Mastering Wireshark Filters | The Ultimate 2025 Guide for Cybersecurity Professionals, SOC Analysts & Ethical Hackers
In 2025, mastering Wireshark display filters is more critical than ever for anyone in cybersecurity, network forensics, or ethical hacking. This blog is a comprehensive and practical guide to Wireshark filters — covering basic to advanced commands, real-world SOC analyst scenarios, and troubleshooting hacks. From TCP flags and ICMP errors to filtering HTTP GETs, DNS queries, TLS handshakes, and custom MAC/IP filters, this guide helps you analyze packets with precision. Whether you're a student, intern, or working pro, this resource will fast-track your ability to navigate traffic chaos and extract meaningful insights using Wireshark in 2025.

Table of Contents
- What Is Wireshark?
- Why Use Display Filters?
- Top Wireshark Filters and What They Do
- Real-World Use Cases for Wireshark Filters
- Tips for Wireshark Efficiency
- Additional Filter Categories You Should Explore
- Who Should Learn Wireshark Filters?
- Conclusion
- Frequently Asked Questions (FAQs)
In the world of cybersecurity, Wireshark is one of the most powerful and widely used tools for network traffic analysis. Whether you're a SOC Analyst, ethical hacker, or network administrator, learning how to use Wireshark filters effectively can help you detect threats, troubleshoot connectivity issues, and understand how devices communicate.
This guide will walk you through Wireshark display filters — what they are, how they work, and the most useful filters you need to know in 2025.
What Is Wireshark?
Wireshark is a free, open-source packet analyzer used for real-time traffic monitoring. It captures data packets transmitted over a network and allows you to dissect them to understand protocols, detect anomalies, and inspect the contents.
Why Use Display Filters?
Wireshark can collect millions of packets, but you're rarely interested in all of them. That’s where display filters come in — they let you narrow down traffic by IP, protocol, port, flags, or packet content so that you can focus only on what matters.
Top Wireshark Filters and What They Do
Here's a breakdown of commonly used Wireshark filters, along with their descriptions:
Filter | Description |
---|---|
ip.addr == 10.0.0.0/24 | Show all traffic to/from any IP in the 10.0.0.0/24 subnet |
ip.addr == 10.0.0.1 | Show all packets where 10.0.0.1 is either the source or destination |
!(ip.addr == 10.0.0.1) | Exclude all traffic involving 10.0.0.1 |
icmp.type == 3 | Show ICMP “destination unreachable” packets |
tcp or udp | Show only TCP or UDP packets |
tcp.port == 80 | Show TCP traffic where either the source or the destination port is 80 (HTTP) |
tcp.srcport < 1000 | Show TCP packets with source port less than 1000 |
http or dns | Display only HTTP and DNS traffic |
tcp.flags.syn == 1 | Display only TCP packets where the SYN flag is set |
tcp.flags == 0x12 | Show packets with exactly the SYN and ACK flags set (the SYN/ACK of a 3-way handshake) |
tcp.analysis.retransmission | Show all retransmitted TCP packets |
http.request.method == "GET" | Display HTTP GET requests |
http.response.code == 404 | Show HTTP 404 Not Found responses |
http.host == "www.abc.com" | Filter HTTP traffic from/to www.abc.com |
tls.handshake | Show only TLS handshake packets |
tls.handshake.type == 1 | Filter Client Hello packets in TLS handshakes |
dns.resp.name == "cnn.com" | Show DNS responses for queries related to cnn.com |
frame contains "keyword" | Search for packets that contain a specific keyword (e.g., "login") |
frame.len > 1000 | Filter packets where the total length is greater than 1000 bytes |
dhcp | Show DHCP-related traffic |
dhcp.hw.mac_addr == 00:11:22:33:44:55 | Show DHCP traffic from a specific MAC address |
ip.src == 10.0.0.1 && ip.dst == 10.0.0.2 | Show packets from 10.0.0.1 to 10.0.0.2 |
Real-World Use Cases for Wireshark Filters
Security Monitoring
SOC analysts use filters like tcp.analysis.retransmission or icmp.type == 3 to detect unusual packet behavior that may signal a scan or attack.
Troubleshooting
Network engineers rely on tcp.flags.syn == 1 to verify connection initiation, or http.response.code == 404 to troubleshoot broken web links.
DNS or Web Debugging
Filters like dns.resp.name == "domain.com" and http.request.method == "GET" help diagnose failed DNS resolutions or monitor HTTP behavior.
Tips for Wireshark Efficiency
- Use auto-completion by pressing Ctrl + Space while typing a filter.
- Combine multiple filters using AND (&&) or OR (||).
- Use parentheses to group logical conditions.
- Apply color filters to visually highlight specific traffic.
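To see how the AND/OR/NOT rules above interact with Wireshark's "match any value" semantics (ip.addr and tcp.port each resolve to both the source and the destination value), here is a small evaluator written for this guide, not Wireshark's own code, that runs the filters from the table above over a handful of constructed packets. Its packet records, field aliases and parser are simplifications, and the != behaviour it models is the pre-4.0 one noted in the comment.

```python
import re
# Constructed sample packets (not a real capture): a TCP handshake and an HTTP POST on
# port 80 between 10.0.0.1 and 10.0.0.2, plus one unrelated segment between 10.0.0.3/.4.
PACKETS = [
    {"no": 1, "ip.src": "10.0.0.1", "ip.dst": "10.0.0.2", "tcp.srcport": 51000,
     "tcp.dstport": 80, "tcp.flags": 0x02, "payload": b""},                       # SYN
    {"no": 2, "ip.src": "10.0.0.2", "ip.dst": "10.0.0.1", "tcp.srcport": 80,
     "tcp.dstport": 51000, "tcp.flags": 0x12, "payload": b""},                    # SYN/ACK
    {"no": 3, "ip.src": "10.0.0.1", "ip.dst": "10.0.0.2", "tcp.srcport": 51000,
     "tcp.dstport": 80, "tcp.flags": 0x18, "payload": b"POST /login HTTP/1.1"},  # PSH/ACK
    {"no": 4, "ip.src": "10.0.0.3", "ip.dst": "10.0.0.4", "tcp.srcport": 443,
     "tcp.dstport": 40000, "tcp.flags": 0x10, "payload": b""},                    # ACK
]
# Aliased fields resolve to several values; a comparison is true if ANY value matches.
ALIAS = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
         "frame": ("payload",), "tcp.flags.syn": ("tcp.flags",)}
# "!=" is any-match here, as in Wireshark before 4.0 (4.0 changed it to "all values differ").
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, "<": lambda a, b: a < b,
       ">": lambda a, b: a > b, "contains": lambda a, b: str(b).encode() in a}
TOKEN = re.compile(r'\s*(&&|\|\||==|!=|<|>|[()!]|"[^"]*"|[\w.:]+)')

def values(pkt, name):  # every value a field name resolves to; tcp.flags.syn is bit 1
    vals = [pkt[k] for k in ALIAS.get(name, (name,)) if k in pkt]
    return [(v >> 1) & 1 for v in vals] if name == "tcp.flags.syn" else vals
def literal(tok):  # "quoted" -> str; 80 or 0x12 -> int; an address literal stays text
    return tok[1:-1] if tok[0] == '"' else int(tok, 0) if tok.isdigit() or tok[:2] == "0x" else tok
def parse(tokens):  # recursive descent: || binds loosest, then &&, then ! and ( )
    pos = 0
    def take(): nonlocal pos; pos += 1; return tokens[pos - 1]
    def binop(sub, op, comb):  # left-associative chain: sub (op sub)*
        node = sub()
        while pos < len(tokens) and tokens[pos] == op:
            take(); node = (lambda l, r: lambda p: comb(l(p), r(p)))(node, sub())
        return node
    expr = lambda: binop(term, "||", lambda a, b: a or b)
    term = lambda: binop(factor, "&&", lambda a, b: a and b)
    def factor():
        tok = take()
        if tok == "!":
            inner = factor(); return lambda p: not inner(p)
        if tok == "(":
            inner = expr(); take(); return inner          # take() consumes ')'
        if pos < len(tokens) and tokens[pos] in OPS:
            op, lit = take(), literal(take())
            return lambda p: any(OPS[op](v, lit) for v in values(p, tok))
        return lambda p: bool(values(p, tok))             # bare field name: "is present"
    return expr()
def apply_filter(expr, packets=PACKETS):  # frame numbers matched by a display filter
    match = parse(TOKEN.findall(expr))
    return [p["no"] for p in packets if match(p)]
```

Running the same expression with and without parentheses (for example tcp.flags.syn == 1 && (tcp.srcport < 1000 || frame contains "login")) shows why the grouping tip matters: && binds tighter than ||, so the unparenthesized form matches a different set of frames.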
Additional Filter Categories You Should Explore
Category | Examples |
---|---|
IP Filters | ip.src, ip.dst, ip.addr |
TCP/UDP | tcp.port, udp.port, tcp.flags, tcp.seq |
Protocol-Specific | http, dns, ftp, icmp, tls, smtp, ldap, voip |
MAC/DHCP | eth.addr, dhcp.hw.mac_addr |
Application | frame contains "password", http.user_agent contains "curl" |
Who Should Learn Wireshark Filters?
- Cybersecurity students & interns
- Network administrators
- Penetration testers
- SOC analysts
- Bug bounty hunters
Conclusion
Wireshark filters help transform overwhelming network traffic into readable, actionable data. Whether you're performing a malware analysis, troubleshooting a DNS issue, or detecting unauthorized access, mastering filters makes you significantly more effective.
In the era of increasing cyber threats, every professional should understand how to filter the noise — and Wireshark is the perfect tool for that.
FAQs
What is Wireshark used for?
Wireshark is a network protocol analyzer used to capture, inspect, and analyze network traffic in real time.
What are Wireshark display filters?
Display filters are expressions used in Wireshark to narrow down the packet view to specific protocols, IPs, ports, flags, or content.
How do you filter by IP address in Wireshark?
Use ip.addr == x.x.x.x to filter by a specific IP address.
How do I filter by TCP port in Wireshark?
Use tcp.port == 80 for port 80 (HTTP), or change the number to your target port.
What does tcp.flags.syn == 1 mean?
It filters TCP packets where the SYN flag is set, often used to identify connection initiation.
How do I filter HTTPS traffic in Wireshark?
Use tls or ssl (older versions) to display TLS/SSL-encrypted traffic.
What is the difference between capture filter and display filter in Wireshark?
Capture filters are applied before data is collected; display filters are used to analyze the captured data afterward.
How do I find 404 errors in Wireshark?
Use http.response.code == 404 to filter HTTP 404 Not Found responses.
Can I filter packets by DNS queries?
Yes, use dns or dns.qry.name == "example.com" to focus on DNS traffic.
How can I filter packets from a specific MAC address?
Use eth.addr == aa:bb:cc:dd:ee:ff.
How do I view retransmitted packets?
Use tcp.analysis.retransmission to view only retransmitted TCP segments.
What is the filter for GET requests in Wireshark?
Use http.request.method == "GET".
How do I find TLS handshakes in Wireshark?
Use tls.handshake, or tls.handshake.type == 1 for Client Hello.
Can I use wildcards in Wireshark filters?
No, Wireshark does not support wildcards; use logical operators instead.
How do I filter all HTTP traffic?
Use http as the display filter.
How do I show only packets with both SYN and ACK flags set?
Use tcp.flags == 0x12.
How do I filter by packet length?
Use frame.len > 1000 to show packets larger than 1000 bytes.
Can I filter by hostname?
Yes, use http.host == "example.com" to filter by the HTTP Host field.
How do I search packets by content?
Use frame contains "keyword" to search inside packets.
Is Wireshark safe to use on live networks?
Yes, but be cautious when capturing sensitive data on shared or production networks.
What is icmp.type == 3 used for?
It filters ICMP Destination Unreachable packets.
How do I see only DNS responses?
Use dns.flags.response == 1.
How do I export filtered packets?
Use File > Export Specified Packets after applying your filter.
Can Wireshark analyze VoIP traffic?
Yes, use filters like rtp, sip, and h323 for VoIP analysis.
How can I filter traffic from one IP to another?
Use ip.src == x.x.x.x && ip.dst == y.y.y.y.
Does Wireshark support color filters?
Yes, color filters help visually distinguish types of packets but don’t change the data.
How do I save my filters for future use?
Go to Analyze > Display Filters > Save.
What protocols can Wireshark analyze?
It supports hundreds, including TCP, UDP, ICMP, DNS, HTTP, FTP, TLS, SMB, and more.
Can I use multiple filters together?
Yes, combine them using &&, ||, and parentheses.
What is the shortcut to apply a filter in Wireshark?
Press Enter after typing the filter in the top bar.
Is Wireshark suitable for beginners?
Yes, especially with visual interfaces and powerful filtering support, it’s ideal for learning packet analysis.