Wireshark’s most useful display filters

wireshark-logoNow and then, especially when you expect less, the network crashes or encounter an issue and then you had to troubleshoot. Sometime the problem is right there, you can see it and it’s easy to fix, but in other cases you’ll have to put an eye in the packets that are traveling through it and search deeper for the solution. When it comes to network sniffing or packet capturing or whatever you want to call it, I believe that the name Wireshark (formerly Ethereal) ring a bell in your head.

Wireshark is one of the world’s foremost network protocol analyzer, and is the de facto standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998. Some features of Wireshark:
– Deep inspection of hundreds of protocols, with more being added all the time
– Live capture and offline analysis
– Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
– Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
– Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and   uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
– Capture files compressed with gzip can be decompressed on the fly
– Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platfrom)
– Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2

Wireshark is extremely useful when it comes to network troubleshooting as it capture the packets and you can have a detail look into them checking if everything is OK in parameters, message, format and so on. The problem is that if you capture the packets traveling through a backbone router you will end having  huge file ( yes, even up to 1G if you capture long enough) and a lot packets details in it. From this tons of information maybe you are interested in only a minor part like BGP traffic or a certain IP source and destination. Here is the part where Wireshark filters come into play.

There are 2 type of Wireshark filters:

– DISPLAY FILTERS – after you capture a lot of information, they help you to visualize only the packets that you are interested in
– CAPTURE FILTERS – from the beginning you know what is the interest for you and capture only those packets

I would recommed to use the Capture filters, when you know what are you looking for and you run the capture for more than couple of hours in a heavy traffic environment. This will help you stay in a reasonable amount on information being captured and file size.
If you run the packet capture for less time, like one or two hours, and you are not very sure what are you looking for, then I recommend to capture all the traffic and then use Display filters to visualize only the information that you are searching for.

For today I put together a list with the most useful Wireshark display filters. I compiled this list based on my personal experience and on my friends and colleagues advices. If you think that something is missing, or you are using a Display filter that might be useful for others please feel free to add it to a Comment to this topic and I will update the list. In one of the future posts I will show you how to capture the traffic and apply some of this filters.

eth.addr source or destination mac-address eth.addr == 00:1a:6b:ce:fc:bb
eth.src source mac-address eth.src == 00:1a:6b:ce:fc:bb
eth.dst destination mac-address eth.dst == 00:1a:6b:ce:fc:bb
arp.dst.hw_mac target mac-address arp.dst.hw_mac == 00:1a:6b:ce:fc:bb
arp.dst.proto_ipv4 target IPv4 address arp.dst.proto_ipv4 ==
arp.src.hw_mac sender mac-address arp.src.hw_mac == 00:1a:6b:ce:fc:bb
arp.src.proto_ipv4 sender IPv4 address arp.src.proto_ipv4 ==
vlan.id vlan ID vlan.id == 16
ip.addr source or destination IPv4 address ip.addr ==
ip.dst destination IPv4 address ip.addr ==
ip.src source IPv4 address ip.src ==
ip.proto IP protocol (decimal) ip.proto == 1
ipv6.addr source or destination IPv6 address ipv6.addr == 2001::5
ipv6.src source IPv6 address ipv6.addr == 2001::5
ipv6.dst destination IPv6 address ipv6.dst == 2001::5
tcp.port source or destination TCP port tcp.port == 20
tcp.dstport destination TCP port tcp.dstport == 80
tcp.srcport source TCP port tcp.srcport == 60234
udp.port source or destination UDP port udp.port == 513
udp.dstport destination UDP port udp.dstport == 513
udp.srcport source UDP port udp.srcport == 40000
fr.dlci Frame-Relay DLCI number fr.dlci == 112
icmp.type ICMP type code (decimal) icmp.type == 8
vtp.vlan_info.vlan_name VLAN name vtp.vlan_info.vlan_name == TEST
bgp.originator_id BGP id (IPv4 address) bgp.originator_id ==
bgp.next_hop BGP Next Hop (IPv4 address) bgp.next_hop ==
rip.ip RIP IPv4 address rip.ip ==
ospf.advrouter OSPF advertising router ID ospf.advrouter ==
eigrp.as EIGRP autonomous system number eigrp.as == 100
hsrp.virt_ip HSRP virtual IP address hsrp.virt_ip ==
vrrp.ip_addr VRRP virtual IP address vrrp.ip_addr ==
zebra.dest4 ZEBRA destination IPv4 address zebra.dest4 ==
wlan.addr source or destination MAC address wlan.addr == 00:1a:6b:ce:fc:bb
wlan.sa source MAC address wlan.sa == 00:1a:6b:ce:fc:bb
wlan.da destination MAC address wlan.da == 00:1a:6b:ce:fc:bb

Materials that helped me for this post:
http://packetlife.net/static/cheatsheets/wireshark-display-filters.pdf – thanks Jeremy Stretch
http://www.wireshark.org/docs/dfref/ – here you can find the full list of filters – thanks developers of Wireshark