Wireshark – filter examples

https://wiki.wireshark.org/DisplayFilters

Display Filter
ip.addr == IP@
ip.src == IP@
ip.dst == IP@
ip.dst == 192.168.1.0/24 # IP@ range
ip.dst >= 192.168.1.0 && ip.dst <= 192.168.1.255 # IP@ range (same as the CIDR form above, but with both bounds on ip.dst)

ip && !(ip.src==192.168.1.0/24)
ip && !(ip.dst==192.168.1.0/24)

dns
http
http.time >= 0.1
http.response and tcp.time_delta > 0.1

smb.file contains "inhalt"
smb2.filename
!snmp # without SNMP
!eth.type == 0x88e1 # without HomePlug AV
!bootp.option.type == 53 # without DHCP traffic (field is dhcp.option.type in Wireshark 3.0 and later)
http.request.method == "POST"
pop.request.command == "USER" || pop.request.command == "PASS"
imap.request contains "login"
smtp.req.command == "AUTH"
(tcp.srcport >= 5000 and tcp.srcport <= 5999) and tcp contains "CLOSE"
smb.path contains "\\\\<Server>\\<Share>"
tcp.analysis.flags
frame contains "username" || frame contains "password" # contains is a literal substring test, so a regex alternation would be searched for verbatim
frame matches "(?i)(username|password)" # matches takes a PCRE regex; (?i) makes it case-insensitive

https://wiki.wireshark.org/CaptureFilters

Capture Filter
host IP@
net 192.168.1.0/24 # IP@ range
src net 192.168.1.0/24 # IP range
dst net 192.168.1.0/24 # IP range
tcp portrange 5000-5999
not arp and not tcp port 3389 and not broadcast and not multicast
