Wireshark Cheat Sheet

Network protocol analyzer for deep packet inspection. Covers display filters by protocol, statistics features, stream following, and tshark CLI equivalents for automation.

TCP/IP Display Filters

Show all traffic to or from a specific IP address

$ ip.addr == 192.168.1.1

Filter TCP port 443 traffic from a specific source IP

$ tcp.port == 443 && ip.src == 10.0.0.1

Show only TCP SYN packets (new connection attempts)

$ tcp.flags.syn == 1 && tcp.flags.ack == 0

Display only TCP retransmissions to identify network issues

$ tcp.analysis.retransmission

Show subnet traffic excluding ARP broadcasts

$ ip.addr == 192.168.1.0/24 && not arp

Application Protocol Filters

Show only HTTP POST requests

$ http.request.method == "POST"

Filter DNS queries for a specific domain

$ dns.qry.name contains "target.com"

Filter TLS traffic by SNI hostname

$ tls.handshake.extensions_server_name contains "target"

Show HTTP error responses (4xx and 5xx)

$ http.response.code >= 400

Display all email protocol traffic

$ smtp || pop || imap

Statistics & Analysis

View all TCP conversations sorted by bytes transferred

$ Statistics > Conversations > TCP

See protocol distribution breakdown of the capture

$ Statistics > Protocol Hierarchy

List all IPv4 endpoints with packet and byte counts

$ Statistics > Endpoints > IPv4

Summarize all HTTP requests by host and URI

$ Statistics > HTTP > Requests

Review warnings, errors, and anomalies detected in the capture

$ Analyze > Expert Information

Following Streams

Reconstruct and view the full TCP conversation

$ Right-click packet > Follow > TCP Stream

View complete HTTP request/response exchanges

$ Right-click packet > Follow > HTTP Stream

View decrypted TLS stream (requires key log file)

$ Right-click packet > Follow > TLS Stream

Filter to display only TCP stream index 5

$ tcp.stream eq 5

tshark CLI

Capture on eth0 for 60 seconds and save to pcap

$ tshark -i eth0 -w capture.pcap -a duration:60

Extract HTTP hosts and URIs from a capture file

$ tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri

Display I/O statistics in 30-second intervals

$ tshark -r capture.pcap -qz io,stat,30

Export DNS packets as JSON for analysis

$ tshark -r capture.pcap -Y "dns" -T json > dns_queries.json

List all TCP conversations from a capture file

$ tshark -r capture.pcap -qz conv,tcp
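The "Conversations > TCP sorted by bytes" view above, and the `-qz conv,tcp` equivalent, can also be rebuilt from raw tshark field output when you need the numbers in a script. This is an added example, not part of the cheat sheet: it assumes the capture was exported with `tshark -r capture.pcap -Y tcp -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e frame.len` (tab-separated, one packet per line), and the sample lines embedded below are constructed, not taken from a real capture.

```python
from collections import defaultdict

# Constructed sample of `tshark -T fields` output: ip.src, ip.dst,
# tcp.srcport, tcp.dstport, frame.len separated by tabs.
SAMPLE_OUTPUT = """\
10.0.0.1\t192.168.1.1\t51234\t443\t74
192.168.1.1\t10.0.0.1\t443\t51234\t74
10.0.0.1\t192.168.1.1\t51234\t443\t66
192.168.1.1\t10.0.0.1\t443\t51234\t1514
192.168.1.1\t10.0.0.1\t443\t51234\t1514
10.0.0.1\t192.168.1.1\t51234\t443\t66
10.0.0.2\t192.168.1.1\t40000\t22\t74
192.168.1.1\t10.0.0.2\t22\t40000\t74
10.0.0.2\t192.168.1.1\t40000\t22\t200
"""


def conversation_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a flow land in one bucket."""
    a, b = (src, int(sport)), (dst, int(dport))
    return (a, b) if a <= b else (b, a)


def summarize_conversations(text):
    """Return [(endpoint_a, endpoint_b, packets, bytes)] sorted by bytes, largest first.

    Mirrors what Statistics > Conversations > TCP (or `tshark -qz conv,tcp`)
    shows, but as plain tuples you can feed into other tooling.
    """
    stats = defaultdict(lambda: [0, 0])  # key -> [packet count, byte count]
    for line in text.splitlines():
        fields = line.split("\t")
        # Skip malformed lines and packets without IPv4 fields (e.g. IPv6 TCP).
        if len(fields) != 5 or not all(fields):
            continue
        src, dst, sport, dport, length = fields
        key = conversation_key(src, sport, dst, dport)
        stats[key][0] += 1
        stats[key][1] += int(length)
    rows = [(f"{a[0]}:{a[1]}", f"{b[0]}:{b[1]}", pkts, nbytes)
            for (a, b), (pkts, nbytes) in stats.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for a, b, pkts, nbytes in summarize_conversations(SAMPLE_OUTPUT):
        print(f"{a:<22} <-> {b:<22} {pkts:>4} pkts {nbytes:>7} bytes")
```

Pipe real tshark output into `summarize_conversations(sys.stdin.read())` to get the same ranking for a full capture.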