100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

Wireshark Cheat Sheet

Wireshark Cheat Sheet

Covers Wireshark capture filters, display filters, and common workflows for analyzing network traffic and diagnosing security incidents.

2 PagesIntermediateFeb 12, 2026

Capture Filters (BPF syntax)

Applied before capture starts to limit which packets are recorded.

bash
host 192.168.1.10             # Traffic to/from a specific hostnet 192.168.1.0/24            # Traffic within a subnetport 443                      # Traffic on a specific porttcp port 80 or tcp port 443   # HTTP and HTTPS trafficnot broadcast and not multicast  # Exclude noisy broadcast traffic

Display Filters

Applied after capture to narrow down what's shown in the GUI.

text
ip.addr == 192.168.1.10        # Packets to/from an IPtcp.port == 443                # Packets on a TCP porthttp.request.method == "POST"  # HTTP POST requests onlydns.qry.name contains "example" # DNS queries containing a stringtcp.flags.syn == 1 and tcp.flags.ack == 0  # SYN packets (connection attempts)tcp.analysis.retransmission    # Show retransmitted packets

Key Analysis Features

Built-in tools for deeper packet and flow analysis.

  • Follow TCP Stream- Right-click a packet to reconstruct the full conversation
  • Statistics > Protocol Hierarchy- Breakdown of traffic by protocol
  • Statistics > Conversations- List of endpoint pairs and traffic volume
  • Statistics > IO Graph- Visualize traffic volume over time
  • Export Objects- Extract files transferred over HTTP/SMB/etc.

Indicators Worth Investigating

Traffic patterns commonly associated with attacks or malware.

  • Many SYN, no SYN-ACK response- Possible port scan or SYN flood
  • Repeated DNS queries to odd domains- Possible C2 beaconing or DGA malware
  • Unencrypted credentials in HTTP- Plaintext auth over insecure protocol
  • Large outbound transfers off-hours- Possible data exfiltration
  • ARP replies with mismatched MACs- Possible ARP spoofing / MITM
Pro Tip

Use 'tshark' (Wireshark's CLI companion) with the same display filter syntax to script large-scale pcap triage — e.g. tshark -r capture.pcap -Y "http.request" -T fields -e ip.src -e http.host — instead of loading massive files in the GUI.

Was this cheat sheet helpful?

Explore Topics

#Wireshark#WiresharkCheatSheet#Cybersecurity#Intermediate#Capture#Filters#BPF#Syntax#Networking#Security#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech

Professional Web Designing Services

  • Responsive Websites
  • E-commerce Solutions
  • SEO Friendly Design
  • Fast & Secure
  • Support & Maintenance
Get a Free Quote

Share this Cheat Sheet