What are the most important Wireshark filters every cybersecurity professional should learn?

Cybersecurity professionals often analyze large volumes of network traffic, and mastering key Wireshark filters helps them identify threats quickly and accurately. Filters like ip.addr, http.request, tcp.flags.syn, dns, and frame contains enable threat detection, packet inspection, and anomaly spotting. These filters are essential for detecting scans, malware behavior, DNS tunneling, and credential leaks. Using these 10 filters improves incident response speed, reduces noise, and enhances packet-level forensics, making them indispensable for any cyber pro.


Looking to sharpen your network analysis skills? Mastering these 10 Wireshark filters can dramatically boost your cyber threat detection, incident response, and forensic investigations.

Wireshark is one of the most powerful open-source tools for packet analysis, but what truly makes it effective is the use of display filters. Whether you're analyzing malware communication, investigating suspicious network behavior, or monitoring enterprise traffic, these filters help you zero in on relevant data—fast.

In this blog, you'll learn about the top 10 must-know Wireshark filters used daily by cybersecurity professionals, red teams, SOC analysts, and forensic investigators.

What Are Wireshark Display Filters?

Display filters in Wireshark allow you to view only the packets you care about after capturing network traffic. Unlike capture filters (used before capturing), display filters help refine your view during analysis, making large packet dumps manageable and meaningful.

These filters are critical for:

  • Detecting malicious communication

  • Pinpointing attack vectors

  • Tracing lateral movement

  • Investigating data exfiltration

  • Understanding normal vs abnormal behavior

Why Are These Filters Crucial for Cybersecurity?

In cybersecurity, time and accuracy are everything. During a breach or live incident, analysts may be sifting through millions of packets. The right filter can reveal:

  • A malware beaconing pattern

  • ARP spoofing activity

  • Suspicious DNS tunneling

  • Failed authentication attempts

  • Exfiltration via uncommon protocols

Knowing these filters separates amateurs from professionals.

Top 10 Wireshark Filters Every Cybersecurity Analyst Should Know

Here are the 10 most practical Wireshark display filters with their use cases and examples.

Filter | Purpose | Example
ip.addr == x.x.x.x | Filter traffic to/from a specific IP | ip.addr == 192.168.1.10
http.request | View HTTP requests | Detect GET/POST traffic
tcp.port == 443 | Show only HTTPS traffic | Used for encrypted traffic monitoring
dns | Analyze DNS queries/responses | Detect DNS tunneling
tcp.flags.syn == 1 && tcp.flags.ack == 0 | Identify SYN scans | Reveal reconnaissance activity
arp | View ARP traffic | Detect ARP poisoning/MITM
frame contains "password" | Find keywords in packets | Search for leaked credentials
tcp.analysis.retransmission | Show retransmitted packets | Spot connectivity or DoS issues
icmp | Filter ICMP traffic | Analyze ping sweeps or attacks
tls.handshake.version | Check SSL/TLS protocol version | Detect deprecated encryption

1. Filter by IP Address: ip.addr == x.x.x.x

This is one of the most-used filters. It lets you view all traffic to or from a specific host.

Use Case:

Investigating a compromised endpoint.

Example:

ip.addr == 10.0.0.5

2. HTTP Requests: http.request

Focus on all HTTP communication, which often reveals suspicious data exfiltration or command and control activity.

Use Case:

Monitoring malware that communicates with its server using HTTP POST.

3. HTTPS Traffic: tcp.port == 443

Filters all packets using port 443, which is typically encrypted HTTPS traffic. Note that this matches on port number only; the tls filter matches TLS by protocol regardless of port, which also catches encrypted sessions on non-standard ports.

Use Case:

Tracking suspicious encrypted traffic destinations.

4. DNS Queries: dns

DNS is often used for tunneling or command-and-control. This filter shows all DNS requests and responses.

Use Case:

Detect if malware is using DNS to communicate with external servers.

5. TCP SYN Packets: tcp.flags.syn == 1 && tcp.flags.ack == 0

This identifies initial SYN packets, common in scanning or attack reconnaissance.

Use Case:

Spot network scans using Nmap or similar tools.
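As an added example (not code from the original post), here is the same SYN-only test applied in Python to raw TCP headers, the way the tcp.flags.syn and tcp.flags.ack fields are read from byte 13 of the header, extended with a simple per-source count of distinct target ports so a scan stands out from a normal three-way handshake. The packet records and the threshold are constructed for illustration.

```python
import struct
from collections import defaultdict

# TCP flag bits as laid out in byte 13 of the TCP header; these are the
# same bits the tcp.flags.syn / tcp.flags.ack display-filter fields expose.
TCP_SYN = 0x02
TCP_ACK = 0x10

def build_tcp_header(src_port, dst_port, flags):
    """Construct a minimal 20-byte TCP header (test data only, no checksum)."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       5 << 4, flags, 65535, 0, 0)

def is_syn_only(tcp_header):
    """Equivalent of the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0."""
    flags = tcp_header[13]
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK)

def find_syn_scanners(packets, min_ports=10):
    """packets: iterable of (src_ip, dst_ip, tcp_header_bytes).
    Returns {(src_ip, dst_ip): set_of_ports} for pairs where SYN-only segments
    from one source touched at least min_ports distinct ports on one target."""
    ports = defaultdict(set)
    for src_ip, dst_ip, hdr in packets:
        if is_syn_only(hdr):
            dst_port = struct.unpack("!H", hdr[2:4])[0]
            ports[(src_ip, dst_ip)].add(dst_port)
    return {k: v for k, v in ports.items() if len(v) >= min_ports}

def sample_capture():
    """Constructed capture: one host probing 15 ports, one normal handshake."""
    pkts = []
    for port in range(20, 35):
        pkts.append(("10.0.0.99", "10.0.0.5",
                     build_tcp_header(40000 + port, port, TCP_SYN)))
    pkts.append(("10.0.0.7", "10.0.0.5", build_tcp_header(51000, 443, TCP_SYN)))
    pkts.append(("10.0.0.5", "10.0.0.7", build_tcp_header(443, 51000, TCP_SYN | TCP_ACK)))
    pkts.append(("10.0.0.7", "10.0.0.5", build_tcp_header(51000, 443, TCP_ACK)))
    return pkts

if __name__ == "__main__":
    for (src, dst), hit in find_syn_scanners(sample_capture()).items():
        print(f"{src} -> {dst}: SYN-only to {len(hit)} distinct ports")
```

The normal client sends exactly one SYN-only segment, so it never reaches the threshold, while the probing host is reported.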

6. ARP Traffic: arp

ARP packets help detect man-in-the-middle attacks and ARP poisoning in local networks.

Use Case:

Identifying an attacker trying to spoof an IP address on the LAN.

7. Keyword Search in Payloads: frame contains "keyword"

This powerful filter searches the raw bytes of the whole frame for a specific string. The match is case-sensitive, so "Password" is not matched by "password"; use frame matches with a regular expression (for example frame matches "(?i)password") when case should not matter.

Example:

frame contains "password"

Use Case:

Check for sensitive data being transmitted in cleartext.

8. TCP Retransmissions: tcp.analysis.retransmission

Shows repeated TCP segments, which can point to network instability or intentional disruption (like DoS).

9. ICMP Packets: icmp

ICMP traffic can be used for ping sweeps, covert channels, or ICMP tunneling.

Use Case:

Identify attackers mapping the network via ICMP echo requests.

10. TLS Version Check: tls.handshake.version

Displays the version of SSL/TLS carried in the handshake messages. You can detect insecure or outdated encryption here. One caveat: TLS 1.3 keeps 0x0303 (TLS 1.2) in this legacy version field and announces 1.3 in the supported_versions extension, so a 0x0303 value does not by itself rule out TLS 1.3.

Example:

tls.handshake.version == 0x0301

(0x0301 = TLS 1.0, which is insecure)
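As an added example (not code from the original post), the parser below reads the negotiated version out of a ServerHello record the same way Wireshark does for tls.handshake.version, then checks the supported_versions extension so that a TLS 1.3 session is not mis-reported as TLS 1.2. The ServerHello bytes are constructed test data; the deprecated set (SSL 3.0, TLS 1.0, TLS 1.1) is this example's own choice.

```python
import struct

TLS_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
             0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
DEPRECATED = {0x0300, 0x0301, 0x0302}          # policy choice for this example
EXT_SUPPORTED_VERSIONS = 0x002B                 # RFC 8446 extension type

def build_server_hello(legacy_version, selected_version=None):
    """Construct a minimal ServerHello record (test data, not a real handshake).
    selected_version, when given, is placed in a supported_versions extension."""
    exts = b""
    if selected_version is not None:
        exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
    body = struct.pack("!H", legacy_version) + b"\x00" * 32      # version + random
    body += b"\x00"                                               # empty session id
    body += b"\x13\x01" if selected_version else b"\xc0\x2f"      # cipher suite
    body += b"\x00"                                               # null compression
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body            # handshake type 2
    return b"\x16" + struct.pack("!HH", 0x0303, len(hs)) + hs     # record type 22

def negotiated_tls_version(record):
    """Return the negotiated version: supported_versions if present (TLS 1.3),
    otherwise the legacy field that tls.handshake.version displays."""
    if record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello record")
    body = record[9:]                      # skip 5-byte record + 4-byte handshake header
    legacy = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                           # version + random
    pos += 1 + body[pos]                   # session id
    pos += 2 + 1                           # cipher suite + compression method
    if pos >= len(body):                   # no extensions block at all
        return legacy
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
            return struct.unpack("!H", body[pos + 4:pos + 6])[0]
        pos += 4 + elen
    return legacy

def assess(record):
    """Return (version name, is_deprecated) for a ServerHello record."""
    version = negotiated_tls_version(record)
    return TLS_NAMES.get(version, hex(version)), version in DEPRECATED
```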

Bonus Tip: Combine Filters for Deep Analysis

You can use logical operators to build advanced filters:

  • and

  • or

  • not

Example:

ip.addr == 10.0.0.1 and tcp.port == 80 and frame contains "admin"

This filter isolates HTTP traffic from a specific host whose bytes contain the string "admin", a common sign of login attempts.

Real-World Scenario: Incident Response with Wireshark

Incident: Unusual outbound traffic is detected at midnight.

Filters used:

  1. ip.addr == 192.168.1.105

  2. http.request.method == "POST"

  3. dns.qry.name contains "xyz"

The analyst isolates an infected host exfiltrating data via HTTP POST and DNS tunneling to suspicious domains.
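The dns.qry.name step above narrows to names the analyst already suspects; as an added example (not code from the original post), the scoring below shows the kind of "unusual DNS pattern" that exposes tunneling when no domain is known yet: long, high-entropy subdomains, many of them unique, all under one registered domain and from one host. The query list is constructed (base32-encoded digests stand in for encoded data), and the thresholds are this example's own.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(s):
    """Bits per character of the string s."""
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    """Crude: the last two labels. Adequate for the constructed sample."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_query(qname):
    """Return the reasons a query name looks like tunneling; [] if benign."""
    labels = qname.rstrip(".").split(".")
    subdomain = "".join(labels[:-2])
    reasons = []
    if len(qname) > 60:
        reasons.append("long name")
    if any(len(label) > 40 for label in labels):
        reasons.append("long label")
    if subdomain and shannon_entropy(subdomain) > 3.5:
        reasons.append("high entropy")
    return reasons

def find_tunneling_domains(queries, min_unique=20):
    """queries: iterable of (src_ip, qname). Returns {(src_ip, domain): count}
    for domains with at least min_unique distinct suspicious names from one host."""
    per_domain = defaultdict(set)
    for src, qname in queries:
        if score_query(qname):
            per_domain[(src, registered_domain(qname))].add(qname)
    return {k: len(v) for k, v in per_domain.items() if len(v) >= min_unique}

def sample_queries():
    """Constructed capture: two benign lookups and 25 encoded-looking queries."""
    q = [("192.168.1.105", "www.example.com."), ("192.168.1.105", "mail.example.com.")]
    for i in range(25):
        digest = hashlib.sha256(b"chunk%d" % i).digest()
        chunk = base64.b32encode(digest).decode().rstrip("=").lower()
        q.append(("192.168.1.105", f"{chunk}.t.xyz-example.com."))
    return q

if __name__ == "__main__":
    for (src, domain), n in find_tunneling_domains(sample_queries()).items():
        print(f"{src}: {n} unique suspicious names under {domain}")
```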

Conclusion: Master Filtering to Master Wireshark

Wireshark is only as effective as the filters you know. With these 10 essential Wireshark filters, you can:

  • Analyze attacks faster

  • Filter noise from signal

  • Perform forensic analysis more efficiently

  • Investigate C2 traffic, ARP spoofing, DNS abuse, and SSL issues

Every cybersecurity pro should have these filters ready in their toolkit.

FAQ

What is Wireshark used for in cybersecurity?

Wireshark is used to capture and analyze network packets in real-time to detect threats, troubleshoot issues, and investigate cyberattacks.

What are Wireshark display filters?

Display filters are used to narrow down the view of captured packets in Wireshark, making it easier to focus on specific traffic.

How does ip.addr == x.x.x.x filter work?

It shows all packets to or from a specific IP address, useful for tracking host communication.

What does the http.request filter show?

It displays only HTTP requests like GET and POST, often used in malware analysis.

How can I filter HTTPS traffic in Wireshark?

Use tcp.port == 443 to view all encrypted HTTPS packets.

Why is the dns filter important in cybersecurity?

It helps identify DNS queries, which may be used for tunneling or C2 communications.

What is the filter for detecting SYN scans?

Use tcp.flags.syn == 1 && tcp.flags.ack == 0 to catch SYN packets used in scans.

How do I detect ARP spoofing in Wireshark?

Use the arp filter to view all Address Resolution Protocol traffic.

Can Wireshark detect password leaks?

Yes, using frame contains "password" may reveal plaintext credentials in traffic.

What is the purpose of tcp.analysis.retransmission?

It shows retransmitted packets that can indicate connection issues or potential DoS attacks.

How do I filter ICMP traffic in Wireshark?

Use icmp to view ping sweeps and echo requests.

How to detect outdated TLS versions in Wireshark?

Use tls.handshake.version to see which SSL/TLS version is being used.

Can Wireshark identify DNS tunneling?

Yes, DNS tunneling can be detected by analyzing unusual DNS patterns using the dns filter.

What filter shows TCP handshakes?

Use a combination of SYN and ACK flag filters; for example, tcp.flags.syn == 1 && tcp.flags.ack == 1 matches the SYN-ACK reply in the second step of the handshake.

How to filter traffic from a specific subnet?

Use ip.addr with a range such as ip.addr >= 192.168.0.0 and ip.addr <= 192.168.0.255, or the equivalent CIDR form ip.addr == 192.168.0.0/24.

What filter helps detect command and control traffic?

Filters like http.request, dns, and tls.handshake.version help detect C2 traffic.

What is the filter to find large file downloads?

Use http.content_length to identify large data transfers.

How can I identify port scanning activity?

Use a combination of SYN filter and port filters to trace multiple scan attempts.

What is the difference between capture and display filters?

Capture filters work before packet capture; display filters refine what you see after capturing.

What filter shows all traffic except DNS?

Use !dns to exclude DNS packets from the display.

How do I find login attempts in Wireshark?

Use filters like http.request.method == "POST" and search for keywords using frame contains.

How to analyze TLS handshake in Wireshark?

Use tls.handshake or tls.handshake.version filters to inspect SSL/TLS setup.

What filter helps detect MITM attacks?

The arp filter combined with unexpected MAC addresses can reveal MITM attempts.

Can Wireshark analyze encrypted traffic?

Yes, it can analyze metadata like IPs, ports, and TLS versions, even if payloads are encrypted.

What’s a good filter to analyze malware traffic?

Use a combination of dns, http.request, and ip.addr filters to trace suspicious patterns.

How to search for specific keywords in packets?

Use frame contains "keyword" to look for strings like usernames or secrets.

What is the best way to filter FTP traffic?

Use tcp.port == 21 to view FTP control traffic.

How to find retransmissions during a DDoS attack?

Use tcp.analysis.retransmission to spot flooded or failed connections.

Is there a filter for SSH traffic?

Yes, use tcp.port == 22 to isolate SSH sessions.

How to use multiple filters together in Wireshark?

Combine filters using logical operators like and, or, and not.

Where can I learn more about advanced Wireshark filters?

Wireshark’s official documentation and cybersecurity blogs are great resources for deep dives.
