Wireshark Cheat Sheet
Wireshark is the most widely used packet analyzer for network troubleshooting, protocol analysis, and security investigations.
Capture Interfaces
Capture → Options → Select Interface
CLI capture (dumpcap is the capture engine Wireshark itself runs; it needs capture privileges on the interface):
dumpcap -i eth0 -w capture.pcapng
Capture Filters (BPF)
Applied at capture time, in BPF/tcpdump syntax: only matching packets are recorded, so they cut file size and load, but they cannot be changed without restarting the capture, and anything they drop is gone for good.
host 192.168.1.10
net 192.168.1.0/24
port 80
tcp
udp
icmp
Examples:
tcp port 80
host 10.0.0.5 and tcp
Display Filters
Applied to packets already in the capture buffer, in Wireshark's own syntax (not BPF). They can be changed at any time, including during a live capture, and never discard packets.
ip.addr == 192.168.1.10
tcp.port == 443
udp.port == 53
http
dns
tls
icmp
Combine Display Filters
ip.src == 10.0.0.5 && tcp.port == 80
tcp.flags.syn == 1 && tcp.flags.ack == 0
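Added example (not from the original page or the Wireshark project): it builds a handful of constructed Ethernet/IPv4/TCP frames, writes them as a classic libpcap file, reads the file back and applies Python equivalents of the capture and display filters listed above, so you can see exactly which packets each filter selects. Addresses, ports and payloads are constructed; checksums are left at zero, which Wireshark would flag but which does not affect filtering.

```python
import ipaddress
import struct
import tempfile

# TCP flag bits (tcp.flags.* in Wireshark display filters)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_frame(src, dst, sport, dport, flags, seq=1, ack=0, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (MACs and checksums zeroed)."""
    eth = bytes(12) + struct.pack("!H", 0x0800)                       # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp


def write_pcap(path, frames):
    """Write classic libpcap format: magic 0xA1B2C3D4, version 2.4, linktype 1 (Ethernet)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, fr in enumerate(frames):
            # per-packet header: ts_sec, ts_usec, incl_len, orig_len
            f.write(struct.pack("<IIII", i, 0, len(fr), len(fr)) + fr)


def read_pcap(path):
    """Yield raw frames from a little-endian classic pcap file (pcapng needs another parser)."""
    with open(path, "rb") as f:
        if struct.unpack("<I", f.read(4))[0] != 0xA1B2C3D4:
            raise ValueError("not a little-endian classic pcap file")
        f.read(20)                                                      # rest of global header
        while (hdr := f.read(16)):
            _, _, incl_len, _ = struct.unpack("<IIII", hdr)
            yield f.read(incl_len)


def decode(frame):
    """Decode Ethernet/IPv4/TCP headers into a dict keyed with Wireshark field names."""
    pkt = {"frame.len": len(frame)}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return pkt
    ihl = (frame[14] & 0x0F) * 4
    pkt["ip.proto"] = frame[23]
    pkt["ip.src"] = str(ipaddress.IPv4Address(frame[26:30]))
    pkt["ip.dst"] = str(ipaddress.IPv4Address(frame[30:34]))
    if pkt["ip.proto"] == 6:
        t = 14 + ihl
        sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", frame[t:t + 14])
        pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq, "tcp.ack": ack,
                    "tcp.flags.syn": int(bool(flags & SYN)), "tcp.flags.ack": int(bool(flags & ACK))})
    return pkt


# Predicates: Python equivalents of the capture and display filters on this page
def host(ip):            # BPF: host X            display: ip.addr == X
    return lambda p: ip in (p.get("ip.src"), p.get("ip.dst"))

def net(cidr):           # BPF: net X/Y
    n = ipaddress.ip_network(cidr)
    return lambda p: any(k in p and ipaddress.ip_address(p[k]) in n for k in ("ip.src", "ip.dst"))

def tcp_port(port):      # BPF: tcp port N        display: tcp.port == N
    return lambda p: port in (p.get("tcp.srcport"), p.get("tcp.dstport"))

def ip_src(ip):          # display: ip.src == X
    return lambda p: p.get("ip.src") == ip

def syn_without_ack(p):  # display: tcp.flags.syn == 1 && tcp.flags.ack == 0 (connection attempts / scans)
    return p.get("tcp.flags.syn") == 1 and p.get("tcp.flags.ack") == 0

def frame_len_gt(n):     # display: frame.len > N
    return lambda p: p["frame.len"] > n


def count(packets, *preds):
    """AND the predicates together, like 'and' in BPF or '&&' in display filters."""
    return sum(1 for p in packets if all(pr(p) for pr in preds))


def demo():
    frames = [  # constructed: one HTTP handshake plus request, one HTTPS SYN, one SSH SYN
        build_frame("10.0.0.5", "192.168.1.10", 40000, 80, SYN),
        build_frame("192.168.1.10", "10.0.0.5", 80, 40000, SYN | ACK, ack=2),
        build_frame("10.0.0.5", "192.168.1.10", 40000, 80, PSH | ACK, seq=2, ack=2,
                    payload=b"GET / HTTP/1.1\r\nHost: example\r\n\r\n" + b"X" * 1400),
        build_frame("10.0.0.7", "192.168.1.20", 50000, 443, SYN),
        build_frame("172.16.0.1", "172.16.0.2", 53000, 22, SYN),
    ]
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as tmp:
        path = tmp.name
    write_pcap(path, frames)
    pkts = [decode(f) for f in read_pcap(path)]
    return {
        "host 192.168.1.10": count(pkts, host("192.168.1.10")),
        "net 192.168.1.0/24": count(pkts, net("192.168.1.0/24")),
        "tcp port 80": count(pkts, tcp_port(80)),
        "ip.src == 10.0.0.5 && tcp.port == 80": count(pkts, ip_src("10.0.0.5"), tcp_port(80)),
        "tcp.flags.syn == 1 && tcp.flags.ack == 0": count(pkts, syn_without_ack),
        "frame.len > 1000": count(pkts, frame_len_gt(1000)),
    }


if __name__ == "__main__":
    for flt, n in demo().items():
        print(f"{n:2d}  {flt}")
```

The written file opens in Wireshark or tshark directly (`tshark -r <file> -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0"` should select the same three frames), which is a quick way to check your understanding of a filter against the real dissector.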
Follow Streams
Right Click → Follow → TCP Stream
Also:
- UDP Stream
- HTTP Stream
- TLS Stream
TCP Analysis
- Retransmissions: tcp.analysis.retransmission
- Duplicate ACKs: tcp.analysis.duplicate_ack
- Zero Window: tcp.analysis.zero_window
- Out-of-order packets: tcp.analysis.out_of_order
Filter for any of these at once:
tcp.analysis.flags
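Added example (not code from the original page or from Wireshark): a simplified version of the per-flow bookkeeping behind these analysis flags, run over a constructed list of decoded TCP segments of the kind `tshark -T fields` can print. It tracks the next expected sequence number per direction, records gaps, and distinguishes a retransmission (bytes already covered) from an out-of-order segment (bytes filling a gap seen earlier), and counts duplicate ACKs and zero-window advertisements. Timing, SACK, keep-alives and window updates, which Wireshark's real heuristics also consider, are left out.

```python
from collections import namedtuple

# One decoded TCP segment. flags is a frozenset of flag names; length is tcp.len (payload bytes).
Seg = namedtuple("Seg", "num src sport dst dport seq ack flags length win")


def analyze(segments):
    """Return {frame number: [analysis flag names]} using simplified versions of
    Wireshark's tcp.analysis.* rules (no timing, no SACK, no keep-alive handling)."""
    next_seq = {}   # flow -> next sequence number expected from that sender
    gaps = {}       # flow -> set of expected seqs that were jumped over
    last_ack = {}   # flow -> [ack number, duplicate count] of the last pure ACK
    flagged = {}
    for s in segments:
        flow = (s.src, s.sport, s.dst, s.dport)
        notes = []
        consumes = s.length + ("SYN" in s.flags) + ("FIN" in s.flags)   # SYN/FIN use one seq each
        exp = next_seq.get(flow)
        if exp is not None and consumes:
            if s.seq > exp:
                notes.append("lost_segment")          # "previous segment not captured"
                gaps.setdefault(flow, set()).add(exp)
            elif s.seq < exp:
                if s.seq in gaps.get(flow, ()):
                    notes.append("out_of_order")      # late arrival that fills a known gap
                    gaps[flow].discard(s.seq)
                else:
                    notes.append("retransmission")    # bytes we have already seen
        if consumes:
            next_seq[flow] = max(exp or 0, s.seq + consumes)
        if s.win == 0 and "RST" not in s.flags:
            notes.append("zero_window")               # receiver tells sender to stop
        pure_ack = s.length == 0 and "ACK" in s.flags and not ({"SYN", "FIN", "RST"} & s.flags)
        if pure_ack:
            prev = last_ack.get(flow)
            if prev and prev[0] == s.ack:
                prev[1] += 1
                notes.append("duplicate_ack")         # same ack number repeated: data is missing
            else:
                last_ack[flow] = [s.ack, 0]
        if notes:
            flagged[s.num] = notes
    return flagged


def sample_segments():
    """Constructed HTTP exchange: handshake, request, a lost server segment,
    three ACKs for the same point, late arrival of the gap, a real retransmission,
    and a zero-window ACK from the client."""
    C, S = ("10.0.0.5", 40000), ("192.168.1.10", 80)
    def seg(num, a, b, seq, ack, flags, length=0, win=65535):
        return Seg(num, a[0], a[1], b[0], b[1], seq, ack, frozenset(flags), length, win)
    return [
        seg(1, C, S, 1000, 0, {"SYN"}),
        seg(2, S, C, 5000, 1001, {"SYN", "ACK"}),
        seg(3, C, S, 1001, 5001, {"ACK"}),
        seg(4, C, S, 1001, 5001, {"PSH", "ACK"}, length=100),
        seg(5, S, C, 5001, 1101, {"ACK"}),
        seg(6, S, C, 5001, 1101, {"ACK"}, length=1000),
        seg(7, S, C, 7001, 1101, {"ACK"}, length=1000),      # seq jumps: bytes 6001-7000 missing
        seg(8, C, S, 1101, 6001, {"ACK"}),
        seg(9, C, S, 1101, 6001, {"ACK"}),                   # dup ack 1
        seg(10, C, S, 1101, 6001, {"ACK"}),                  # dup ack 2
        seg(11, S, C, 6001, 1101, {"ACK"}, length=1000),     # fills the gap: out of order
        seg(12, S, C, 7001, 1101, {"ACK"}, length=1000),     # already seen: retransmission
        seg(13, C, S, 1101, 8001, {"ACK"}, win=0),           # zero window
    ]


if __name__ == "__main__":
    for num, notes in sorted(analyze(sample_segments()).items()):
        print(f"frame {num:2d}: {', '.join(notes)}")
```

Each note name matches the display-filter field you would use to find the same condition in a real capture, e.g. `tcp.analysis.lost_segment` or `tcp.analysis.duplicate_ack`.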
Protocol Statistics
Statistics → Protocol Hierarchy
Statistics → Conversations
Statistics → Endpoints
Export Objects
File → Export Objects → HTTP
Extract:
- Files
- Images
- Executables
Decrypt HTTPS (If Allowed)
Set TLS keys:
Edit → Preferences → Protocols → TLS
Use:
- (Pre)-Master-Secret log filename: a key log the client writes when started with the SSLKEYLOGFILE environment variable set; works for any cipher suite, including TLS 1.3
- RSA keys list: the server's private key; only decrypts sessions that used RSA key exchange, so it does not work with (EC)DHE cipher suites or TLS 1.3
Coloring Rules
View → Coloring Rules
Highlight:
- SYN packets
- Errors
- DNS traffic
Common Filters Cheat
http.request
http.response
dns.qry.name contains "example"
frame.len > 1000
Save & Export
File → Save As → .pcapng
Convert (tshark -w writes pcapng by default; add -F pcap for the classic format):
tshark -r input.pcap -w output.pcapng
tshark -r input.pcapng -F pcap -w output.pcap
Typical Workflow
Capture traffic
Apply display filters
Follow streams
Analyze statistics
Export artifacts
Common Issues
No packets captured
- Wrong interface
- Missing permissions: capturing needs raw socket access (on Linux, either the wireshark group with capture capabilities set on dumpcap, or running dumpcap as root)
Too much noise
- Apply capture filters
- Narrow display filters
Related Tools
- tshark
- tcpdump
- airodump-ng
- bettercap
Use Cases
- Network troubleshooting
- Incident response
- Malware traffic analysis
- Protocol debugging
Legal Notice
Danger: Capture traffic only on networks you own or have permission to analyze.