Wireshark Filters


dns.qry.name == "www.cordero.me"
dns.qry.name matches ".cordero.me"
dns.qry.name contains "cordero.me"

tcp.flags.reset == 1
tcp.flags.push == 1
tcp.flags.syn == 1

ip.addr == 172.16.200.1
ip.src == 172.16.200.1
ip.dst == 172.16.200.1

tcp.port eq 53
udp.port eq 53

Client Hello:
tls.handshake.type == 1

Server Hello:
tls.handshake.type == 2

Certificate:
tls.handshake.type == 11

Cipher Suites:
tls.handshake.ciphersuite

TLS Message types (tls.handshake.type)
Code  Description
0     HelloRequest
1     ClientHello
2     ServerHello
4     NewSessionTicket
8     EncryptedExtensions (TLS 1.3 only)
11    Certificate
12    ServerKeyExchange
13    CertificateRequest
14    ServerHelloDone
15    CertificateVerify
16    ClientKeyExchange
20    Finished
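The display filter tls.handshake.type works because each TLS record of content type 0x16 carries one or more handshake messages, each with a 1-byte type and a 3-byte length. The parser below is an added example (not part of this cheat sheet) that walks that framing over constructed bytes and maps the type codes to the names in the table above; the sample record, build_record and handshake_messages are assumptions of the example, not Wireshark code.

```python
import struct

# Handshake type codes from the table above (RFC 5246 / RFC 8446).
HANDSHAKE_TYPES = {
    0: "HelloRequest", 1: "ClientHello", 2: "ServerHello",
    4: "NewSessionTicket", 8: "EncryptedExtensions", 11: "Certificate",
    12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
    15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished",
}
HANDSHAKE_RECORD = 0x16  # TLS record content type "handshake"


def handshake_messages(data: bytes):
    """Return [(type_code, name, body_len)] for each handshake message found.
    Non-handshake records are skipped; truncated framing raises ValueError."""
    found, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated TLS record header")
        ctype, _ver, rlen = struct.unpack("!BHH", data[off:off + 5])
        record = data[off + 5:off + 5 + rlen]
        if len(record) != rlen:
            raise ValueError("truncated TLS record body")
        off += 5 + rlen
        if ctype != HANDSHAKE_RECORD:  # alert, change_cipher_spec, app data
            continue
        pos = 0
        while pos < len(record):  # several messages may share one record
            if len(record) - pos < 4:
                raise ValueError("truncated handshake header")
            htype = record[pos]
            hlen = int.from_bytes(record[pos + 1:pos + 4], "big")
            pos += 4
            if pos + hlen > len(record):
                raise ValueError("handshake message spans past record")
            found.append((htype, HANDSHAKE_TYPES.get(htype, "unknown"), hlen))
            pos += hlen
    return found


def build_record(messages):
    """Build a constructed handshake record from [(type, body), ...]."""
    body = b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in messages)
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0303, len(body)) + body


# Constructed sample: a TLS 1.2 server flight (ServerHello, Certificate,
# ServerHelloDone) in one record, then a 2-byte alert record that is skipped.
SAMPLE = build_record([(2, b"\x03\x03" + b"\x00" * 36), (11, b"\x00\x00\x00"),
                       (14, b"")]) + bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x00])
```

Running handshake_messages(SAMPLE) yields the three server-flight messages (types 2, 11, 14) and ignores the alert record, which is the same set of frames "tls.handshake.type == 2 || tls.handshake.type == 11 || tls.handshake.type == 14" would match.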


Traffic type  Capture filter(s)              Display filter(s) [wireshark]
RIPv2         udp port 520                   udp.port==520
EIGRP         ip proto eigrp                 ip.proto==88
OSPF          ip proto ospf                  ip.proto==89
LDP           udp port 646 or tcp port 646   udp.port==646 or tcp.port==646
PIM           ip proto pim                   pim
IGMP          ip proto igmp                  igmp
BGP           tcp port 179                   tcp.port==179
ICMP          ip proto icmp                  icmp


Wireshark display filter operands

and                 &&
or                  ||
=                   ==
protocol and port   udp.port==   tcp.port==
source or dest ip   ip.src==     ip.dst==