Part I: Useful WireShark filtering rules

by do son · Published · Updated

Ethereal was the original name of the open-source WireShark packet analysis software. It was renamed WireShark in 2006 based on trademark issues.

WireShark is used for network analysis and troubleshooting by allowing users to capture network traffic and view packets. The view of the information can be customized using a display filter. It was originally developed by Gerald Combs in 1998 as Ethereal, before the name change.

Below are some common packet filtering rules for specific packages

  • Port filtering
    tcp.port == 80 #port 80 all packets

    tcp.dstport == 80 #for the package 80 of the destination port

    tcp.srcport == 80 #as the source port of the packet 80

     

     

  • IP Filter
    ip.src==117.13.12.189 #ip source address: 117.13.12.189

    ip.dst == 117.163.2.33 #ip destination address: 117.163.2.33

     

  • Protocol Filtering
    http

    tcp

    icmp

     

  • http method
    filterhttp.request.method=="GET"

    http.request.method=="POST"

     

  • Combining expressions
    and  &

    or  ||

     

  • To display build-in filter on Wireshark, click the word “Expression” on the filter toolbar

Tags: WireShark