Part I: Useful Wireshark display filter rules

Ethereal was the original name of the open-source Wireshark packet analyzer. It was renamed Wireshark in 2006 because of trademark issues.

Wireshark is used for network analysis and troubleshooting: it captures network traffic and lets the user inspect individual packets. The packet list can be narrowed with a display filter, whose syntax is shown below. Display filters are distinct from capture filters, which use the BPF/tcpdump syntax and decide what gets recorded in the first place. Wireshark was originally developed by Gerald Combs in 1998 as Ethereal, before the name change.

Below are some common display filter expressions for selecting specific packets. The text after # explains each filter and is not part of it.

  • Port filtering
    tcp.port == 80          # TCP packets with port 80 as either the source or the destination port
    tcp.dstport == 80       # packets whose TCP destination port is 80 (e.g. requests to a web server)
    tcp.srcport == 80       # packets whose TCP source port is 80 (e.g. the server's replies)

  • IP filtering
    ip.src == 117.13.12.189     # packets whose IP source address is 117.13.12.189
    ip.dst == 117.163.2.33      # packets whose IP destination address is 117.163.2.33

  • Protocol filtering
    http        # a bare protocol name keeps every packet that contains that protocol
    tcp
    icmp

  • HTTP method
    http.request.method == "GET"     # HTTP GET requests
    http.request.method == "POST"    # HTTP POST requests

  • Combining expressions
    and  &&     # both conditions must hold; the logical AND is written && (two ampersands) or the word and
    or   ||     # either condition may hold

    and binds more tightly than or, so a && b || c means (a && b) || c; use parentheses to group differently.

  • To list the built-in filter fields in Wireshark, click "Expression…" at the right end of the display filter toolbar, or use Analyze > Display Filter Expression…; the dialog shows every protocol field, the operators it supports and, where applicable, its predefined values.
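
The filters above are easiest to understand by seeing how Wireshark evaluates them: a comparison such as tcp.port == 80 is true if any occurrence of the field matches, so it covers both directions where tcp.dstport == 80 covers one; a bare protocol name such as http is true for any frame containing that protocol; not/! binds tighter than and/&&, which binds tighter than or/||; and a lone & is a syntax error. The Python below is an added example written for this page, not Wireshark's own code or output: a toy evaluator for just that subset of the display-filter language, run over a few constructed sample frames (not a real capture). The frame contents, the addresses 10.0.0.x and 198.51.100.9, and the function names apply_filter and is_valid are assumptions of the example. It treats != as "all occurrences differ", the meaning Wireshark adopted in 3.6 (earlier releases read it as "any occurrence differs"). Everything else Wireshark accepts (<, >, contains, matches, bitwise &, byte slices, value sets) is out of scope.

```python
"""Toy evaluator for a subset of Wireshark display-filter syntax (added example, not Wireshark code)."""
import re

# Constructed sample frames (not a real capture): the fields a dissector would expose.
PACKETS = [
    {"frame.number": 1, "ip.src": "10.0.0.5", "ip.dst": "198.51.100.9",
     "tcp.srcport": 51234, "tcp.dstport": 80, "http.request.method": "GET"},
    {"frame.number": 2, "ip.src": "198.51.100.9", "ip.dst": "10.0.0.5",
     "tcp.srcport": 80, "tcp.dstport": 51234},
    {"frame.number": 3, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.1", "icmp.type": 8},
    {"frame.number": 4, "ip.src": "10.0.0.7", "ip.dst": "198.51.100.9",
     "tcp.srcport": 40001, "tcp.dstport": 8080, "http.request.method": "POST"},
]
# Shorthand fields that match either direction, as Wireshark's do.
ALIASES = {"tcp.port": ("tcp.srcport", "tcp.dstport"), "ip.addr": ("ip.src", "ip.dst")}
# "!=" precedes "!" so it wins.  A lone "&" is not a token and is rejected: logical AND is "&&"/"and".
TOKEN = re.compile(r'\s*(?:(\(|\)|==|!=|&&|\|\||!)|"([^"]*)"|([A-Za-z0-9_.]+))')

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"syntax error near {expr[pos:]!r}")
        op, quoted, word = m.groups()
        tokens.append(("op", op) if op else ("str", quoted) if quoted is not None else ("word", word))
        pos = m.end()
    return tokens

def presence(proto):  # bare protocol name: true when the frame carries any field of that protocol
    return lambda pkt: any(k == proto or k.startswith(proto + ".") for k in pkt)

def compare(field, op, value):
    names = ALIASES.get(field, (field,))
    def test(pkt):
        found = [str(pkt[n]) for n in names if n in pkt]  # absent field: no match, even for !=
        if op == "==":                                    # "==": ANY occurrence equal
            return any(v == value for v in found)
        return bool(found) and all(v != value for v in found)  # "!=": ALL not equal (Wireshark >= 3.6)
    return test

class Parser:  # recursive descent; precedence as in Wireshark: not binds tighter than and, and than or
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def accept(self, *words):  # consume a keyword/operator; a quoted "and" stays a value
        hit = self.peek()[0] != "str" and self.peek()[1] in words
        self.i += hit
        return hit
    def binary(self, sub, words, combine):  # left-associative chain: sub (words sub)*
        node = sub()
        while self.accept(*words):
            node = (lambda l, r: lambda p: combine(l(p), r(p)))(node, sub())
        return node
    def or_expr(self):
        return self.binary(self.and_expr, ("||", "or"), lambda a, b: a or b)
    def and_expr(self):
        return self.binary(self.not_expr, ("&&", "and"), lambda a, b: a and b)
    def not_expr(self):
        if self.accept("!", "not"):
            inner = self.not_expr()
            return lambda p: not inner(p)
        return self.primary()
    def primary(self):
        if self.accept("("):
            inner = self.or_expr()
            if not self.accept(")"):
                raise ValueError("missing ')'")
            return inner
        kind, field = self.peek()
        if kind != "word":
            raise ValueError(f"expected a field name, got {field!r}")
        self.i += 1
        kind, op = self.peek()
        if kind != "op" or op not in ("==", "!="):
            return presence(field)
        self.i += 1
        vkind, value = self.peek()
        if vkind not in ("word", "str"):
            raise ValueError(f"expected a value after {op}")
        self.i += 1
        return compare(field, op, value)

def apply_filter(expr, packets=PACKETS):
    """Frame numbers the display filter keeps; ValueError for syntax Wireshark rejects too."""
    parser = Parser(tokenize(expr))
    test = parser.or_expr()
    if parser.peek()[0] is not None:
        raise ValueError(f"unexpected {parser.peek()[1]!r}")
    return [p["frame.number"] for p in packets if test(p)]

def is_valid(expr):  # True if the filter parses (checked against an empty frame list)
    try:
        return apply_filter(expr, []) == []
    except ValueError:
        return False

if __name__ == "__main__":
    for f in ['tcp.port == 80', 'tcp.dstport == 80', 'ip.src == 10.0.0.7 && tcp.dstport == 8080 || icmp']:
        print(f"{f:55} -> frames {apply_filter(f)}")
```

Run as a script it prints which sample frames each filter keeps: tcp.port == 80 keeps frames 1 and 2 while tcp.dstport == 80 keeps only frame 1, and the unparenthesised mixed expression keeps the ICMP frame too because && is applied before ||. is_valid('tcp.port == 80 & ip.src == 10.0.0.5') is False for the same reason Wireshark's filter bar turns red on it. To try the same expressions against real traffic, tshark accepts the identical display-filter syntax via tshark -r capture.pcap -Y '<filter>'.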