Wireshark Cheatsheet
Overview
The following is a cheat sheet for getting started within Wireshark and how to use it.
Starting and Stopping Packet Capture
Action
Wireshark Steps
Shortcut
Start Capture
Select an interface and click Start
Ctrl + E
Stop Capture
Click Stop
Ctrl + E
Save Capture
File → Save As...
Ctrl + S
Open a PCAP File
File → Open...
Ctrl + O
Restart Capture
Capture → Restart
Ctrl + R
Tip: Always use capture filters before starting a capture to reduce noise.
Applying Filters (Capture vs. Display Filters)
Capture Filters (Set Before Capture)
How to Apply: 1️. Click Capture Options (Gear Icon ⚙️) 2️. Enter a filter in Capture Filter field 3. Click Start
Filter
Purpose
port 80
Capture only HTTP traffic
host 192.168.1.1
Capture only packets to/from 192.168.1.1
tcp
Capture only TCP packets
udp
Capture only UDP packets
icmp
Capture only ICMP (ping) traffic
Display Filters (Apply After Capture)
How to Apply: 1️. Type the filter in Display Filter Bar 2️. Press Enter
Filter
Purpose
ip.addr == 192.168.1.1
Show all traffic to/from 192.168.1.1
ip.src == 10.0.0.5
Show only packets originating from 10.0.0.5
ip.dst == 8.8.8.8
Show only packets going to 8.8.8.8
tcp.port == 443
Show only HTTPS traffic
dns
Show only DNS requests & responses
http.request
Show only HTTP requests
tls.handshake.type == 1
Show only TLS Client Hello packets
tcp.flags.syn == 1 && tcp.flags.ack == 0
Detect SYN scans (port scanning)
frame contains "password"
Find packets containing "password"
Tip: Use && (AND), || (OR), and ! (NOT) to combine filters.
Example: tcp && !port 22 (Show only TCP, but exclude SSH traffic).
Useful Wireshark Features for Analysis
Follow Network Streams (View Full Conversations)
Steps:
1️. Right-click a packet → Follow → TCP Stream / UDP Stream
2️. View full conversation between source & destination
Extract Files from Traffic (HTTP, SMB, FTP, etc.)
Steps:
1️. File → Export Objects
2️. Choose protocol (HTTP, SMB, FTP, etc.)
3️. Select files & click Save
Analyze Protocol Hierarchy
How to Use:
1️.Statistics → Protocol Hierarchy
2️. View percentage of traffic per protocol (TCP, HTTP, DNS, etc.)
Visualize Packet Flow
How to Use:
1️. Statistics → Flow Graph
2️. See how packets flow between devices (useful for debugging)
Check for Network Errors (Expert Info)
How to Use:
1️. Analyze → Expert Information
2️. View warnings, errors, and dropped packets
Identify Long Connections (IO Graphs)
How to Use:
1️. Statistics → I/O Graphs
2️. Identify sudden traffic spikes, DoS attacks, or exfiltration
Packet Inspection & Troubleshooting
Issue
Feature to Use
Shortcut
Investigate Latency Issues
Analyze → Expert Info
-
Analyze TCP Handshakes
Statistics → Flow Graph
-
Find HTTP Requests
http.request filter
-
Detect DNS Exfiltration
dns.qry.name contains "malicious.com"
-
Analyze TLS Traffic
tls.handshake.type == 1
-
Tip: Use Wireshark profiles to create custom settings for different scenarios (e.g., forensics, troubleshooting, red teaming).
Wireshark Keyboard Shortcuts for Speed
Shortcut
Action
Ctrl + E
Start/Stop Capture
Ctrl + S
Save Capture
Ctrl + O
Open a PCAP file
Ctrl + F
Find packets by string, hex, etc.
Ctrl + M
Mark a packet
Shift + Ctrl + N
Go to next packet in conversation
Shift + Ctrl + B
Go to previous packet in conversation
Ctrl + T
Set Time Reference (Latency Analysis)
Shift + ← / →
Expand/Collapse packet details
Last updated