Top Filters

| Filter | Description |
| --- | --- |
| `ip.addr==10.10.1.1` | Filters traffic to or from the provided IP address |
| `ip.addr==192.168.27.0/24` | Filters traffic with a source or destination address in the provided subnet |
| `tcp.port==80` | Filters traffic on a specific TCP port |
| `tcp.port in {80,443,8000..8005}` | Filters traffic on a set of TCP ports, including the range 8000 to 8005 |
| `tcp or dns` | Filters all TCP or DNS traffic |
| `eth matches "London"` | Filters Ethernet frames matching a specific string (`matches` takes a case-insensitive regular expression) |
| `!(arp or stp or lldp or cdp or eth.addr==ff:ff:ff:ff:ff:ff or tcp.port in {4433,80})` | Excludes ARP, STP, LLDP and CDP traffic, frames with the Ethernet broadcast address, and TCP ports 4433 and 80 |

General Filters

| Filter | Description |
| --- | --- |
| `http` | Filters all HTTP traffic |
| `dns` | Filters all DNS traffic |
| `ip.src==192.168.1.1` | Filters traffic from a specific source IP |
| `ip.dst==192.168.1.2` | Filters traffic to a specific destination IP |
| `ipv6` | Filters all IPv6 traffic |
| `eth.addr==00:11:22:33:44:55` | Filters traffic to or from a specific MAC address |

TCP Filters

| Filter | Description |
| --- | --- |
| `tcp.port==80` | Filters TCP traffic on a specific port |
| `tcp.port in {8000..8005}` | Filters TCP traffic on a range of ports |
| `tcp.flags.syn==1` | Filters TCP packets with the SYN flag set |
| `tcp.flags.reset==1` | Filters TCP packets with the RESET flag set |

Frame Filters

| Filter | Description |
| --- | --- |
| `frame.len>=100` | Filters packets with a frame length of 100 bytes or more |
| `frame contains "example"` | Filters packets containing a specific string |

IP Filters

| Filter | Description |
| --- | --- |
| `ip.addr==192.168.1.0/24` | Filters traffic within a specific subnet |
| `ip.addr==192.168.1.1 && ip.addr==192.168.1.2` | Filters all conversations between two specific IPs, in both directions |

Exclusion Filters

| Filter | Description |
| --- | --- |
| `!arp` | Excludes all ARP traffic |

Novel Filters

| Filter | Description |
| --- | --- |
| `http.request.method == "POST"` | Filters HTTP POST requests |
| `ssl or tls` | Filters all SSL/TLS traffic (`ssl` is the legacy protocol name; Wireshark 3.0 and later use `tls`) |
| `ip.addr==192.168.1.1 and http` | Filters all HTTP traffic to or from a specific IP |
| `dns.qry.name contains "example"` | Filters DNS queries whose query name contains a specific string |
| `tcp.flags.syn==1 and tcp.flags.ack==1` | Filters TCP packets with both the SYN and ACK flags set |
| `icmp` | Filters all ICMP traffic |
| `ip.addr==192.168.1.1 and icmp` | Filters all ICMP traffic to or from a specific IP |
| `tcp contains "password"` | Filters all TCP packets containing the word "password" (`contains` is case-sensitive) |
| `http.cookie contains "sessionid"` | Filters all HTTP cookies containing the string "sessionid" |
| `eth.dst == ff:ff:ff:ff:ff:ff` | Filters all Ethernet frames with the destination MAC set to broadcast |
| `dns.resp.len > 0` | Filters DNS responses with a length greater than zero |
| `!(ip.addr == 192.168.1.1)` | Excludes all traffic to or from a specific IP address (on older Wireshark releases the `ip.addr != 192.168.1.1` form matches any packet where either address differs, so it excludes almost nothing) |
| `tcp.flags.fin==1 and tcp.flags.ack==1` | Filters TCP packets with both the FIN and ACK flags set |
| `http.request.uri contains "/login"` | Filters HTTP requests with "/login" in the URI |
| `http.response.code == 200` | Filters HTTP responses with a status code of 200 |
| `tcp.len > 0` | Filters TCP segments with a payload length greater than zero |
| `tls.record.version == 0x0303` | Filters TLS records with version TLS 1.2 (the field is `ssl.record.version` in Wireshark releases before 3.0; TLS 1.3 records also carry this value) |
| `http.request or http.response` | Filters all HTTP requests and responses |
| `udp.port == 53` | Filters all UDP traffic on port 53 |
| `ip.addr == 192.168.1.1 and (tcp or udp)` | Filters all TCP or UDP traffic to or from a specific IP address |
| `frame.len <= 64` | Filters all frames with a length of 64 bytes or less |
| `ip.ttl <= 64` | Filters all IP packets with a TTL of 64 or less |
| `tcp.window_size == 0` | Filters all TCP packets with a window size of zero |
| `tcp.stream eq 1` | Filters all packets in TCP stream 1 |
| `http.host contains "example.com"` | Filters all HTTP packets where the Host header contains a specific string |