Advanced Wireshark Filtering Techniques

Introduction to Advanced Filtering

Wireshark's true power lies in its ability to filter packets with incredible precision. Advanced filtering techniques allow you to isolate specific traffic patterns, protocols, or anomalies, making your network analysis more efficient and effective.

Pro Tip: Combine multiple filter conditions to create highly specific filters that target exactly the traffic you're interested in.

Mastering Display Filter Syntax

Comparison Operators

Operator	Description	Example
==	Equal	`ip.addr == 192.168.1.1`
!=	Not equal	`ip.addr != 10.0.0.1`
>	Greater than	`frame.len > 1000`
<	Less than	`tcp.window_size < 5000`
>=	Greater than or equal	`tcp.port >= 1024`
<=	Less than or equal	`udp.length <= 100`

Logical Operators

and or &&: Both conditions must be true
or or ||: Either condition can be true
not or !: Negates the condition

Complex Filter Example


    (ip.src == 192.168.1.100 and tcp.port == 80) or (ip.dst == 10.0.0.1 and udp.port == 53)

This filter shows HTTP traffic from 192.168.1.100 or DNS traffic to 10.0.0.1.

Advanced Filtering Techniques

1. Using Wildcard and Contains Operators

http.host contains "example": Matches any HTTP host containing "example"
ip.addr matches "192.168.1.[1-5]": Matches IP addresses from 192.168.1.1 to 192.168.1.5

2. Filtering on Packet Contents

frame contains "password": Finds packets containing the word "password"
data.data contains 00:ff:aa: Locates packets with specific byte sequences

3. Time-Based Filtering

frame.time >= "Jun 02, 2023 15:00:00": Shows packets after a specific time
frame.time_relative < 60: Displays packets within the first minute of capture

4. Protocol-Specific Fields

tcp.analysis.retransmission: Identifies TCP retransmissions
http.response.code == 404: Finds HTTP 404 responses
dns.qry.name contains "google": Shows DNS queries for Google domains

5. Combining Capture and Display Filters

Use capture filters to reduce the amount of data captured, then apply display filters for detailed analysis:

Capture filter: host 192.168.1.100
Display filter: http or dns

Advanced Filter Use Cases

1. Troubleshooting Network Performance


    tcp.analysis.flags && !tcp.analysis.window_update

This filter helps identify potential TCP performance issues by showing packets with TCP analysis flags, excluding window updates.

2. Security Analysis


    (http.request.method == "POST" or http.request.method == "GET") and http.host contains "login"

Use this to monitor login attempts, which could be useful for detecting brute force attacks.

3. Application Debugging


    ip.addr == 192.168.1.100 and tcp.port == 8080 and frame contains "error"

This filter could help debug an application running on a specific host and port, looking for error messages.

4. VoIP Analysis


    rtp.ssrc == 0x12345678 and (rtp.timestamp < 54321 or rtp.timestamp > 98765)

Analyze RTP streams for a specific session, focusing on packets with timestamps outside an expected range.

Tips for Efficient Filtering

Use the Expression... button in the filter toolbar to build complex filters
Save frequently used filters as Filter Buttons for quick access
Utilize the "Conversation Filter" feature to quickly isolate traffic between two endpoints
Experiment with filters in a test environment before applying them to large captures
Use comments in your filters for better readability: # This filter shows HTTP POST requests to login pages
http.request.method == "POST" and http.host contains "login"