Wireshark
Is the world’s foremost and widely-used network protocol analyzer.
Installation
sudo apt install wireshark
Usage
wireshark [options] ... [ <infile> ]
Flags
Capture interface:
-i <interface> name or idx of interface (def: first non-loopback)
-f <capture filter> packet filter in libpcap filter syntax
-s <snaplen> packet snapshot length (def: appropriate maximum)
-p don't capture in promiscuous mode
-k start capturing immediately (def: do nothing)
-S update packet display when new packets are captured
-l turn on automatic scrolling while -S is in use
-I capture in monitor mode, if available
-B <buffer size> size of kernel buffer (def: 2MB)
-y <link type> link layer type (def: first appropriate)
--time-stamp-type <type> timestamp method for interface
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit
--list-time-stamp-types print list of timestamp types for iface and exit
Capture stop conditions:
-c <packet count> stop after n packets (def: infinite)
-a <autostop cond.> ... duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
Capture output:
-b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
Input file:
-r <infile> set the filename to read from (no pipes or stdin!)
Processing:
-R <read filter> packet filter in Wireshark display filter syntax
-n disable all name resolutions (def: all enabled)
-N <name resolve flags> enable specific name resolution(s): "mnNtdv"
-d <layer_type>==<selector>,<decode_as_protocol> ...
"Decode As", see the man page for details
Example: tcp.port==8888,http
--enable-protocol <proto_name>
enable dissection of proto_name
--disable-protocol <proto_name>
disable dissection of proto_name
--enable-heuristic <short_name>
enable dissection of heuristic protocol
--disable-heuristic <short_name>
disable dissection of heuristic protocol
User interface:
-C <config profile> start with specified configuration profile
-Y <display filter> start with the given display filter
-g <packet number> go to specified packet number after "-r"
-J <jump filter> jump to the first packet matching the (display)
filter
-j search backwards for a matching packet after "-J"
-m <font> set the font name used for most text
-t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)
-u s|hms output format of seconds (def: s: seconds)
-X <key>:<value> eXtension options, see man page for details
-z <statistics> show various statistics, see man page for details
Output:
-w <outfile|-> set the output filename (or '-' for stdout)
Miscellaneous:
-h display this help and exit
-v display version info and exit
-P <key>:<path> persconf:path - personal configuration files
persdata:path - personal data files
-o <name>:<value> ... override preference or recent setting
-K <keytab> keytab file to use for kerberos decryption
--display=DISPLAY X display to use
--fullscreen start Wireshark in full screen
Cheat Sheet
Common Filtering Commands
| USAGE |
FILTER SYNTAX |
| Wireshark Filter by IP |
ip.add == 10.10.50.1 |
| Filter by Destination IP |
ip.dest == 10.10.50.1 |
| Filter by Source IP |
ip.src == 10.10.50.1 |
| Filter by IP range |
ip.addr >= 10.10.50.1 and ip.addr <=10.10.50.100 |
| Filter by Multiple Ips |
ip.addr == 10.10.50.1 and ip.addr == 10.10.50.100 |
| Filter out IP adress |
! (ip.addr == 10.10.50.1) |
| Filter subnet |
ip.addr == 10.10.50.1/24 |
| Filter by port |
tcp.port == 25 |
| Filter by destination port |
tcp.dstport == 23 |
| Filter by ip adress and port |
ip.addr == 10.10.50.1 and Tcp.port == 25 |
| Filter by URL |
http.host == “host name” |
| Filter by time stamp |
frame.time >= “June 02, 2019 18:04:00” |
| Filter SYN flag |
Tcp.flags.syn == 1 and tcp.flags.ack ==0 |
| Wireshark Beacon Filter |
wlan.fc.type_subtype = 0x08 |
| Wireshark broadcast filter |
eth.dst == ff:ff:ff:ff:ff:ff |
| Wireshark multicast filter |
(eth.dst[0] & 1) |
| Host name filter |
ip.host = hostname |
| MAC address filter |
eth.addr == 00:70:f4:23:18:c4 |
| RST flag filter |
tcp.flag.reset == 1 |
Default Columns In a Packet Capture Output
| NAME |
DESCRIPTION |
| No. |
Frame number from the beginning of the packet capture |
| Time |
Seconds from the first frame |
| Source (src) |
Source address, commonly an IPv4, IPv6 or Ethernet address |
| Destination (dst) |
Destination address |
| Protocol |
Protocol used in the Ethernet frame, IP packet, or TC segment |
| Length |
Length of the frame in bytes |
Logical Operators
| OPERATOR |
DESCRIPTION |
EXAMPLE |
| and or && |
Logical AND |
All the conditions should match |
| or or || |
Logical OR |
Either all or one of the conditions should match |
| xor or ^^ |
Logical XOR |
Exclusive alterations – only one of the two conditions should match not both |
| not or ! |
Not (Negation) |
Not equal to |
| [ n ] [ … ] |
Substring operator |
Filter a specific word or text |
Filtering Packets (Display Filters)
| OPERATOR |
DESCRIPTION |
EXAMPLE |
| eq or == |
Equal |
ip.dest == 192.168.1.1 |
| ne or != |
Not equal |
ip.dest != 192.168.1.1 |
| gt or > |
Greater than |
frame.len > 10 |
| it or < |
less than |
frame.len < 10 |
| ge or >= |
Greater than or equal |
frame.len >= 10 |
| le or <= |
Less than or equal |
frame.len <= 10 |
Filter Types
| NAME |
DESCRIPTION |
| Capture filter |
Filter packets during capture |
| Display filter |
Hide packets from a capture display |
Wireshark Capturing Modes
| NAME |
DESCRIPTION |
| Promiscuous mode |
Sets interface to capture all packets on a network segment to which it is associated to |
| Monitor mode |
Setup the wireless interface to capture all traffic it can receive (Unix/ Linux only) |
Miscellaneous
| NAME |
DESCRIPTION |
| Slice Operator |
[ … ] – Range of values |
| Membership Operator |
{} – In |
| CTRL+E |
Start/Stop Capturing |
Capture Filter Syntax
| SYNTAX |
PROTOCOL |
DIRECTION |
HOSTS |
VALUE |
LOGICAL OPERATOR |
EXPRESSIONS |
| Example |
tcp |
src |
192.168.1.1 |
80 |
and |
tcp dst 202.164.30.1 |
Display Filter Syntax
| SYNTAX |
PROTOCOL |
STRING 1 |
STRING 2 |
COMPARISON OPERATOR |
VALUE |
LOGICAL OPERATOR |
EXPRESSIONS |
| Example |
http |
dest |
ip |
== |
192.168.1.1 |
and |
tcp port |
Keyboard Shortcuts – Main Display Window
| ACCELERATOR |
DESCRIPTION |
ACCELERATOR |
DESCRIPTION |
| Tab or Shift+Tab |
Move between screen elements, e.g. from the toolbars to the packet list to the packet detail. |
Alt+→ or Option→ |
Move to the next packet in the selection history. |
| ↓ |
Move to the next packet or detail item. |
→ |
In the packet detail, opens the selected tree item. |
| ↑ |
Move to the previous packet or detail item. |
Shift+→ |
In the packet detail, opens the selected tree items and all of its subtrees. |
| Ctrl+ ↓ or F8 |
Move to the next packet, even if the packet list isn’t focused. |
Ctrl+→ |
In the packet detail, opens all tree items. |
| Ctrl+ ↑ Or F7 |
Move to the previous packet, even if the packet list isn’t focused |
Ctrl+← |
In the packet detail, closes all the tree |
| Ctrl+. |
Move to the next packet of the conversation (TCP, UDP or IP). |
Backspace |
In the packet detail, jumps to the parent node. |
| Ctrl+, |
Move to the previous packet of the conversation (TCP, UDP or IP). |
Return or Enter |
In the packet detail, toggles the selected tree item. |
Examples
Filter IPs from PCAP
Command to extract IPs from captured PCAP-file.
$ tcpdump -r capture.pcapng 'ip' -n | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort -u
reading from file capture.pcapng, link-type EN10MB (Ethernet)
0.0.0.0
10.30.100.204
104.26.10.153
13.107.18.11
140.82.112.26
140.82.121.4
URL List