Wireshark is one of the most popular and powerful tools for capturing, analyzing, and troubleshooting network traffic.
Whether you are a network administrator , security professional , or just someone curious about how networks work, learning Wireshark is a valuable skill.
This cheat sheet serves as a quick reference for filters, commands, shortcuts, and syntax.
Name Description
No. Frame number from the beginning of the packet capture Time Seconds from the first frame Source (src) Source address (IPv4, IPv6, or Ethernet) Destination (dst) Destination address Protocol Protocol in Ethernet/IP/TCP segment Length Frame length in bytes
Operator Description Example
and / &&Logical AND All conditions must match or / `` Logical OR At least one condition matches xor / ^^Logical XOR Only one of two conditions matches not / !Negation Exclude packets [n] [ ... ]Substring operator Match specific text
Operator Description Example
eq / ==Equal ip.dest == 192.168.1.1ne / !=Not equal ip.dest != 192.168.1.1gt / >Greater than frame.len > 10lt / <Less than frame.len < 10ge / >=Greater or equal frame.len >= 10le / <=Less or equal frame.len <= 10
Name Description
Capture filter Applied during capture Display filter Applied to hide/show after capture
Mode Description
Promiscuous mode Capture all packets on the segment Monitor mode Capture all wireless traffic (Linux/Unix only)
Slice Operator β [ ... ] (range)Membership Operator β {} (in)Ctrl+E β Start/Stop capturing
Example:
tcp src 192.168.1.1 and tcp dst 202.164.30.1
Example:
http and ip.dst == 192.168.1.1 and tcp.port
Shortcut Action
Tab / Shift+TabMove between UI elements β / βMove between packets/details Ctrl+β / F8Next packet (even if unfocused) Ctrl+β / F7Previous packet Ctrl+.Next packet in conversation Ctrl+,Previous packet in conversation Return / EnterToggle tree item BackspaceJump to parent node
ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp, udp
Usage Syntax
Filter by IP ip.addr == 10.10.50.1Destination IP ip.dest == 10.10.50.1Source IP ip.src == 10.10.50.1IP range ip.addr >= 10.10.50.1 and ip.addr <= 10.10.50.100Multiple IPs ip.addr == 10.10.50.1 and ip.addr == 10.10.50.100Exclude IP !(ip.addr == 10.10.50.1)Subnet ip.addr == 10.10.50.1/24Port tcp.port == 25Destination port tcp.dstport == 23IP + Port ip.addr == 10.10.50.1 and tcp.port == 25URL http.host == "hostname"Time frame.time >= "June 02, 2019 18:04:00"SYN flag tcp.flags.syn == 1 and tcp.flags.ack == 0Beacon frames wlan.fc.type_subtype == 0x08Broadcast eth.dst == ff:ff:ff:ff:ff:ffMulticast (eth.dst[0] & 1)Hostname ip.host == hostnameMAC address eth.addr == 00:70:f4:23:18:c4RST flag tcp.flag.reset == 1
Icon Item Menu Description
βΆοΈ Start Capture β Start Begin capture βΉοΈ Stop Capture β Stop Stop capture π Restart Capture β Restart Restart session βοΈ Options Capture β Optionsβ¦ Capture options dialog π Open File β Openβ¦ Load capture file πΎ Save As File β Save Asβ¦ Save capture file β Close File β Close Close current capture π Reload View β Reload Reload capture file π Find Packet Edit β Find Packetβ¦ Search packets βͺ Go Back Go β Back Jump back in history β© Go Forward Go β Forward Jump forward π Go to Packet Go β Packet Jump to specific packet β©οΈ First Packet Go β First Packet Jump to first packet βͺοΈ Last Packet Go β Last Packet Jump to last packet π Auto Scroll View β Auto Scroll Scroll live capture π¨ Colorize View β Colorize Colorize packet list π Zoom In/Out View β Zoom In/Out Adjust zoom level π² Normal Size View β Normal Size Reset zoom π Resize Columns View β Resize Columns Fit column width
Wireshark is an incredibly powerful tool for analyzing and troubleshooting network traffic.
This cheat sheet gives you commands, filters, and shortcuts to navigate Wireshark efficiently and quickly.