wireshark-logoNow and then, especially when you expect less, the network crashes or encounter an issue and then you had to troubleshoot. Sometime the problem is right there, you can see it and it’s easy to fix, but in other cases you’ll have to put an eye in the packets that are traveling through it and search deeper for the solution. When it comes to network sniffing or packet capturing or whatever you want to call it, I believe that the name Wireshark (formerly Ethereal) ring a bell in your head.

Wireshark is one of the world’s foremost network protocol analyzer, and is the de facto standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998. Some features of Wireshark:
– Deep inspection of hundreds of protocols, with more being added all the time
– Live capture and offline analysis
– Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
– Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
– Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and   uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
– Capture files compressed with gzip can be decompressed on the fly
– Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platfrom)
– Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2

Wireshark is extremely useful when it comes to network troubleshooting as it capture the packets and you can have a detail look into them checking if everything is OK in parameters, message, format and so on. The problem is that if you capture the packets traveling through a backbone router you will end having  huge file ( yes, even up to 1G if you capture long enough) and a lot packets details in it. From this tons of information maybe you are interested in only a minor part like BGP traffic or a certain IP source and destination. Here is the part where Wireshark filters come into play.

There are 2 type of Wireshark filters:

– DISPLAY FILTERS – after you capture a lot of information, they help you to visualize only the packets that you are interested in
– CAPTURE FILTERS – from the beginning you know what is the interest for you and capture only those packets

I would recommed to use the Capture filters, when you know what are you looking for and you run the capture for more than couple of hours in a heavy traffic environment. This will help you stay in a reasonable amount on information being captured and file size.
If you run the packet capture for less time, like one or two hours, and you are not very sure what are you looking for, then I recommend to capture all the traffic and then use Display filters to visualize only the information that you are searching for.

For today I put together a list with the most useful Wireshark display filters. I compiled this list based on my personal experience and on my friends and colleagues advices. If you think that something is missing, or you are using a Display filter that might be useful for others please feel free to add it to a Comment to this topic and I will update the list. In one of the future posts I will show you how to capture the traffic and apply some of this filters.

DISPLAY FILTER EXPLANATION EXAMPLE
eth.addr source or destination mac-address eth.addr == 00:1a:6b:ce:fc:bb
eth.src source mac-address eth.src == 00:1a:6b:ce:fc:bb
eth.dst destination mac-address eth.dst == 00:1a:6b:ce:fc:bb
arp.dst.hw_mac target mac-address arp.dst.hw_mac == 00:1a:6b:ce:fc:bb
arp.dst.proto_ipv4 target IPv4 address arp.dst.proto_ipv4 == 10.10.10.10
arp.src.hw_mac sender mac-address arp.src.hw_mac == 00:1a:6b:ce:fc:bb
arp.src.proto_ipv4 sender IPv4 address arp.src.proto_ipv4 == 10.10.10.10
vlan.id vlan ID vlan.id == 16
ip.addr source or destination IPv4 address ip.addr == 10.10.10.10
ip.dst destination IPv4 address ip.addr == 10.10.10.10
ip.src source IPv4 address ip.src == 10.10.10.10
ip.proto IP protocol (decimal) ip.proto == 1
ipv6.addr source or destination IPv6 address ipv6.addr == 2001::5
ipv6.src source IPv6 address ipv6.addr == 2001::5
ipv6.dst destination IPv6 address ipv6.dst == 2001::5
tcp.port source or destination TCP port tcp.port == 20
tcp.dstport destination TCP port tcp.dstport == 80
tcp.srcport source TCP port tcp.srcport == 60234
udp.port source or destination UDP port udp.port == 513
udp.dstport destination UDP port udp.dstport == 513
udp.srcport source UDP port udp.srcport == 40000
fr.dlci Frame-Relay DLCI number fr.dlci == 112
icmp.type ICMP type code (decimal) icmp.type == 8
vtp.vlan_info.vlan_name VLAN name vtp.vlan_info.vlan_name == TEST
bgp.originator_id BGP id (IPv4 address) bgp.originator_id == 192.168.10.15
bgp.next_hop BGP Next Hop (IPv4 address) bgp.next_hop == 192.168.10.15
rip.ip RIP IPv4 address rip.ip == 200.0.2.0
ospf.advrouter OSPF advertising router ID ospf.advrouter == 192.168.170.8
eigrp.as EIGRP autonomous system number eigrp.as == 100
hsrp.virt_ip HSRP virtual IP address hsrp.virt_ip == 192.168.23.250
vrrp.ip_addr VRRP virtual IP address vrrp.ip_addr == 192.168.23.250
zebra.dest4 ZEBRA destination IPv4 address zebra.dest4 == 10.10.10.10
wlan.addr source or destination MAC address wlan.addr == 00:1a:6b:ce:fc:bb
wlan.sa source MAC address wlan.sa == 00:1a:6b:ce:fc:bb
wlan.da destination MAC address wlan.da == 00:1a:6b:ce:fc:bb

Materials that helped me for this post:
http://packetlife.net/static/cheatsheets/wireshark-display-filters.pdf – thanks Jeremy Stretch
http://www.wireshark.org/docs/dfref/ – here you can find the full list of filters – thanks developers of Wireshark

Wireshark’s most useful display filters
Tagged on:                 

12 thoughts on “Wireshark’s most useful display filters

  • November 9, 2009 at 03:46
    Permalink

    Do you have an example of a filter that shows only DNS server addresses being used by clients on the LAN?
     
    Thank you!

    Reply
  • November 9, 2009 at 17:55
    Permalink

    If you type “dns” (without quotes)  in the Filter field of Wireshark, do you obtain what you want? In this way you can see only the DNS traffic that it’s flowing from the LAN interface.

    If this isn’t what you intended, please add some more details to your request.

    Good luck!

    Reply
  • January 5, 2010 at 12:23
    Permalink

    I need to filter and analyze IP packets on port 110.  I used the filter commend tcp.port == 110 but I got nothing.
    Port 110 is used for POP3, but I don’t know how to get the “POP3 traffic” flowing.

    Thank you!
     

    Reply
  • May 11, 2010 at 16:37
    Permalink

    for pop3 u can use outlook express but it's only for SMTP if I have right I don't know if I have help something but try

    Reply
  • May 13, 2010 at 00:46
    Permalink

    I need to filter and analyze IP packets on port 110. I used the filter commend tcp.port == 110 but I got nothing.
    Port 110 is used for POP3, but I don’t know how to get the “POP3 traffic” flowing.

    Thank you!

    Reply
  • June 4, 2010 at 22:25
    Permalink

    Hi Adrian
    Just use capture filer -> port 110

    That’s it

    Reply
  • Pingback: Wireshark continuation | Jimrunsdorf

  • Pingback: Wireshark’s most useful display filters | FirstDigest | Networking

  • August 21, 2014 at 06:14
    Permalink

    Hi I have a capture file and i would like to know the MAC address of 192.168.1.13 in that capture file. How do i find out

    Reply
  • August 28, 2014 at 12:20
    Permalink

    Hello Suresh,

    You can find the MAC address associated with 192.168.1.13 only if you did capture the file on the host with that IP address or on the next L3 hop (the gateway of 192.168.1.13).

    The IP communication taking place at Layer 3 and it is end-to-end, so you can see in a captured file the source and destination. The Layer 2 communication is hop-to-hop, so the MAC address which you can see (like DST MAC in Wireshark) is actually the next L2 hop where the information is send and not the real MAC address of the IP address which is source or destination (depending on the flow direction).

    HTH,
    Calin

    Reply
  • Pingback: How To Get Ip Address From Skype With Wireshark | Information

Leave a Reply

%d bloggers like this: