Parrot CTFs Blog Offensive Security Topics & Cyber Security News

Wireshark Cheat Sheet: Essential Guide for Network Analysis

Wireshark is the world’s most popular network protocol analyzer, used by network administrators, security professionals, and developers for troubleshooting, analysis, and education. This comprehensive cheat sheet covers the most important commands, filters, and techniques you’ll need for effective network analysis.

Getting Started

What is Wireshark? Wireshark is a free, open-source packet analyzer that captures and displays network traffic in real-time. It supports hundreds of protocols and provides deep inspection of network communications.

Key Interface Elements:

  • Packet List Pane: Shows captured packets in chronological order
  • Packet Details Pane: Displays protocol layers of selected packet
  • Packet Bytes Pane: Shows raw hexadecimal and ASCII data
  • Display Filter Bar: Apply filters to show specific traffic
  • Capture Filter field (welcome screen or Capture → Options): Filter traffic during capture

Essential Display Filters

Display filters help you focus on specific traffic after capture has begun or completed. They only change what is shown: every packet stays in the capture file, so you can change your mind as often as you like.

Basic Protocol Filters

http                    # HTTP traffic only
tls                     # TLS (HTTPS) traffic; "https" is not a filter name, older versions use ssl
tcp                     # TCP packets only
udp                     # UDP packets only
dns                     # DNS queries and responses
ftp                     # FTP traffic
ssh                     # SSH connections
telnet                  # Telnet sessions

IP Address Filters

ip.addr == 192.168.1.1          # Traffic to/from specific IP
ip.src == 192.168.1.1           # Traffic from specific source IP
ip.dst == 192.168.1.1           # Traffic to specific destination IP
ip.addr == 192.168.1.0/24       # Traffic within subnet

Port-Based Filters

tcp.port == 80                  # HTTP traffic (port 80)
tcp.port == 443                 # HTTPS traffic (port 443)
tcp.port == 22                  # SSH traffic (port 22)
udp.port == 53                  # DNS traffic (port 53)
tcp.srcport == 80               # Traffic from source port 80
tcp.dstport == 443              # Traffic to destination port 443

Advanced Filters

tcp.flags.reset == 1            # TCP reset packets
tcp.flags.syn == 1              # SYN flag set (also matches SYN/ACK; add && tcp.flags.ack == 0 for initial SYNs)
tcp.analysis.retransmission     # TCP retransmissions
tcp.analysis.duplicate_ack      # Duplicate ACK packets
frame.len > 1000                # Packets larger than 1000 bytes

Capture Filters

Capture filters use BPF syntax and are applied at capture time, before packets reach Wireshark, so excluded traffic is never written to disk. This reduces file size and improves performance, but a capture filter cannot be changed after the fact, so keep it broad when you are not sure what you are looking for.

Basic Capture Filters

host 192.168.1.1               # Capture traffic to/from specific host
net 192.168.1.0/24             # Capture traffic within subnet
port 80                        # Capture traffic on port 80
not port 22                    # Exclude SSH traffic
tcp port 443                   # HTTPS traffic only
udp port 53                    # DNS traffic only

Complex Capture Filters

host 192.168.1.1 and port 80   # HTTP traffic to/from specific host
port 80 or port 443            # HTTP and HTTPS traffic
not (port 22 or port 23)       # Exclude SSH and Telnet
tcp[13] & 2 != 0               # TCP SYN flag set (byte 13 of the TCP header; also matches SYN/ACK)
greater 100                    # Packets of 100 bytes or more (len >= 100)
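To make concrete what the display filters above and the `tcp[13] & 2 != 0` capture filter actually test, here is an added example (not code from the original page or from the Wireshark project). It is stdlib-only Python that builds a small constructed capture, writes it as classic pcap, reads it back, dissects each frame into fields under Wireshark's own names and evaluates the cheat-sheet filters as predicates. All addresses, ports, MACs and timestamps are made up; `run_filters`, `display_filter`, `load` and `capture_filter_tcp_syn` are names chosen for this example.

```python
"""Added example: constructed Ethernet/IPv4/TCP frames are written as a pcap,
read back, dissected into Wireshark-named fields and filtered (stdlib only)."""
import struct

TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x02, 0x04, 0x08, 0x10
MAC_A, MAC_B = bytes.fromhex("aabbcc000001"), bytes.fromhex("aabbcc000002")  # made-up MACs

def tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build one frame; checksums are left at 0 (Wireshark only warns about that)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return MAC_B + MAC_A + b"\x08\x00" + ip + tcp + payload

def write_pcap(records):
    """Classic pcap: 24-byte global header (LINKTYPE_ETHERNET=1) + 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    endian = "<" if struct.unpack_from("<I", data)[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def dissect(raw):
    """Map one frame to a dict keyed by the Wireshark field names this page uses."""
    f = {"frame.len": len(raw), "eth.dst": raw[0:6].hex(":"), "eth.src": raw[6:12].hex(":")}
    if raw[12:14] != b"\x08\x00":               # not IPv4
        return f
    f["ip.src"], f["ip.dst"] = (".".join(map(str, raw[i:i + 4])) for i in (26, 30))
    f["ip.proto"] = raw[23]
    if f["ip.proto"] != 6:                      # not TCP
        return f
    t = 14 + (raw[14] & 0x0F) * 4               # TCP header start; BPF's tcp[N] counts from here
    flags = raw[t + 13]                         # the byte `tcp[13] & 2 != 0` tests (bit 1 = SYN)
    f["tcp.srcport"], f["tcp.dstport"] = struct.unpack_from("!HH", raw, t)
    f["tcp.flags.syn"] = int(bool(flags & TCP_SYN))
    f["tcp.flags.ack"] = int(bool(flags & TCP_ACK))
    f["tcp.flags.reset"] = int(bool(flags & TCP_RST))
    return f

def capture_filter_tcp_syn(raw):
    """What the capture filter `tcp[13] & 2 != 0` decides for one raw frame."""
    if raw[12:14] != b"\x08\x00" or raw[23] != 6:
        return False
    return raw[14 + (raw[14] & 0x0F) * 4 + 13] & 0x02 != 0

def load(data):
    """Dissect every record and add frame.number, the timing fields and tcp.stream."""
    packets, streams, first, prev = [], {}, None, None
    for n, (ts, raw) in enumerate(read_pcap(data), start=1):
        f = dissect(raw)
        first = ts if first is None else first
        f["frame.number"], f["frame.time_relative"] = n, ts - first
        f["frame.time_delta"] = 0.0 if prev is None else ts - prev
        prev = ts
        if "tcp.srcport" in f:                  # tcp.stream: one index per bidirectional 4-tuple
            key = frozenset([(f["ip.src"], f["tcp.srcport"]), (f["ip.dst"], f["tcp.dstport"])])
            f["tcp.stream"] = streams.setdefault(key, len(streams))
        packets.append(f)
    return packets

def display_filter(packets, predicate):
    """Frame numbers a display filter would leave visible (nothing is discarded)."""
    return [p["frame.number"] for p in packets if predicate(p)]

# Constructed sample: a TLS handshake carrying one 1400-byte segment, then an SSH attempt refused with RST.
SAMPLE_PCAP = write_pcap([
    (100.000, tcp_frame("192.168.1.10", "192.168.1.1", 51000, 443, TCP_SYN)),
    (100.010, tcp_frame("192.168.1.1", "192.168.1.10", 443, 51000, TCP_SYN | TCP_ACK)),
    (100.011, tcp_frame("192.168.1.10", "192.168.1.1", 51000, 443, TCP_ACK)),
    (100.020, tcp_frame("192.168.1.10", "192.168.1.1", 51000, 443, TCP_PSH | TCP_ACK, b"A" * 1400)),
    (102.500, tcp_frame("192.168.1.10", "192.168.1.1", 51001, 22, TCP_SYN)),
    (102.501, tcp_frame("192.168.1.1", "192.168.1.10", 22, 51001, TCP_RST | TCP_ACK)),
])
PACKETS = load(SAMPLE_PCAP)

# The cheat-sheet filters as predicates over the dissected fields (tcp.port == X means either port).
FILTERS = {
    "tcp.flags.syn == 1": lambda p: p.get("tcp.flags.syn") == 1,
    "tcp.flags.syn == 1 && tcp.flags.ack == 0": lambda p: p.get("tcp.flags.syn") == 1 and not p["tcp.flags.ack"],
    "tcp.flags.reset == 1": lambda p: p.get("tcp.flags.reset") == 1,
    "tcp.port == 443": lambda p: 443 in (p.get("tcp.srcport"), p.get("tcp.dstport")),
    "frame.len > 1000": lambda p: p["frame.len"] > 1000,
    "frame.time_delta > 1": lambda p: p["frame.time_delta"] > 1,
    "tcp.stream == 1": lambda p: p.get("tcp.stream") == 1,
}

def run_filters(packets=PACKETS):
    """Evaluate every filter; returns {expression: [matching frame numbers]}."""
    return {expr: display_filter(packets, pred) for expr, pred in FILTERS.items()}
```

Two things worth noticing when you run it: `tcp.flags.syn == 1` returns frames 1, 2 and 5 because the SYN/ACK in frame 2 also has SYN set, which is why the `&& tcp.flags.ack == 0` variant is the one to use for counting connection attempts; and `tcp.stream` is assigned per bidirectional 4-tuple, which is exactly what Follow → TCP Stream groups on. Writing `SAMPLE_PCAP` to a file and opening it in Wireshark gives the same frame numbers from the filter bar.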

Common Analysis Techniques

Following Streams

  • TCP Stream: Right-click packet → Follow → TCP Stream
  • UDP Stream: Right-click packet → Follow → UDP Stream
  • HTTP Stream: Right-click packet → Follow → HTTP Stream

Statistics and Analysis

  • Protocol Hierarchy: Statistics → Protocol Hierarchy
  • Conversations: Statistics → Conversations
  • Endpoints: Statistics → Endpoints
  • I/O Graph: Statistics → I/O Graph
  • Expert Information: Analyze → Expert Information

Time-Related Filters

frame.time >= "2024-01-01 00:00:00"    # Packets after specific time
frame.time_relative > 10               # Packets after 10 seconds into capture
frame.time_delta > 1                   # Packets with >1 second gap from previous

HTTP/HTTPS Analysis

HTTP-Specific Filters

http.request.method == "GET"           # HTTP GET requests
http.request.method == "POST"          # HTTP POST requests
http.response.code == 200              # HTTP 200 OK responses
http.response.code >= 400              # HTTP error responses
http.host contains "example.com"       # Requests to specific domain
http.user_agent contains "Chrome"      # Specific user agent

Common HTTP Status Codes

http.response.code == 200              # OK
http.response.code == 301              # Moved Permanently
http.response.code == 404              # Not Found
http.response.code == 500              # Internal Server Error

Security Analysis Filters

Suspicious Activity

tcp.flags.reset == 1                   # Connection resets
tcp.analysis.retransmission            # Possible network issues
tcp.analysis.zero_window               # Flow control issues
icmp.type == 3                        # ICMP unreachable messages
arp.opcode == 2                        # ARP replies; a reply alone is normal, the spoofing signal is one IP answered by two MACs (Wireshark flags this as arp.duplicate-address-detected)
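The ARP line above is the weakest filter on this page on its own, so here is an added example (not code from the original page or from the Wireshark project) of the logic a practitioner actually wants: stdlib-only Python that dissects constructed ARP frames into fields under Wireshark's names and flags the two classic spoofing signals, a reply nobody asked for and an IP whose MAC changes between replies. The second check is what Wireshark's `arp.duplicate-address-detected` expert flag does; the unsolicited-reply check is an extra heuristic of this example. The MACs, IPs and the name `find_arp_spoofing` are made up for the example.

```python
"""Added example: detect ARP-spoofing signals (unsolicited replies and an IP that
changes MAC) in constructed ARP frames, mirroring Wireshark's duplicate-address check."""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ETH_ARP = b"\x08\x06"

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(map(int, s.split(".")))

def arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header + 28-byte ARP body; requests go to the broadcast MAC."""
    dst = mac("ff:ff:ff:ff:ff:ff") if opcode == ARP_REQUEST else mac(target_mac)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))
    return dst + mac(sender_mac) + ETH_ARP + body

def dissect_arp(raw):
    """Return the ARP fields under their Wireshark names, or None if the frame is not ARP."""
    if raw[12:14] != ETH_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack_from("!HHBBH6s4s6s4s", raw, 14)
    return {"arp.opcode": op,
            "arp.src.hw_mac": sha.hex(":"), "arp.src.proto_ipv4": ".".join(map(str, spa)),
            "arp.dst.hw_mac": tha.hex(":"), "arp.dst.proto_ipv4": ".".join(map(str, tpa))}

def find_arp_spoofing(frames):
    """Scan frames in order; return a list of (frame_number, reason, details)."""
    table = {}          # ip -> mac learned from the first reply that claimed it
    pending = set()     # ips that have been asked for and not yet answered
    alerts = []
    for n, raw in enumerate(frames, start=1):
        a = dissect_arp(raw)
        if a is None:
            continue
        if a["arp.opcode"] == ARP_REQUEST:
            pending.add(a["arp.dst.proto_ipv4"])
            continue
        if a["arp.opcode"] != ARP_REPLY:
            continue
        sip, smac = a["arp.src.proto_ipv4"], a["arp.src.hw_mac"]
        if sip in pending:
            pending.discard(sip)
        else:
            alerts.append((n, "unsolicited reply", f"{sip} is-at {smac}"))
        known = table.setdefault(sip, smac)
        if known != smac:                     # the same IP is now claimed by another MAC
            alerts.append((n, "duplicate address", f"{sip}: {known} -> {smac}"))
    return alerts

# Constructed sample: host .10 resolves the gateway .1, the real gateway answers,
# then an attacker at a different MAC re-announces .1 to pull the traffic to itself.
SAMPLE_FRAMES = [
    arp_frame(ARP_REQUEST, "aa:bb:cc:00:00:10", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    arp_frame(ARP_REPLY, "aa:bb:cc:00:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"),
    arp_frame(ARP_REPLY, "de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"),
]
```

On the sample, frame 3 raises both alerts and frames 1 and 2 raise none. Treat the unsolicited-reply alert as a hint rather than proof: gratuitous ARP is legitimate during failover (VRRP, HSRP, VM migration), so the IP-to-MAC change is the signal to act on, and the same frames in Wireshark would show it under `arp.duplicate-address-detected`.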

Malware Analysis

http.request.method == "POST" and http.content_type contains "application/x-www-form-urlencoded"   # Form submissions
dns.qry.name contains ".exe"           # DNS queries for executables
http contains "cmd.exe"                # Potential command execution

Keyboard Shortcuts

Navigation

  • Ctrl + F: Find packet
  • Ctrl + N / Ctrl + B: Find next / previous match
  • Ctrl + G: Go to packet number
  • Ctrl + ↓: Next packet
  • Ctrl + ↑: Previous packet

View Controls

  • Ctrl + +: Zoom in
  • Ctrl + –: Zoom out
  • Ctrl + =: Normal size (reset zoom)
  • Ctrl + →: Expand all
  • Ctrl + ←: Collapse all
  • Shift + → / Shift + ←: Expand / collapse the selected subtree

Capture Controls

  • Ctrl + K: Capture options (interface, capture filter, ring buffer)
  • Ctrl + E: Start or stop capture (toggles)
  • Ctrl + R: Restart capture
  • F5: Refresh interface list

Expert Tips

Colorization Rules

Create custom coloring rules to highlight important traffic:

  • View → Coloring Rules
  • Use colors to identify different protocols or suspicious activity
  • Default colors: TCP (light purple), UDP (light blue), HTTP (light green), TCP SYN/FIN (dark gray), Bad TCP such as retransmissions and resets (black with red text)

Performance Optimization

  • Use capture filters to reduce file size
  • Limit capture duration for large networks
  • Use a ring buffer for continuous capture (Capture → Options → Output: multiple files, keep N files)
  • Disable unused protocol dissectors (Analyze → Enabled Protocols)

Troubleshooting Network Issues

  1. High Latency: Look for large time deltas between request/response
  2. Packet Loss: Check for retransmissions and duplicate ACKs
  3. Connection Issues: Examine TCP handshake and reset packets
  4. DNS Problems: Filter for DNS errors and slow responses

Export Options

  • File → Export Objects → HTTP: Extract files transferred over HTTP (also available for DICOM, IMF, SMB and TFTP)
  • File → Export Packet Dissections: Save decoded fields as text, CSV or JSON
  • File → Export Specified Packets: Save a subset (for example only the displayed packets) as a new capture file

Quick Reference Commands

Display Filter Operators

==          Equal
!=          Not equal
>           Greater than
<           Less than
>=          Greater than or equal
<=          Less than or equal
contains    Contains substring
matches     Matches regular expression
&&          Logical AND (also written and)
||          Logical OR (also written or)
!           Logical NOT (also written not)

Useful Field Names

frame.number            # Packet number
frame.time              # Timestamp
frame.len               # Packet length
eth.src                 # Source MAC address
eth.dst                 # Destination MAC address
ip.proto                # IP protocol number
tcp.stream              # TCP stream index
tcp.len                 # TCP payload length

Conclusion

Wireshark is an incredibly powerful tool for network analysis, but mastering it requires practice and understanding of network protocols. This cheat sheet covers the most commonly used features and filters. Remember to always capture network traffic ethically and in compliance with your organization’s policies and applicable laws.

Additional Resources:

  • Official Wireshark Documentation: https://www.wireshark.org/docs/
  • Sample Capture Files: https://wiki.wireshark.org/SampleCaptures
  • Display Filter Reference: https://www.wireshark.org/docs/dfref/

parrotassassin15

Founder of @ Parrot CTFs & Senior Cyber Security Consultant
