If you’re diving into network troubleshooting or just curious about what’s happening on your network, Wireshark is your best friend. It’s a powerful tool that lets you capture and analyse network traffic. But with so much data, it can sometimes be overwhelming. That’s where filters can come in incredibly handy.
Here are my top 10 most useful Wireshark filters to make your life easier and your troubleshooting faster:
Filter by IP Address
Want to see traffic to or from a specific IP? Use this filter:
ip.addr == x.x.x.xReplace x.x.x.x with the actual IP address you’re interested in.
Filter by Subnet
Want to see traffic within a specific subnet? Try this:
ip.addr == 192.168.1.0/24Change 192.168.1.0/24 to your subnet.
Filter by Protocol
Need to focus on a specific protocol like HTTP or DNS? This filter is your go-to:
http or dnsYou can swap http and dns with any protocol you need.
Exclude Unwanted Protocols
Filter out protocols you don’t want to see with:
!(arp or icmp or dns)This helps you focus on the traffic that matters.
Filter by Port
Looking at traffic on a specific port? This filter will help:
tcp.port == 443Change 443 to the port number you’re interested in.
Filter TCP Resets
To see all TCP reset packets, use:
tcp.flags.reset == 1This is great for spotting connection issues.
Filter by TCP Stream
Follow a specific TCP stream with:
tcp.stream eq XReplace X with the stream number you want to follow.
Filter by HTTP Requests
To see all HTTP GET and POST requests, use:
http.requestThis helps you see what web pages are being accessed.
Filter by DNS Errors
Check for DNS resolution issues with:
dns.flags.rcode != 0Filter by Packet Size
To find packets larger than the default MTU size (1500 bytes), use:
ip.len > 1500This can help identify fragmentation issues.
Conclusion
Wireshark filters are a lifesaver when it comes to sifting through mountains of network data. These top 10 filters will help you zero in on the traffic you care about, making your troubleshooting more efficient. Happy packet capturing! And remember, practice makes perfect.
