ip.addr == 10.0.0.1 [Sets a filter for any packet with 10.0.0.1, as either the source or dest]

ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP addresses, in both directions]

http or dns [sets a filter to display all http and dns]

tcp.port==4000 [sets a filter for any TCP packet with 4000 as a source or dest port]

tcp.flags.reset==1 [displays all TCP resets]

http.request [displays all HTTP requests (GET, POST and other methods), not responses]

tcp contains traffic [displays all TCP packets that contain the word ‘traffic’. Excellent when searching on a specific string or user ID]

!(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols may be background noise, allowing you to focus on the traffic of interest]

udp contains 33:27:58 [sets a filter for the HEX values of 0x33 0x27 0x58 at any offset]

tcp.analysis.retransmission [displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss]

The following are capture filters (BPF syntax, as used by tcpdump and in Wireshark's capture options), not display filters; they decide what is recorded at all, so anything they drop cannot be recovered later.

host xxx.xxx.xxx.xxx [Capture only traffic to or from one IP address]

net xxx.xxx.0.0/24 [Capture traffic to or from a range of IP addresses]

src net 192.168.0.0/24 [Capture traffic from a range of IP addresses]

dst net 192.168.0.0/24 [Capture traffic to a range of IP addresses]

port xx [Capture single port traffic]

host www.myhostname.com and not (port xx or port yy) [Capture all traffic for a host, excluding specific ports]

tcp portrange 1800-1880 [Capture traffic within a range of ports]

ip [Capture only IP traffic]
 
 
Suppose there is a requirement to filter only those packets that are HTTP packets and have source IP 192.168.1.4. Use this filter:
http&&ip.src==192.168.1.4
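The display filters above are easiest to understand by watching them select packets. The following is an added example, not part of the original cheat sheet and not Wireshark's own code: a small Python evaluator for a subset of display-filter syntax (`==`/`eq`, `contains`, `&&`/`and`, `||`/`or`, `!`/`not`, parentheses, bare protocol names), run over constructed packet records. It shows why `ip.addr == A && ip.addr == B` matches both directions of a conversation while `ip.src == A and ip.dst == B` matches one, how a bare `http` or `dns` tests for the presence of a dissector, and how `tcp contains traffic` and `udp contains 33:27:58` search bytes. `PACKETS`, `ALIASES` and the field names on the records are constructed assumptions that mimic Wireshark's field names; the `wlan.fc.type_subtype eq 8` record mirrors the 802.11 entries later on the page.

```python
"""Added example (not Wireshark code): a subset display-filter evaluator over constructed packets."""
import re
# Assumption: two-ended fields expand to both directions, as Wireshark does for ip.addr etc.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}

# Constructed sample packets (not a real capture). 'protocols' is the set of dissectors
# present in the frame (what a bare 'http' or 'dns' tests); 'payload' is the byte string
# that 'tcp contains ...' searches. Field names mimic Wireshark's.
PACKETS = [
    {"no": 1, "protocols": {"eth", "ip", "tcp", "http"}, "ip.src": "10.0.0.1",
     "ip.dst": "10.0.0.2", "tcp.srcport": 51000, "tcp.dstport": 80, "http.request": True,
     "http.request.uri": "/traffic?id=42", "payload": b"GET /traffic?id=42 HTTP/1.1\r\n"},
    {"no": 2, "protocols": {"eth", "ip", "tcp", "http"}, "ip.src": "10.0.0.2", "ip.dst": "10.0.0.1",
     "tcp.srcport": 80, "tcp.dstport": 51000, "payload": b"HTTP/1.1 200 OK\r\n"},
    {"no": 3, "protocols": {"eth", "ip", "udp", "dns"}, "ip.src": "10.0.0.1", "ip.dst": "10.0.0.53",
     "udp.srcport": 40000, "udp.dstport": 53, "payload": b"\x12\x34\x01\x00\x33\x27\x58example\x03com\x00"},
    {"no": 4, "protocols": {"eth", "arp"}, "payload": b""},
    {"no": 5, "protocols": {"eth", "ip", "tcp"}, "ip.src": "10.0.0.9", "ip.dst": "10.0.0.1",
     "tcp.srcport": 4000, "tcp.dstport": 4000, "tcp.flags.reset": 1, "payload": b""},
    {"no": 6, "protocols": {"wlan"}, "wlan.fc.type": 0, "wlan.fc.type_subtype": 8, "payload": b""},
]

TOKEN_RE = re.compile(r'\s*(\(|\)|&&|\|\||==|!|"[^"]*"|[\w.:]+)')

def tokenize(text):
    # and/or/not/eq/contains come out as plain words and are recognised by the parser
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize near {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class Parser:
    # Recursive descent: expr := and_expr (or and_expr)*; and_expr := unary (and unary)*
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]  # IndexError on a truncated filter
    def expr(self):
        return self.binary(("or", "||"), lambda: self.binary(("and", "&&"), self.unary))
    def binary(self, ops, sub):
        node = sub()
        while self.peek() in ops:
            self.take()
            node = (ops[0], node, sub())
        return node
    def unary(self):
        tok = self.peek()
        if tok in ("!", "not"):
            self.take()
            return ("not", self.unary())
        if tok == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        field = self.take()
        if self.peek() in ("==", "eq"):
            self.take()
            return ("eq", field, self.take().strip('"'))
        if self.peek() == "contains":
            self.take()
            return ("contains", field, self.take().strip('"'))
        return ("present", field)  # bare 'http', 'dns' or 'http.request'

def field_values(pkt, field):
    """Every value the field has in the packet; aliases expand to both endpoints."""
    return [pkt[n] for n in ALIASES.get(field, (field,)) if n in pkt]

def evaluate(node, pkt):
    kind = node[0]
    if kind in ("and", "or"):
        left, right = evaluate(node[1], pkt), evaluate(node[2], pkt)
        return (left and right) if kind == "and" else (left or right)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "present":
        return bool(field_values(pkt, node[1])) if "." in node[1] else node[1] in pkt["protocols"]
    if kind == "eq":  # true if ANY occurrence of the field equals the value
        return any(str(v) == node[2] for v in field_values(pkt, node[1]))
    name, needle = node[1], node[2]  # contains: a string, or 33:27:58-style hex bytes
    needle = bytes.fromhex(needle.replace(":", "")) if re.fullmatch(
        r"([0-9a-fA-F]{2}:)+[0-9a-fA-F]{2}", needle) else needle.encode()
    if "." not in name:  # bare protocol name: search the payload if that protocol is present
        return name in pkt["protocols"] and needle in pkt["payload"]
    return any(needle in str(v).encode() for v in field_values(pkt, name))

def apply_filter(text, packets=PACKETS):
    parser = Parser(tokenize(text))
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [p["no"] for p in packets if evaluate(tree, p)]  # matching packet numbers
```

`apply_filter("ip.addr == 10.0.0.1")` selects packets 1, 2, 3 and 5 (either endpoint), `apply_filter("ip.src==10.0.0.1 and ip.dst==10.0.0.2")` only packet 1, and `apply_filter("!(arp or icmp or dns)")` everything except the ARP and DNS frames. The evaluator deliberately offers only `==`, `contains` and explicit `!`: the meaning of `ip.addr != 10.0.0.1` changed in Wireshark 3.6 (it used to match packets where either endpoint differs; it now equals `!(ip.addr == 10.0.0.1)`), so writing the negation explicitly is the form that behaves the same everywhere.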



  • ip.addr==192.168.0.1 --- Show all traffic from and to 192.168.0.1
  • tcp.port==80 --- Show all the traffic with 80 as a source or destination port
  • ip.src==192.168.0.1 and ip.dst==10.100.1.1 --- Show all the traffic sent from 192.168.0.1 to 10.100.1.1 (one direction only)
  • ftp --- Show only the traffic for the ftp protocol
  • http --- Show only the traffic for the http protocol
  • dns --- Show only the traffic for the dns protocol
  • http.request.uri contains "string" --- Show all http requests whose URI contains the word "string"


  • eth.addr --- source or destination MAC address --- eth.addr == 00:1a:6b:ce:fc:bb
  • eth.src --- source MAC address --- eth.src == 00:1a:6b:ce:fc:bb
  • eth.dst --- destination MAC address --- eth.dst == 00:1a:6b:ce:fc:bb
  • arp.dst.hw_mac --- target MAC address --- arp.dst.hw_mac == 00:1a:6b:ce:fc:bb
  • arp.dst.proto_ipv4 --- target IPv4 address --- arp.dst.proto_ipv4 == 10.10.10.10
  • arp.src.hw_mac --- sender MAC address --- arp.src.hw_mac == 00:1a:6b:ce:fc:bb
  • arp.src.proto_ipv4 --- sender IPv4 address --- arp.src.proto_ipv4 == 10.10.10.10
  • vlan.id --- VLAN ID --- vlan.id == 16
  • ip.addr --- source or destination IPv4 address --- ip.addr == 10.10.10.10
  • ip.dst --- destination IPv4 address --- ip.dst == 10.10.10.10
  • ip.src --- source IPv4 address --- ip.src == 10.10.10.10
  • ip.proto --- IP protocol (decimal) --- ip.proto == 1
  • ipv6.addr --- source or destination IPv6 address --- ipv6.addr == 2001::5
  • ipv6.src --- source IPv6 address --- ipv6.src == 2001::5
  • ipv6.dst --- destination IPv6 address --- ipv6.dst == 2001::5
  • tcp.port --- source or destination TCP port --- tcp.port == 20
  • tcp.dstport --- destination TCP port --- tcp.dstport == 80
  • tcp.srcport --- source TCP port --- tcp.srcport == 60234
  • udp.port --- source or destination UDP port --- udp.port == 513
  • udp.dstport --- destination UDP port --- udp.dstport == 513
  • udp.srcport --- source UDP port --- udp.srcport == 40000
  • fr.dlci --- Frame Relay DLCI number --- fr.dlci == 112
  • icmp.type --- ICMP type code (decimal) --- icmp.type == 8
  • vtp.vlan_info.vlan_name --- VLAN name --- vtp.vlan_info.vlan_name == "TEST"
  • bgp.originator_id --- BGP originator ID (IPv4 address) --- bgp.originator_id == 192.168.10.15
  • bgp.next_hop --- BGP next hop (IPv4 address) --- bgp.next_hop == 192.168.10.15
  • rip.ip --- RIP IPv4 address --- rip.ip == 200.0.2.0
  • ospf.advrouter --- OSPF advertising router ID --- ospf.advrouter == 192.168.170.8
  • eigrp.as --- EIGRP autonomous system number --- eigrp.as == 100
  • hsrp.virt_ip --- HSRP virtual IP address --- hsrp.virt_ip == 192.168.23.250
  • vrrp.ip_addr --- VRRP virtual IP address --- vrrp.ip_addr == 192.168.23.250
  • zebra.dest4 --- ZEBRA destination IPv4 address --- zebra.dest4 == 10.10.10.10
  • wlan.addr --- source or destination MAC address --- wlan.addr == 00:1a:6b:ce:fc:bb
  • wlan.sa --- source MAC address --- wlan.sa == 00:1a:6b:ce:fc:bb
  • wlan.da --- destination MAC address --- wlan.da == 00:1a:6b:ce:fc:bb




 
  • eth.addr/eth.dst/eth.src [MAC addresses]
  • rip.auth.passwd [RIP password]
  • tcp.port/tcp.dstport/tcp.srcport [TCP ports]
  • tcp.flags [TCP flags]
  • udp.port/udp.dstport/udp.srcport [UDP ports]
  • http.authbasic [HTTP Basic Authentication credentials]
  • http.www_authenticate [HTTP WWW-Authenticate header]
  • http.data [HTTP data portion]
  • http.cookie [HTTP cookie]
  • http.referer [HTTP referer]
  • http.server [HTTP server]
  • http.user_agent [HTTP user agent]
  • wlan.fc.type eq 0 [802.11 management frame]
  • wlan.fc.type eq 1 [802.11 control frame]
  • wlan.fc.type eq 2 [802.11 data frame]
  • wlan.fc.type_subtype eq 0 [802.11 association request; subtype 1 = association response]
  • wlan.fc.type_subtype eq 2 [802.11 reassociation request; subtype 3 = reassociation response]
  • wlan.fc.type_subtype eq 4 [802.11 probe request; subtype 5 = probe response]
  • wlan.fc.type_subtype eq 8 [802.11 beacon frame]
  • wlan.fc.type_subtype eq 10 [802.11 disassociation]
  • wlan.fc.type_subtype eq 11 [802.11 authentication; subtype 12 = deauthentication]