Essential Network Packet Filtering Syntax Reference

Posted by Anonymous and classified in Computers

Basic Protocol Filters

Use these filters to quickly isolate traffic based on common protocols:

  • arp (Address Resolution Protocol)
  • dns (Domain Name System)
  • http (Hypertext Transfer Protocol)
  • https (HTTP Secure)
  • icmp (Internet Control Message Protocol)
  • ip (Internet Protocol)
  • ipv6 (Internet Protocol Version 6)
  • ntp (Network Time Protocol)
  • smtp (Simple Mail Transfer Protocol)
  • ftp (File Transfer Protocol)
  • ssh (Secure Shell)
  • tls (Transport Layer Security)
  • udp (User Datagram Protocol)
  • tcp (Transmission Control Protocol)
  • dhcp (Dynamic Host Configuration Protocol)
  • bootp (Bootstrap Protocol)
  • radius (Remote Authentication Dial-In User Service)
  • snmp (Simple Network Management Protocol)
  • kerberos
  • smb (Server Message Block)
  • nbns (NetBIOS Name Service)
  • nbss (NetBIOS Session Service)
  • quic (Quick UDP Internet Connections)

IP Address Filtering

ip.addr == x.x.x.x
Filters packets where the source or destination IP matches the address. Example: ip.addr == 192.168.0.102
ip.src == x.x.x.x
Filters packets originating from the specified source IP address. Example: ip.src == 192.168.0.102
ip.dst == x.x.x.x
Filters packets destined for the specified IP address. Example: ip.dst == 52.86.59.179
ip.addr == x.x.x.x/n
Filters packets matching an IP address within a specific subnet range. Example: ip.addr == 192.168.0.0/24

IP Version and TTL Filters

ip.version == 4
Filters for IPv4 packets only.
ip.version == 6
Filters for IPv6 packets only.
ip.ttl < 64
Filters packets whose Time-To-Live (TTL) value is less than 64, i.e. packets that have already crossed several hops or were sent with a low initial TTL.
ip.proto == 6
Filters packets using a specific IP protocol number (6 is TCP). Example: TCP only.

TCP and UDP Port Filters

tcp.port == n
Filters TCP traffic where the source or destination port matches n. Example: tcp.port == 443
udp.port == n
Filters UDP traffic where the source or destination port matches n. Example: udp.port == 53
tcp.srcport == n
Filters TCP packets originating from source port n. Example: tcp.srcport == 443
tcp.dstport == n
Filters TCP packets destined for port n. Example: tcp.dstport == 443
udp.srcport == n
Filters UDP packets originating from source port n. Example: udp.srcport == 53
udp.dstport == n
Filters UDP packets destined for port n. Example: udp.dstport == 53

Filtering by TCP Flags

These filters help isolate specific stages of the TCP handshake or connection termination:

tcp.flags.syn == 1 and tcp.flags.ack == 0
Filters for SYN packets (initial connection request).
tcp.flags.syn == 1 and tcp.flags.ack == 1
Filters for SYN-ACK packets (connection acknowledgment).
tcp.flags.ack == 1
Filters for ACK packets (acknowledgment flag set).
tcp.flags.fin == 1
Filters for FIN packets (graceful connection termination).
tcp.flags.reset == 1
Filters for RST packets (abrupt connection reset).
tcp.flags.push == 1
Filters for PSH packets (data pushed immediately).
tcp.flags.urg == 1
Filters for URG packets (urgent pointer field significant).
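The flag filters above read individual bits of the TCP flags byte. The following added Python example (not part of the original cheat sheet) decodes that byte from a raw 20-byte TCP header exactly as the tcp.flags.* fields expose it, and classifies each segment of a constructed handshake and teardown into the stages the filters isolate. The header bytes are built in the block itself and are not a real capture.

```python
import struct

# Bit positions of the TCP flags byte (byte 13 of the header), named as Wireshark names them.
FLAGS = {
    "fin": 0x01, "syn": 0x02, "reset": 0x04, "push": 0x08,
    "ack": 0x10, "urg": 0x20, "ece": 0x40, "cwr": 0x80,
}


def parse_tcp_flags(tcp_header: bytes) -> dict:
    """Return {'syn': 0/1, 'ack': 0/1, ...}, mirroring the tcp.flags.* display fields."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    flags_byte = tcp_header[13]          # byte 12 = data offset/reserved, byte 13 = flags
    return {name: int(bool(flags_byte & bit)) for name, bit in FLAGS.items()}


def classify_segment(flags: dict) -> str:
    """Map a flag set to the connection stage the filters above isolate.

    Order matters: RST wins, then SYN / SYN-ACK, then FIN, then a plain ACK
    (a PSH+ACK data segment is still matched by 'tcp.flags.ack == 1').
    """
    if flags["reset"]:
        return "RST"
    if flags["syn"] and not flags["ack"]:
        return "SYN"
    if flags["syn"] and flags["ack"]:
        return "SYN-ACK"
    if flags["fin"]:
        return "FIN"
    if flags["ack"]:
        return "ACK"
    return "OTHER"


def build_tcp_header(sport, dport, flags_byte, seq=0, ack=0, window=65535) -> bytes:
    """Constructed 20-byte TCP header (no options, zero checksum) with the given flags byte."""
    offset_flags = (5 << 12) | flags_byte  # data offset = 5 words, reserved bits 0
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


# Constructed sample: three-way handshake, one data segment, graceful FIN, then an RST.
HANDSHAKE = [
    build_tcp_header(51514, 443, FLAGS["syn"], seq=1000),
    build_tcp_header(443, 51514, FLAGS["syn"] | FLAGS["ack"], seq=5000, ack=1001),
    build_tcp_header(51514, 443, FLAGS["ack"], seq=1001, ack=5001),
    build_tcp_header(51514, 443, FLAGS["push"] | FLAGS["ack"], seq=1001, ack=5001),
    build_tcp_header(443, 51514, FLAGS["fin"] | FLAGS["ack"], seq=5001, ack=1300),
    build_tcp_header(51514, 443, FLAGS["reset"], seq=1300),
]


def classify_all(headers):
    """Classify a list of raw TCP headers; used for the sample above."""
    return [classify_segment(parse_tcp_flags(h)) for h in headers]


if __name__ == "__main__":
    for h, stage in zip(HANDSHAKE, classify_all(HANDSHAKE)):
        set_flags = [n for n, v in parse_tcp_flags(h).items() if v]
        print(f"{stage:8s} flags={set_flags}")
```

Running the block prints one line per constructed segment; `parse_tcp_flags` on the first header gives syn=1, ack=0, which is exactly the condition the first filter in this section expresses.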

Advanced TCP Analysis Filters

tcp.len > 0
Filters for TCP packets carrying actual data payload.
tcp.window_size_value > 10000
Filters for packets advertising a large TCP window size.
tcp.analysis.retransmission
Filters for general TCP retransmissions.
tcp.analysis.fast_retransmission
Filters for fast retransmissions.
tcp.analysis.duplicate_ack
Filters for duplicate ACKs (often indicating packet loss).
tcp.analysis.out_of_order
Filters for out-of-order packets.
tcp.analysis.lost_segment
Filters for segments identified as lost.
tcp.analysis.flags
Filters for all TCP analysis issues.

TLS and SSL Traffic Filtering

tls
Filters for all TLS/SSL packets.

Filtering by TLS Handshake Type

tls.handshake.type == 1
Filters for Client Hello messages.
tls.handshake.type == 2
Filters for Server Hello messages.
tls.handshake.type == 11
Filters for Certificate messages.
tls.handshake.type == 12
Filters for Server Key Exchange messages.
tls.handshake.type == 16
Filters for Client Key Exchange messages.
tls.handshake.type == 20
Filters for Finished messages.
tls.handshake.type == 4
Filters for New Session Ticket messages.

Filtering by TLS Record Content Type

tls.record.content_type == 20
Filters for Change Cipher Spec records.
tls.record.content_type == 21
Filters for Alert records.
tls.record.content_type == 22
Filters for Handshake records.
tls.record.content_type == 23
Filters for Application Data records.

Filtering by Server Name Indication (SNI)

tls.handshake.extensions_server_name == "hostname"
Filters traffic based on the requested server name. Example: tls.handshake.extensions_server_name == "auth.grammarly.com"
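The three TLS sections above (handshake type, record content type, and SNI) all read fields from the same few bytes of a TLS record. This added Python example, written for this reference and not taken from the page or from Wireshark, parses a record header into content_type, pulls the handshake type out of a Handshake record, and walks a ClientHello to the server_name extension. The ClientHello it parses is constructed in the block (zeroed random, one cipher suite, a made-up hostname) and is not a real capture.

```python
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 4: "NewSessionTicket", 11: "Certificate",
                   12: "ServerKeyExchange", 16: "ClientKeyExchange", 20: "Finished"}
EXT_SERVER_NAME = 0  # extension type for server_name (SNI)


def parse_client_hello_sni(hello: bytes):
    """Walk a ClientHello body to the server_name extension; return the hostname or None."""
    pos = 2 + 32                                    # legacy_version + random
    sid_len = hello[pos]; pos += 1 + sid_len        # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
    comp_len = hello[pos]; pos += 1 + comp_len      # compression_methods
    if pos + 2 > len(hello):
        return None                                 # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        ext = hello[pos:pos + ext_len]; pos += ext_len
        if ext_type == EXT_SERVER_NAME and len(ext) >= 5:
            # ServerNameList: 2-byte list length, then name_type(1) + name_len(2) + name
            name_type = ext[2]
            name_len = struct.unpack("!H", ext[3:5])[0]
            if name_type == 0:                      # host_name
                return ext[5:5 + name_len].decode("ascii", "replace")
    return None


def parse_tls_record(data: bytes) -> dict:
    """Return the fields behind tls.record.content_type and tls.handshake.type (plus SNI)."""
    if len(data) < 5:
        raise ValueError("short TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record")
    info = {"content_type": content_type,
            "content_type_name": CONTENT_TYPES.get(content_type, "unknown"),
            "version": version, "length": length}
    if content_type == 22 and len(body) >= 4:       # Handshake record
        hs_type = body[0]
        hs_len = int.from_bytes(body[1:4], "big")
        info["handshake_type"] = hs_type
        info["handshake_type_name"] = HANDSHAKE_TYPES.get(hs_type, "unknown")
        if hs_type == 1:
            info["server_name"] = parse_client_hello_sni(body[4:4 + hs_len])
    return info


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello record carrying an SNI extension."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext_body)) + sni_ext_body
    body = (b"\x03\x03" + bytes(32)                 # legacy_version + zeroed (constructed) random
            + b"\x00"                               # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
            + b"\x01\x00"                           # compression_methods: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample records: a ClientHello, an Alert, and an Application Data record.
SAMPLES = [
    build_client_hello("www.example.net"),
    b"\x15\x03\x03\x00\x02\x02\x28",               # Alert: fatal, handshake_failure
    b"\x17\x03\x03\x00\x03abc",                     # Application Data (opaque payload)
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(parse_tls_record(rec))
```

The record content_type byte is what `tls.record.content_type == 22` tests, and the first byte of the handshake body is `tls.handshake.type`; the SNI walk shows why `tls.handshake.extensions_server_name` only ever matches ClientHello records, since that is the only message carrying the extension in clear text.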

DNS Traffic Filtering

dns.flags.response == 0
Filters for DNS Queries.
dns.flags.response == 1
Filters for DNS Responses.
dns.qry.name == "domain.com"
Filters queries for a specific domain name. Example: dns.qry.name == "google.com"
dns.flags.rcode == 0
Filters for successful DNS responses (No Error).
dns.flags.rcode != 0
Filters for failed DNS queries (any error code).

Filtering by DNS Record Type

dns.a
Filters responses that contain an A record (IPv4 address mapping).
dns.aaaa
Filters responses that contain an AAAA record (IPv6 address mapping).
dns.mx
Filters responses that contain an MX record (Mail Exchange).
dns.cname
Filters responses that contain a CNAME record (Canonical Name).
dns.a == 8.8.8.8
Filters DNS responses mapping to the specific IPv4 address 8.8.8.8.
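The DNS filters above correspond to bits in the 16-bit flags word of the DNS header (QR is the top bit, RCODE the low four bits) and to the question and answer sections that follow it. As an added example, not from the original page, the following Python parses a DNS message far enough to recover dns.flags.response, dns.flags.rcode, dns.qry.name and any dns.a answers, and reports which of the filters in this section the message would satisfy. The query and response messages are constructed inside the block with placeholder names and addresses, not captured traffic.

```python
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, pos: int):
    """Decode a (possibly compressed) name; return (name, position after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[pos]
        if (length & 0xC0) == 0xC0:                  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if not jumped:
                end = pos + 2
            jumped, pos = True, ptr
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels), (end if jumped else pos)


def parse_dns(msg: bytes) -> dict:
    """Header flags, first question, and A-record answers, named like the Wireshark fields."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": tid, "response": (flags >> 15) & 1, "rcode": flags & 0xF,
            "qry_name": None, "qry_type": None, "a": []}
    pos = 12
    for _ in range(qd):
        name, pos = decode_name(msg, pos)
        qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4]); pos += 4
        info["qry_name"], info["qry_type"] = name, qtype
    for _ in range(an):
        _, pos = decode_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10]); pos += 10
        rdata = msg[pos:pos + rdlen]; pos += rdlen
        if rtype == 1 and rdlen == 4:                # A record: four-byte IPv4 address
            info["a"].append(".".join(str(b) for b in rdata))
    return info


def matching_filters(info: dict) -> list:
    """Which of this section's display filters the parsed message satisfies."""
    hits = ["dns.flags.response == %d" % info["response"]]
    hits.append("dns.flags.rcode == 0" if info["rcode"] == 0 else "dns.flags.rcode != 0")
    if info["a"]:
        hits.append("dns.a")
    return hits


def build_query(tid: int, name: str) -> bytes:
    """Constructed standard query (QR=0, RD=1) for an A record."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(tid: int, name: str, addresses, rcode: int = 0) -> bytes:
    """Constructed response (QR=1, RD, RA) with one A record per address, using a name pointer."""
    header = struct.pack("!HHHHHH", tid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", 1, 1)
    for addr in addresses:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += bytes(int(o) for o in addr.split("."))
    return msg


# Constructed samples: a query, its answer, and a failed lookup (RCODE 3 = NXDOMAIN).
QUERY = build_query(0x1234, "example.com")
RESPONSE = build_response(0x1234, "example.com", ["93.184.216.34", "93.184.216.35"])
NXDOMAIN = build_response(0x1235, "nope.invalid", [], rcode=3)

if __name__ == "__main__":
    for msg in (QUERY, RESPONSE, NXDOMAIN):
        info = parse_dns(msg)
        print(info["qry_name"], matching_filters(info), info["a"])
```

Note that `dns.flags.rcode` is present (and zero) in queries too, so `dns.flags.rcode != 0` is the filter that isolates failures while `dns.flags.response == 1 and dns.flags.rcode == 0` isolates successful answers specifically.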

HTTP Traffic Filtering

http
Filters for all HTTP traffic (requests and responses).
http.request
Filters for all HTTP requests.
http.response
Filters for all HTTP responses.
http.request.method == "GET"
Filters for HTTP GET requests.
http.request.method == "POST"
Filters for HTTP POST requests.
http.host == "example.com"
Filters traffic destined for a specific host header. Example: http.host == "google.com"
http.user_agent contains "Mozilla"
Filters traffic based on content within the User-Agent header.
http.response.code == 200
Filters for successful HTTP responses (OK).
http.response.code == 404
Filters for HTTP Not Found responses.

DHCP and BOOTP Filtering

bootp
Filters for all DHCP/BOOTP traffic. Note that Wireshark 3.0 and later renamed this dissector to dhcp, so on current versions the equivalents are dhcp and dhcp.option.dhcp; the bootp.* names below apply to older releases.
bootp.option.dhcp == 3
Filters for DHCP Request messages.
bootp.option.dhcp == 5
Filters for DHCP ACK messages.

ARP (Address Resolution Protocol) Filtering

arp
Filters for all ARP packets.
arp.opcode == 1
Filters for ARP Requests.
arp.opcode == 2
Filters for ARP Replies.

ICMP (Internet Control Message Protocol) Filtering

icmp.type == 8
Filters for Echo Request (Ping).
icmp.type == 0
Filters for Echo Reply.
icmp.type == 3
Filters for Destination Unreachable messages.
icmp.type == 11
Filters for Time Exceeded messages.

Frame and Ethernet Layer Filtering

frame.len > n
Filters packets based on the total frame length (in bytes). Example: frame.len > 1000
frame.time >= "YYYY-MM-DD HH:MM:SS"
Filters packets captured after a specific timestamp. Example: frame.time >= "2025-08-30 10:00:00"
eth.addr == xx:xx:xx:xx:xx:xx
Filters packets where the source or destination MAC address matches. Example: eth.addr == 00:0a:95:9d:68:16
eth.src == xx:xx:xx:xx:xx:xx
Filters packets originating from the specified source MAC address. Example: eth.src == 00:0a:95:9d:68:16
eth.dst == xx:xx:xx:xx:xx:xx
Filters packets destined for the specified MAC address. Example: eth.dst == 00:0a:95:9d:68:16

Logical Operators for Complex Filtering

Combine simple filters to create highly specific capture criteria:

  • AND: filter1 and filter2
    Requires both conditions to be true. Example: ip.addr == 192.168.0.102 and tcp.port == 443
  • OR: filter1 or filter2
    Requires at least one condition to be true. Example: dns or http
  • NOT: not filter
    Excludes packets matching the filter. Example: not arp

String Matching Techniques

Equality Match: field == "string"
Filters packets where the field exactly matches the specified string. Example: dns.qry.name == "example.com"
Substring Match: field contains "substring"
Filters packets where the field contains the specified substring. Example: http.user_agent contains "Mozilla"

Numeric Comparison Operators

Use standard comparison operators (>, <, >=, <=, ==, !=) for numeric fields:

Greater Than: field > n
Filters packets where the field value is greater than n. Example: frame.len > 500
Less Than: field < n
Filters packets where the field value is less than n. Example: ip.ttl < 32

Subnet and CIDR Matching

Filter traffic based on IP address ranges using CIDR notation:

Source Subnet: ip.src == 10.0.0.0/8
Filters all packets originating from the 10.x.x.x network range.
Destination Subnet: ip.dst == 192.168.1.0/24
Filters all packets destined for the 192.168.1.x subnet.
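The operator sections above (and/or/not, string equality and contains, numeric comparison, CIDR matching) describe the evaluation rules a display filter engine applies to decoded fields. The following added Python example, written for this reference and not part of Wireshark or the original page, implements a small evaluator for that subset over packets represented as field dictionaries: precedence is or < and < not, two-sided fields such as ip.addr and tcp.port match either direction, a bare protocol name tests presence, and an IP compared against a CIDR block is a membership test. The sample packets are constructed here (addresses and MACs are placeholders), not a real capture.

```python
import ipaddress
import operator
import re

# Tokens: parentheses, comparison operators, quoted strings, field names/keywords,
# and bare numbers, IPv4/IPv6 addresses, CIDR blocks or MAC addresses.
TOKEN_RE = re.compile(r'\s*(\(|\)|==|!=|>=|<=|>|<|"[^"]*"|[A-Za-z_][\w.]*|[\d.:/a-fA-F]+)')
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
       ">=": operator.ge, "<=": operator.le}
# Fields that match either direction, as ip.addr / tcp.port do.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "eth.addr": ("eth.src", "eth.dst"),
           "tcp.port": ("tcp.srcport", "tcp.dstport"), "udp.port": ("udp.srcport", "udp.dstport")}


def tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise SyntaxError("bad token at %r" % expr[pos:])
        tokens.append(m.group(1)); pos = m.end()
    return tokens


def field_values(pkt, field):
    """All values a field name refers to in a packet ([] when absent)."""
    if field in ALIASES:
        return [pkt[f] for f in ALIASES[field] if f in pkt]
    if field in pkt:
        return pkt[field] if isinstance(pkt[field], list) else [pkt[field]]
    # A bare protocol name (dns, http, arp) is present when any of its fields is.
    return [True] if any(k.startswith(field + ".") for k in pkt) else []


def compare(value, op, raw):
    """One comparison with type-aware coercion: strings, ints, IPs, CIDR blocks, MACs."""
    if op == "contains":
        return raw.strip('"') in str(value)
    if raw.startswith('"'):
        return OPS[op](str(value), raw[1:-1])
    if isinstance(value, str):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:                      # MAC address or other text
            return OPS[op](value.lower(), raw.lower())
        if "/" in raw:                          # CIDR: == means inside, != means outside
            inside = addr in ipaddress.ip_network(raw, strict=False)
            return inside if op == "==" else not inside
        return OPS[op](addr, ipaddress.ip_address(raw))
    return OPS[op](value, int(raw))


class Filter:
    """Recursive-descent parser with precedence or < and < not < atom."""
    def __init__(self, expr):
        self.tokens, self.pos = tokenize(expr.strip()), 0
        self.tree = self._binary("or", lambda: self._binary("and", self._not))
        if self.pos != len(self.tokens):
            raise SyntaxError("unexpected token %r" % self.tokens[self.pos])
    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def _next(self):
        if self.pos >= len(self.tokens):
            raise SyntaxError("unexpected end of filter")
        self.pos += 1
        return self.tokens[self.pos - 1]
    def _binary(self, word, sub):
        node = sub()
        while self._peek() == word:
            self._next(); node = (word, node, sub())
        return node
    def _not(self):
        if self._peek() == "not":
            self._next(); return ("not", self._not())
        return self._atom()
    def _atom(self):
        tok = self._next()
        if tok == "(":
            node = self._binary("or", lambda: self._binary("and", self._not))
            if self._next() != ")":
                raise SyntaxError("expected ')'")
            return node
        if self._peek() in OPS or self._peek() == "contains":
            op = self._next(); return ("cmp", tok, op, self._next())
        return ("exists", tok)
    def matches(self, pkt):
        return self._eval(self.tree, pkt)
    def _eval(self, node, pkt):
        kind = node[0]
        if kind == "or":  return self._eval(node[1], pkt) or self._eval(node[2], pkt)
        if kind == "and": return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        if kind == "not": return not self._eval(node[1], pkt)
        if kind == "exists": return bool(field_values(pkt, node[1]))
        _, field, op, raw = node
        return any(compare(v, op, raw) for v in field_values(pkt, field))


# Constructed sample packets as decoded field dictionaries (placeholder values, not a capture).
PACKETS = [
    {"eth.src": "00:0a:95:9d:68:16", "eth.dst": "00:1b:44:11:3a:b7", "ip.src": "192.168.0.102",
     "ip.dst": "52.86.59.179", "ip.ttl": 64, "tcp.srcport": 51514, "tcp.dstport": 443, "frame.len": 1514},
    {"ip.src": "192.168.0.102", "ip.dst": "192.168.0.1", "ip.ttl": 64, "udp.srcport": 40000,
     "udp.dstport": 53, "dns.qry.name": "example.com", "dns.flags.response": 0, "frame.len": 74},
    {"ip.src": "10.20.30.40", "ip.dst": "192.168.1.7", "ip.ttl": 30, "tcp.srcport": 80,
     "tcp.dstport": 52000, "http.user_agent": "Mozilla/5.0", "http.response.code": 200, "frame.len": 600},
    {"eth.src": "aa:bb:cc:dd:ee:ff", "arp.opcode": 1, "frame.len": 42},
]


def select(expr, packets=PACKETS):
    """Indices of the packets a filter expression matches."""
    f = Filter(expr)
    return [i for i, p in enumerate(packets) if f.matches(p)]
```

`select("ip.addr == 192.168.0.102 and tcp.port == 443")` returns only the first packet, while `select("(dns or http) and not ip.addr == 10.0.0.0/8")` returns only the DNS packet, which shows the precedence rule and the CIDR membership test working together.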