Wireshark Cheat Sheet
A comprehensive cheat sheet for using Wireshark, covering essential features, filters, and techniques for network analysis and security monitoring.
Wireshark Basics
Getting Started
Purpose: Wireshark is a network protocol analyzer that captures and analyzes network traffic in real-time.
Download: Get it from www.wireshark.org.
Interface: Familiarize yourself with the main window, including the capture filter bar, packet list pane, packet details pane, and packet bytes pane.
Capture Interface: Select the correct network interface from the capture options to start capturing traffic.
Capture Filters: Use capture filters to limit the traffic captured to only what you need (e.g.,
Stop Capture: Use the stop button (red square) to halt the packet capture process.
Save Capture: Save captured packets in a
Common Interface Elements
Packet List Pane: Displays a summary of each captured packet.
Packet Details Pane: Shows detailed information about the selected packet’s protocol layers and fields.
Packet Bytes Pane: Displays the raw data of the packet in hexadecimal and ASCII format.
Filter Toolbar: Allows you to apply display filters to focus on specific traffic.
Statistics Menu: Provides various statistical summaries of the captured traffic.
Go Menu: Allows navigation of captured packets.
Display Filters
Basic Filters
Advanced Filters
Filter Operators
Equal to
Not equal to
Greater than
Less than
Greater than or equal to
Less than or equal to
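The six comparison operators above, combined with and/or/not, can be tried out in the following added Python example. It is not Wireshark code: the evaluator, the field names and the packets (constructed, not captured) are the example's own. It models two things a display-filter user needs to know: a field such as ip.addr or tcp.port occurs twice in a packet and matches when either occurrence satisfies the comparison, and "ip.addr != x" is evaluated as "!(ip.addr == x)", which is the reading Wireshark has used since version 3.6.

```python
"""Mini evaluator for Wireshark-style display filters (added example, not Wireshark code).
Supports ==, !=, >, <, >=, <= plus and/or/not (also spelled &&, ||, !) and parentheses
over constructed packets held as dicts."""
import operator
import re

OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}

# Names Wireshark exposes as one field that really cover two packet fields, so
# "ip.addr == X" is true when either the source or the destination is X.
MULTI = {"ip.addr": ("ip.src", "ip.dst"),
         "tcp.port": ("tcp.srcport", "tcp.dstport"),
         "udp.port": ("udp.srcport", "udp.dstport")}

# Constructed sample packets (not captured traffic). Packet 5 is an ARP request,
# so it carries no ip.* or tcp.* fields at all.
PACKETS = [
    {"frame.len": 74, "ip.src": "192.168.1.10", "ip.dst": "93.184.216.34", "tcp.srcport": 51000, "tcp.dstport": 443},
    {"frame.len": 1514, "ip.src": "93.184.216.34", "ip.dst": "192.168.1.10", "tcp.srcport": 443, "tcp.dstport": 51000},
    {"frame.len": 82, "ip.src": "192.168.1.10", "ip.dst": "192.168.1.1", "udp.srcport": 40000, "udp.dstport": 53},
    {"frame.len": 60, "ip.src": "10.0.0.5", "ip.dst": "192.168.1.10", "tcp.srcport": 4444, "tcp.dstport": 80},
    {"frame.len": 42, "arp.opcode": 1},
]

TOKEN = re.compile(r"\s*(\(|\)|==|!=|>=|<=|>|<|&&|\|\||!|[\w.]+)")

def tokenize(expr):
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"cannot tokenize {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def parse(tokens):
    """Recursive descent; precedence from loosest to tightest: or, and, not."""
    peek = lambda: tokens[0] if tokens else None
    def or_expr():
        node = and_expr()
        while peek() in ("or", "||"):
            tokens.pop(0)
            node = ("or", node, and_expr())
        return node
    def and_expr():
        node = not_expr()
        while peek() in ("and", "&&"):
            tokens.pop(0)
            node = ("and", node, not_expr())
        return node
    def not_expr():
        if peek() in ("not", "!"):
            tokens.pop(0)
            return ("not", not_expr())
        if peek() == "(":
            tokens.pop(0)
            node = or_expr()
            if tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        field, op, value = tokens.pop(0), tokens.pop(0), tokens.pop(0)
        if op not in OPS:
            raise ValueError(f"unknown operator {op!r}")
        return ("cmp", field, op, int(value) if value.isdigit() else value)
    tree = or_expr()
    if tokens:
        raise ValueError(f"unexpected trailing token {tokens[0]!r}")
    return tree

def values(pkt, field):
    """All occurrences of a field in the packet (empty list if the field is absent)."""
    return [pkt[f] for f in MULTI.get(field, (field,)) if f in pkt]

def evaluate(node, pkt):
    kind = node[0]
    if kind == "cmp":
        _, field, op, value = node
        vals = [v for v in values(pkt, field) if isinstance(v, type(value))]
        if op == "!=":
            # Wireshark (3.6 and later) reads "a != b" as "!(a == b)": no occurrence may equal b.
            return not any(v == value for v in vals)
        return any(OPS[op](v, value) for v in vals)   # any occurrence satisfying it is enough
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    return evaluate(node[1], pkt) or evaluate(node[2], pkt)

def apply_filter(expr, packets=PACKETS):
    """Numbers (1-based, like Wireshark's No. column) of the packets matching expr."""
    tree = parse(tokenize(expr))
    return [n for n, p in enumerate(packets, 1) if evaluate(tree, p)]

if __name__ == "__main__":
    for expr in ("tcp.port == 443",
                 "ip.addr == 192.168.1.10 and not tcp.port == 443",
                 "ip.addr != 192.168.1.1",
                 "frame.len > 1000 || udp.port == 53"):
        print(f"{expr:48} -> packets {apply_filter(expr)}")
```

Note how "ip.addr != 192.168.1.1" drops packet 3 (whose destination is 192.168.1.1) even though its source is not; before 3.6 Wireshark would have kept it because one of the two addresses differed. As in Wireshark, "and" binds tighter than "or", so use parentheses when an "or" has to be evaluated first.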
Capture Filters (BPF)
Basic Syntax
Capture filters use Berkeley Packet Filter (BPF) syntax and are applied before traffic is captured.
Combining Filters
Combine filters: both conditions must be true.
Combine filters: either condition can be true.
Negate a filter.
Capture traffic to/from 192.168.1.1 on port 80.
Capture traffic on the 10.0.0.0/24 network or port 53.
Capture everything except ARP traffic.
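The following added Python example illustrates the BPF section above: it is not Wireshark or libpcap code, but a stand-in that builds a few Ethernet frames by hand (constructed traffic with made-up MAC addresses), writes them to a classic pcap file that Wireshark can open, and evaluates the host, net, port and arp primitives combined with and / or / not over those frames, so the three combined filters described above can be checked frame by frame. The builders, the Filter class and the frame set are the example's own.

```python
"""Constructed Ethernet frames, a pcap writer and a BPF-style capture-filter matcher.
Added example, not Wireshark or libpcap code."""
import ipaddress
import struct

# ---- frame builders; checksums are left at 0 (Wireshark does not verify them by default)
def ether(dst_mac, src_mac, ethertype, payload):
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload

def tcp(sport, dport, payload=b""):
    # seq/ack 0, data offset 5 words, SYN flag, window 65535, checksum 0, urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload

def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def arp_request(sender_mac, sender_ip, target_ip):
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + bytes.fromhex(sender_mac)
            + ipaddress.ip_address(sender_ip).packed + b"\x00" * 6
            + ipaddress.ip_address(target_ip).packed)

# ---- constructed traffic (not a real capture); MAC addresses are made up
MAC_HOST, MAC_GW = "aabbccddee01", "aabbccddee02"
FRAMES = [
    ether(MAC_GW, MAC_HOST, 0x0800, ipv4("192.168.1.10", "192.168.1.1", 6, tcp(51000, 80))),   # 1 HTTP to 192.168.1.1
    ether(MAC_HOST, MAC_GW, 0x0800, ipv4("192.168.1.1", "192.168.1.10", 6, tcp(80, 51000))),   # 2 reply from it
    ether(MAC_GW, MAC_HOST, 0x0800, ipv4("192.168.1.10", "192.168.1.1", 6, tcp(51001, 443))),  # 3 TLS to 192.168.1.1
    ether(MAC_GW, MAC_HOST, 0x0800, ipv4("10.0.0.5", "8.8.8.8", 17, udp(40000, 53))),          # 4 DNS from 10.0.0.0/24
    ether(MAC_GW, MAC_HOST, 0x0800, ipv4("172.16.0.9", "172.16.0.53", 17, udp(40001, 53))),    # 5 DNS elsewhere
    ether("ffffffffffff", MAC_HOST, 0x0806, arp_request(MAC_HOST, "192.168.1.10", "192.168.1.1")),  # 6 ARP
]

def summarize(frame):
    """The few header fields the primitives look at: ethertype, both IPs, both ports."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"ethertype": ethertype, "ips": (), "ports": ()}
    if ethertype == 0x0800:                                   # IPv4
        ihl = (frame[14] & 0x0F) * 4
        info["ips"] = (str(ipaddress.ip_address(frame[26:30])),
                       str(ipaddress.ip_address(frame[30:34])))
        if frame[23] in (6, 17):                              # TCP or UDP: ports are the first 4 bytes
            info["ports"] = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return info

class Filter:
    """A BPF-style predicate; & | ~ stand in for and / or / not and bind in the same order."""
    def __init__(self, text, fn):
        self.text, self.fn = text, fn
    def __call__(self, info):
        return self.fn(info)
    def __and__(self, other):
        return Filter(f"{self.text} and {other.text}", lambda i: self(i) and other(i))
    def __or__(self, other):
        return Filter(f"{self.text} or {other.text}", lambda i: self(i) or other(i))
    def __invert__(self):
        return Filter(f"not {self.text}", lambda i: not self(i))

def host(ip):                     # matches source or destination, like BPF's host
    return Filter(f"host {ip}", lambda i: ip in i["ips"])

def port(number):                 # matches source or destination port
    return Filter(f"port {number}", lambda i: number in i["ports"])

def net(cidr):
    network = ipaddress.ip_network(cidr)
    return Filter(f"net {cidr}", lambda i: any(ipaddress.ip_address(a) in network for a in i["ips"]))

arp = Filter("arp", lambda i: i["ethertype"] == 0x0806)

def matching(flt, frames=FRAMES):
    """1-based numbers of the frames a capture filter would let through."""
    return [n for n, fr in enumerate(frames, 1) if flt(summarize(fr))]

def pcap_bytes(frames=FRAMES):
    """Classic pcap: 24-byte global header (link type 1 = Ethernet), then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, fr in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + n, 0, len(fr), len(fr)) + fr
    return out

if __name__ == "__main__":
    with open("constructed.pcap", "wb") as f:   # open this in Wireshark and try the same filters there
        f.write(pcap_bytes())
    for flt in (host("192.168.1.1") & port(80), net("10.0.0.0/24") | port(53), ~arp):
        print(f"{flt.text:32} -> frames {matching(flt)}")
```

Frame 3 goes to 192.168.1.1 but on port 443, so "host 192.168.1.1 and port 80" keeps only frames 1 and 2; "net 10.0.0.0/24 or port 53" keeps frames 4 and 5; "not arp" keeps everything but frame 6. Because these are capture filters, frames they reject are never written to the file at all, which is the difference from a display filter.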
Advanced Features
Following Streams
Follow TCP Stream: Right-click on a TCP packet and select “Follow” -> “TCP Stream” to see the entire conversation.
Follow UDP Stream: Similar to TCP, but for UDP packets.
This is useful for reassembling data transmitted over a connection, such as HTTP requests and responses.
Analyzing Statistics
Statistics Menu: Use the Statistics menu to generate reports on captured traffic.
Conversations: Analyze traffic between different endpoints.
Endpoints: Show a list of all endpoints in the capture.
Protocol Hierarchy: See the distribution of traffic by protocol.
IO Graphs: Visualize traffic patterns over time.
Security Analysis
Detecting Anomalies: Look for unusual traffic patterns, large packet sizes, or connections to unknown hosts.
Identifying Malware: Examine traffic for known malware signatures or communication patterns.
Analyzing Encrypted Traffic: While you can’t see the content, you can analyze the metadata (IP addresses, ports, TLS versions) of encrypted traffic.
VLAN Tagging: Use
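The Endpoints, Conversations and Protocol Hierarchy views from the Statistics menu above, and the "Detecting Anomalies" check under Security Analysis, all rest on simple tallies that are easy to reproduce outside the GUI. The following added Python example (not Wireshark code) computes those tallies over constructed packet records and then applies three illustrative anomaly checks: large frames, peers outside a known set, and a conversation in which one side sends nearly all the bytes. The packet records, the KNOWN_HOSTS baseline and the thresholds are constructed for the example and would need tuning for a real network.

```python
"""Statistics-menu style summaries and simple anomaly checks over constructed packets.
Added example, not Wireshark code."""
from collections import Counter, defaultdict

# Constructed packet records (not captured traffic): (src, dst, protocol stack, frame length)
PACKETS = [
    ("192.168.1.10", "93.184.216.34", "eth:ip:tcp:tls", 583),
    ("93.184.216.34", "192.168.1.10", "eth:ip:tcp:tls", 1514),
    ("93.184.216.34", "192.168.1.10", "eth:ip:tcp:tls", 1514),
    ("192.168.1.10", "93.184.216.34", "eth:ip:tcp", 66),
    ("192.168.1.10", "192.168.1.1", "eth:ip:udp:dns", 82),
    ("192.168.1.1", "192.168.1.10", "eth:ip:udp:dns", 146),
    ("192.168.1.10", "198.51.100.77", "eth:ip:tcp", 74),
    ("198.51.100.77", "192.168.1.10", "eth:ip:tcp", 74),
    ("192.168.1.10", "198.51.100.77", "eth:ip:tcp:data", 1514),
    ("192.168.1.10", "198.51.100.77", "eth:ip:tcp:data", 1514),
    ("192.168.1.10", "198.51.100.77", "eth:ip:tcp:data", 1514),
    ("198.51.100.77", "192.168.1.10", "eth:ip:tcp", 66),
]

# Assumed baseline of peers this host is expected to talk to (an example allowlist).
KNOWN_HOSTS = {"192.168.1.1", "192.168.1.10", "93.184.216.34"}

def endpoints(packets=PACKETS):
    """Statistics > Endpoints: [packets, bytes] per address, counting either direction."""
    stats = defaultdict(lambda: [0, 0])
    for src, dst, _, size in packets:
        for addr in (src, dst):
            stats[addr][0] += 1
            stats[addr][1] += size
    return dict(stats)

def conversations(packets=PACKETS):
    """Statistics > Conversations: the pair is unordered, so A->B and B->A form one row."""
    stats = defaultdict(lambda: [0, 0])
    for src, dst, _, size in packets:
        pair = tuple(sorted((src, dst)))
        stats[pair][0] += 1
        stats[pair][1] += size
    return dict(stats)

def protocol_hierarchy(packets=PACKETS):
    """Statistics > Protocol Hierarchy: each packet is counted once at every layer it carries."""
    counts = Counter()
    for _, _, stack, _ in packets:
        layers = stack.split(":")
        for depth in range(1, len(layers) + 1):
            counts[":".join(layers[:depth])] += 1
    return counts

def anomalies(packets=PACKETS, known=KNOWN_HOSTS, large=1400, min_bytes=1000, skew=0.9):
    """Three simple checks; the thresholds are illustrative and need tuning per network."""
    large_frames = [n for n, (_, _, _, size) in enumerate(packets, 1) if size >= large]
    unknown = sorted({a for src, dst, _, _ in packets for a in (src, dst) if a not in known})
    by_direction = defaultdict(lambda: [0, 0])        # per unordered pair: [a->b bytes, b->a bytes]
    for src, dst, _, size in packets:
        a, b = sorted((src, dst))
        by_direction[(a, b)][0 if src == a else 1] += size
    lopsided = [pair for pair, (ab, ba) in by_direction.items()
                if ab + ba >= min_bytes and max(ab, ba) / (ab + ba) >= skew]
    return {"large_frames": large_frames, "unknown_hosts": unknown, "lopsided_conversations": lopsided}

if __name__ == "__main__":
    for addr, (pkts, nbytes) in sorted(endpoints().items()):
        print(f"endpoint {addr:15} {pkts:3} packets {nbytes:6} bytes")
    for (a, b), (pkts, nbytes) in conversations().items():
        print(f"conversation {a} <-> {b}: {pkts} packets, {nbytes} bytes")
    for layer, count in sorted(protocol_hierarchy().items()):
        print(f"{layer:20} {count}")
    print(anomalies())
```

On this data the conversation with 198.51.100.77 is flagged twice: the address is outside the known set, and 4616 of its 4756 bytes flow outbound, the kind of pattern (a bulk one-way transfer to an unfamiliar host) that the Conversations view makes visible when sorted by bytes per direction.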