| Name | Filter | Description |
|---|---|---|
| Connection Reset | tcp.flags.reset==1 | Unexpected TCP resets could suggest a network failure or timeout. |
| Bad TCP packets | tcp.analysis.flags && !tcp.analysis.window_update | Issues in TCP flow, excluding sliding windows updates. |
| Slow RTT | tcp.analysis.ack_rtt > 0.1 | A high RTT or an increase over time might indicate network congestion. |
| TCP Waiting for App | tcp.time_delta > 0.1 | Indicative of potential application problems, not strictly a network issue. |
| Slow DNS | dns.time > 1 | Slow name resolution could negatively impact every command. |
| TCP Dup ACK | tcp.analysis.duplicate_ack | Repeated acknowledgements could signify packet loss. |
| TCP Retransmission | tcp.analysis.retransmission | Excessive retransmissions could indicate packet loss or network congestion. |
| High HTTP Response Time | http.time > 1 | Slow HTTP response times could impact web application performance. |
| Excessive ARP Broadcast | arp.isgratuitous == 1 | Excessive gratuitous ARP could indicate IP conflicts or other network issues. |
| ICMP Redirects | icmp.type==5 and icmp.code==1 | Could indicate suboptimal routing or other network configuration issues. |
| Application Dependencies | http.host == "www.espn.com" | For example, to load a site like www.espn.com, you must visit many hosts supplying content. This filter helps identify those hosts. |
| TCP Zero Window | tcp.window_size == 0 and tcp.flags.reset == 0 | Indicates that the receiving application is unable to process the data as fast as it’s being sent, leading to network slowdown. (A bare `tcp.flags.reset` only tests that the field exists, so the comparison to 0 is required to exclude resets.) |
| TCP Window Full | tcp.analysis.window_full | Indicates the receiver’s buffer is full. Can lead to slowdown or dropped packets if not managed properly. |
| Recovery Events | tcp.stream eq ${tcp.stream} and (tcp.analysis.window_update or tcp.analysis.zero_window) | To analyze TCP window zeroing and recovery events. |
| Slow DNS Responses | dns.flags.rcode eq 0 and dns.time gt .1 | To identify slow DNS responses to check if the delay is due to your local DNS resolver or due to recursion. |
| Removing Irrelevant Data | !(eth.dst == ff:ff:ff:ff:ff:ff or arp or stp) | To remove irrelevant data (like broadcasts and layer 2 protocols) from your analysis. |
| Incident Response Snapshot | tcp.flags.syn==1 or tcp.flags.fin==1 or tcp.flags.reset==1 or dns or tls.handshake.type==1 or tls.handshake.type==2 or tcp.port==3389 or tcp.port==22 or tcp.port==445 | To get a quick snapshot of the most important events in an incident response situation. |
| Video Traffic QoS | ip and (ip[1] & 0xfc) >> 2 == 0x20 || ip and (ip[1] & 0xfc) >> 2 == 0x22 | To capture traffic with the Assured Forwarding flag set to ensure QoS is correctly applied to video traffic. This is capture-filter (BPF) syntax; the display-filter equivalent is ip.dsfield.dscp == 0x20 or ip.dsfield.dscp == 0x22. |
| Specific Device Identification | wlan.addr_resolved contains Nintendo or eth.addr_resolved contains Sony | To identify specific devices in your network using the OUI name instead of MAC address. |
| Duplicate IP Identification | arp.duplicate-address-frame | To identify duplicate IP addresses in your network. |
| Syn/FIN/RST Packets | tcp.flags&7 || (tcp.seq==1 && tcp.ack==1 && tcp.len==0) || tcp.len>1 | To view all SYN/FIN/RST packets, the final ACK of the 3-way-handshake, and all data packets. |
| Traffic Types | eth.ig==1, not eth.ig==1, eth.addr==ff:ff:ff:ff:ff:ff, and not eth.addr==ff:ff:ff:ff:ff:ff | To select or exclude specific frame types: group (multicast/broadcast) frames, unicast frames, broadcast frames, and non-broadcast frames. |
| Diagnosing TCP Issues | tcp.port==12345 and icmp | To diagnose problems with an application running over a specific TCP port, by setting up pings between the two end points and waiting for the problem to occur. |