferred images:

http.content_type contains "image"

To search for certain types of images:

http.content_type contains "gif"

http.content_type contains "jpeg"

http.content_type contains "png"

To search for files of a specific type:

http.content_type contains "text"

http.content_type contains "xml"

http.content_type contains "html"

http.content_type contains "json"

http.content_type contains "javascript"

http.content_type contains "x-www-form-urlencode"

http.content_type contains "compressed"

http.content_type contains "application"

Search for requests for files of a certain type. For example, to search for transferred ZIP archives:

http.request.uri contains "zip"

Instead of http.request.uri for greater accuracy, you can use the http.request.uri.path or http.request.uri.query filters, for example, to search for requests to download JPG files (links to pictures):1

http.request.uri.path contains "jpg"

You can also filter requests that contain a specific HTTP REFERRER header value. For example, to search for queries in which the referrer is ru-board.com:

http.referer contains "ru-board.com"

To investigate problems, you can analyze the status of HTTP response codes. For example, the following filter will show traffic for which a 404 Not Found error was received (page not found):


you can use the filter without specifying the desired value, for example:


In this case, all connections with any Host field value in the HTTP header will be shown.

You can specify the exact value:

http.host == "www.archlinux.org"

Or specify part of the desired string:

http.host contains "archlinux.org"

Filter by Host field in HTTP header:

http.host == "www.archlinux.org"

Filter by the Content-Type field in the HTTP header:

http.content_type == "text/plain"

Filter by Server field in HTTP header:

http.server == "nginx"

Filter by Cookie field in HTTP header:



Filter by User Agent field in HTTP header:

http.user_agent == "Mozilla/5.0 (X11; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"

To search for redirects (Location field):


To search for sites from which a transition was made to the page (Referer field):

http.referer contains "sysnetnotes.blogspot.com"

Request filter:







Response filters:


Search by response code:

http.response.code == 404


In fact, this list is far from complete. You can use the hints that appear as you type the names of the filters, or you can be guided by the names of the HTTP header fields, which are similar to the names of the filters.

Detecting Network Attacks with Wireshark

This section contains Wireshark filters that could help in identifying adversaries trying to find alive systems on our network.

Using these filters we should be able to detect various network discovery scans, ping sweeps and other things typically done during reconnaissance (asset discovery) phase.

TechniqueWireshark FilterCommand / Tool
ARP scanningarp.dst.hw_mac==00:00:00:00:00:00arp-scan -l
IP protocol scanicmp.type==3 and icmp.code==2nmap -sO <target>
ICMP ping sweepicmp.type==8 or icmp.type==0nmap -sn -PE <subnet>
TCP ping sweepstcp.dstport==7nmap -sn -PS/-PA <subnet>
UDP ping sweepsudp.dstport==7nmap -sn -PU <subnet>

Detection of network port scanning

TechniqueWireshark FilterCommand / Tool
TCP SYN scantcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size<=1024nmap -sS <target>
TCP Connect() scantcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size>1024nmap -sT <target>
TCP Null scantcp.flags==0nmap -sN <target>
TCP FIN scantcp.flags==0x001nmap -sF <target>
TCP Xmass scantcp.flags.fin==1 && tcp.flags.push==1 && tcp.flags.urg==1nmap -sX <target>
UDP port scanicmp.type==3 and icmp.code==3nmap -sU <target>

Detection of network attacks

TechniqueWireshark FilterCommand / Tool
ARP poisoningarp.duplicate-address-detected or arp.duplicate-address-framearpspoof, ettercap
ICMP floodicmp and data.len > 48fping, hping
VLAN hopingdtp or vlan.too_many_tagsfrogger, yersinia
Unexplained packet losstcp.analysis.lost_segment or tcp.analysis.retransmissionn/a


Post a Comment