Wireshark is a packet capturing and protocol analysis tool, which is inarguably the best friend of any network engineer. Below is a list of the most frequently used Wireshark display filters for analyzing network traffic.
1. Filter the packets by IP
This is the most common filter; it displays only the packets that have the given IP address as either the source or the destination.
ip.addr == 10.10.10.10
The src and dst fields in the ip namespace filter on the source address or the destination address respectively.
ip.src == 10.10.10.10
ip.dst == 10.10.10.10
2. Screen the packets by TCP or UDP port number
The [tcp|udp].port filter matches packets that have the given value as either the source port or the destination port. To match only the source port or only the destination port, use the specific filters [tcp|udp].srcport or [tcp|udp].dstport.
tcp.port == port_no
tcp.srcport == port_no
tcp.dstport == port_no
3. Filter by application name
Instead of specifying the port number, you can enter the application protocol name directly to display only the traffic of interest. The filter bar indicates whether the filter phrase is valid by changing colour: red means invalid and green means valid.
http
dns
dhcp
and so on.
4. Filter the conversation between two nodes
You can use the logical AND and OR operators to combine multiple filters. In the context of display filters, AND means that a packet is displayed only if it satisfies both conditions, whereas OR means that either condition suffices for the packet to be displayed. For example, the display filter to see the conversation between 192.168.1.10 and 192.168.1.20 would be
ip.addr == 192.168.1.10 and ip.addr == 192.168.1.20
Using or instead of and would show every packet involving either host, including its traffic with third parties, not just the conversation between the two.
5. Filter the TCP status packets
tcp.flags.[syn|ack|fin|push|reset|urg] == 1
Each flag is a boolean field, so comparing it with 1 selects the packets in which that flag is set.
6. Filter by word in the payload
The contains keyword finds the packets whose payload includes the given word. This is an excellent filter for locating usernames or other strings.
tcp contains traffic
7. Filter by hex value
udp contains 30:4F:6D
This searches for UDP packets that contain the byte sequence 0x30, 0x4F, 0x6D at any offset.
8. Narrow your focus by excluding the unwanted traffic
!(arp or dns or netbios)
This filter displays all packets except ARP, DNS and NetBIOS.
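To make the semantics of filters 1 to 8 concrete, here is an added Python example (not part of the original article and not Wireshark's own filter engine). It implements a toy evaluator for the filter forms shown above over a small hand-constructed set of packets: field == value, a bare protocol name, proto contains with either a string or a colon-separated hex sequence, and, or, ! and parentheses. Packet contents, the _protos key and the <proto>.data key are assumptions of this toy model; it shows that ip.addr and tcp.port match either direction, that and rather than or isolates a two-host conversation, and that contains finds a byte sequence at any offset.

```python
import re
from typing import Callable, Dict, List

Packet = Dict[str, object]
Pred = Callable[[Packet], bool]

# Constructed sample "capture" (hand-written, not real traffic). Keys mimic
# Wireshark field names; ``_protos`` lists the layers present in the packet and
# ``<proto>.data`` holds the bytes that ``<proto> contains ...`` searches.
PACKETS: List[Packet] = [
    # 1: TCP SYN from .10 to .20 (start of the .10 <-> .20 conversation)
    {"_protos": {"ip", "tcp"}, "ip.src": "192.168.1.10", "ip.dst": "192.168.1.20",
     "tcp.srcport": 51000, "tcp.dstport": 80, "tcp.flags.syn": 1, "tcp.flags.ack": 0,
     "tcp.flags.push": 0, "tcp.data": b""},
    # 2: SYN/ACK back from .20 to .10
    {"_protos": {"ip", "tcp"}, "ip.src": "192.168.1.20", "ip.dst": "192.168.1.10",
     "tcp.srcport": 80, "tcp.dstport": 51000, "tcp.flags.syn": 1, "tcp.flags.ack": 1,
     "tcp.flags.push": 0, "tcp.data": b""},
    # 3: HTTP request from .10 to a third host (not part of the .10 <-> .20 conversation)
    {"_protos": {"ip", "tcp", "http"}, "ip.src": "192.168.1.10", "ip.dst": "10.10.10.10",
     "tcp.srcport": 51001, "tcp.dstport": 80, "tcp.flags.syn": 0, "tcp.flags.ack": 1,
     "tcp.flags.push": 1, "tcp.data": b"GET /?q=traffic HTTP/1.1\r\nHost: example.test\r\n"},
    # 4: DNS query over UDP
    {"_protos": {"ip", "udp", "dns"}, "ip.src": "192.168.1.10", "ip.dst": "192.168.1.1",
     "udp.srcport": 40000, "udp.dstport": 53, "udp.data": b"\x12\x34\x01\x00"},
    # 5: NetBIOS name-service datagram carrying the bytes 30 4F 6D at offset 2
    {"_protos": {"ip", "udp", "netbios"}, "ip.src": "192.168.1.30", "ip.dst": "192.168.1.255",
     "udp.srcport": 137, "udp.dstport": 137, "udp.data": b"\x00\x01\x30\x4f\x6d\x00"},
    # 6: ARP request (no IP layer at all)
    {"_protos": {"arp"}},
]

# Convenience fields that match either direction, as in Wireshark.
ALIASES = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}
HEX_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})+$")  # e.g. 30:4F:6D
TOKEN_RE = re.compile(r"\(|\)|!|==|[^\s()=!]+")


def _field_values(pkt: Packet, name: str) -> list:
    return [pkt[k] for k in ALIASES.get(name, (name,)) if k in pkt]


def _needle(text: str) -> bytes:
    """A colon-separated hex list becomes raw bytes; anything else is a literal string."""
    if HEX_RE.match(text):
        return bytes.fromhex(text.replace(":", ""))
    return text.strip('"').encode()


def compile_filter(expr: str) -> Pred:
    """Recursive-descent parse of the filter text into a predicate over one packet."""
    toks = TOKEN_RE.findall(expr)
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of filter: " + expr)
        pos += 1
        return toks[pos - 1]

    def parse_or():                      # or binds loosest
        left = parse_and()
        while peek() in ("or", "||"):
            take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, parse_and())
        return left

    def parse_and():                     # and binds tighter than or
        left = parse_not()
        while peek() in ("and", "&&"):
            take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, parse_not())
        return left

    def parse_not():                     # ! / not, then parentheses, then an atom
        if peek() in ("!", "not"):
            take()
            inner = parse_not()
            return lambda p: not inner(p)
        if peek() == "(":
            take()
            inner = parse_or()
            if take() != ")":
                raise ValueError("expected ')' in filter: " + expr)
            return inner
        return parse_atom()

    def parse_atom():
        name = take()
        if peek() == "==":               # field == value (ip.addr / tcp.port try both directions)
            take()
            value = take()
            return lambda p: any(str(v) == value for v in _field_values(p, name))
        if peek() == "contains":         # proto contains string|hex, at any offset
            take()
            needle = _needle(take())
            return lambda p: name in p["_protos"] and needle in p.get(name + ".data", b"")
        return lambda p: name in p["_protos"]   # bare protocol name: that layer is present

    pred = parse_or()
    if pos != len(toks):
        raise ValueError("trailing tokens in filter: " + expr)
    return pred


def apply_filter(expr: str, packets: List[Packet] = PACKETS) -> List[int]:
    """Return the 1-based numbers of the packets the filter matches (like Wireshark's No. column)."""
    pred = compile_filter(expr)
    return [i for i, p in enumerate(packets, 1) if pred(p)]


if __name__ == "__main__":
    for f in ("ip.addr == 192.168.1.10 and ip.addr == 192.168.1.20",
              "ip.addr == 192.168.1.10 or ip.addr == 192.168.1.20",
              "udp contains 30:4F:6D", "!(arp or dns or netbios)"):
        print(f"{f:55s} -> {apply_filter(f)}")
```

Running it shows the difference the conversation filter depends on: the and form returns only packets 1 and 2, while the or form also returns packets 3 and 4, which are 192.168.1.10 talking to other hosts.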
9. List all TCP retransmissions
In a lossy network, retransmissions occur at a higher rate. To study the retransmissions, the filter would be
10. List all the problematic packets