Wireshark Filters Cheat Sheet
Wireshark Filters Cheat Sheet
FILTERS
SWIPE
eth.addr == Source or destination address
eth.src == Source address
eth.dst == Destination address
eth.type == Protocol type
eth.len == Frame length
eth.trailer == Trailer data
eth.ig == Individual/Group (IG) bit
eth.lg == Local/Global (LG) bit
arp.opcode == Operation code
arp.hw.type == Hardware type
arp.hw.size == Hardware address length
arp.proto.type == Protocol type
arp.proto.size == Protocol address length
arp.src.hw_mac == Sender MAC address
arp.src.proto_ipv4 == Sender IP address
arp.dst.hw_mac == Target MAC address
arp.dst.proto_ipv4 == Target IP address
ip.version == IP version
ip.hdr_len == Header length
ip.len == Total length
ip.id == Identification
ip.ttl == Time to Live
ip.proto == Protocol
ip.src == Source IP
ip.dst == Destination IP
ip.src_host == Source host
ip.dst_host == Destination host
ip.host == Host match
ip.addr == Address match
ip.checksum == Header checksum
SWIPE
ip.checksum_good == Valid checksum
ip.checksum_bad == Invalid checksum
ip.tos == Type of Service
ip.tos.delay == Delay
ip.tos.reliability == Reliability
ip.tos.throughput == Throughput
ip.dsfield == Differentiated Services Field
ip.dsfield.dscp == DSCP
ip.dsfield.ect == ECN-Capable Transport
ip.dsfield.ce == Congestion Experienced
ip.flags == Fragmentation flags
ip.flags.df == Don't Fragment
ip.flags.mf == More Fragments
ip.flags.rb == Reserved Bit
ip.frag_offset == Fragment offset
ip.fragment == Fragment
ip.fragments == All fragments
ip.reassembled_in == Reassembled packet
ip.fragment.error == Fragment error
ip.fragment.toolongfragment == Fragment too long
ip.fragment.overlap == Fragment overlap
ipv6.version == IP version
ipv6.src == Source IP
ipv6.dst == Destination IP
ipv6.src_host == Source host
ipv6.dst_host == Destination host
ipv6.addr == Address match
ipv6.host == Host match
ipv6.plen == Payload length
ipv6.class == Traffic class
SWIPE
ipv6.flow == Flow label
ipv6.hlim == Hop limit
ipv6.nxt == Next header
ipv6.hop_opt == Hop-by-hop options
ipv6.dst_opt == Destination options
ipv6.routing_hdr == Routing header
ipv6.routing_hdr.type == Routing header type
ipv6.routing_hdr.addr == Routing addresses
ipv6.routing_hdr.left == Segments left
ipv6.fragment == Fragment
ipv6.fragments == All fragments
ipv6.reassembled_in == Reassembled packet
ipv6.fragment.error == Fragment error
ipv6.fragment.overlap.conflict == Overlap conflict
tcp.port == Port
tcp.srcport == Source port
tcp.dstport == Destination port
tcp.seq == Sequence number
tcp.ack == Acknowledgment number
tcp.nxtseq == Next sequence number
tcp.len == Segment length
tcp.hdr_len == Header length
tcp.flags == Flags
tcp.flags.syn == SYN flag
tcp.flags.ack == ACK flag
tcp.flags.fin == FIN flag
tcp.flags.push == PSH flag
tcp.options.mss == MSS option
tcp.options.sack == SACK option
tcp.options.timestamp ==Timestamp option
SWIPE
tcp.options.wscale == Window scale option
tcp.checksum == Checksum
tcp.checksum_good == Valid checksum
tcp.checksum_bad == Invalid checksum
tcp.segment == Segment
tcp.segments == Segments
tcp.reassembled_in == Reassembled packet
tcp.time_delta == Time delta
tcp.time_relative == Time relative
udp.port == Port
udp.srcport == Source port
udp.dstport == Destination port
udp.length == Datagram length
udp.checksum == Checksum
udp.checksum_good == Valid checksum
udp.checksum_bad == Invalid checksum
== or eq == Equals
!= or ne == Not equals
or gt == Greater than
< or lt == Less than
= or ge == Greater than or equal
<= or le == Less than or equal
&& or and == Logical AND
|| or or == Logical OR
! or not == Logical NOT
^^ or xor == Exclusive OR
[n] == Index operator
[...] == Substring matching
icmp.type == Message type
icmp.code == Message code
SWIPE
icmp.checksum == Checksum http.response == Response
icmp.checksum_bad == Invalid checksum http.response.code == Response code
icmp.seq == Sequence number http.server == Server
icmp.ident == Identifier http.set_cookie == Set-Cookie
icmp.mtu == Path MTU http.cookie == Cookie
icmp.redir_gw == Redirected gateway http.referer == Referer
icmpv6.type == Message type http.location == Location header
icmpv6.code == Message code
icmpv6.checksum == Checksum
icmpv6.checksum_bad == Invalid checksum
icmpv6.identifier == Identifier
icmpv6.option == Option
icmpv6.comp == Component
icmpv6.ra.cur_hop_limit == Current hop limit
icmpv6.ra.reachable_time == Reachable time
icmpv6.ra.router_lifetime == Router lifetime
icmpv6.option.cga == CGA option
icmpv6.option.rsa.key_hash == RSA key hash
icmpv6.recursive_dns_serv == Recursive DNS server
http.accept == Accept header
http.content_type == Content-Type
http.content_length == Content-Length
http.user_agent == User-Agent
http.authorization == Authorization
http.authbasic == Basic Auth
http.proxy_authorization == Proxy Authorization
http.request == Request
http.request.method == Request method
http.request.uri == Request URI
http.request.version == HTTP version
http.x_forwarded_for == X-Forwarded-For