Top 20 Wireshark Filters Every Network Engineer Must Know

11/03/2025

🔹 Introduction

Wireshark is powerful, but without filters, it can feel like drinking from a firehose. Network captures often contain thousands of packets, and finding the ones that matter is nearly impossible without display filters. These filters let you focus on specific conversations, protocols, or errors, turning raw data into actionable insights.

This guide covers the top 20 Wireshark filters that every network engineer must know in 2025, along with real-world use cases.


🔹 1. Filter by IP Address

    ip.addr == 192.168.1.10

Use case: Troubleshoot communication from a single host.
Example: A server 192.168.1.10 is slow to respond; filter traffic to see all its flows.


🔹 2. Source or Destination IP

    ip.src == 10.0.0.5
    ip.dst == 10.0.0.20

Use case: Focus on traffic coming from or going to a specific device.
Example: Verify whether packets from a firewall are reaching the web server.


🔹 3. Subnet Filter

    ip.addr == 192.168.1.0/24

Use case: Isolate traffic to or from a local subnet.
Example: Monitor traffic from all IoT devices in 192.168.1.0/24.


🔹 4. Filter by Port

    tcp.port == 443
    udp.port == 53

Use case: Focus on specific services.
Example: Show only HTTPS traffic or DNS lookups.


🔹 5. Show Only TCP Traffic

    tcp

Use case: Troubleshoot TCP connections.
Example: Analyze retransmissions or failed handshakes.


🔹 6. Show Only UDP Traffic

    udp

Use case: Look at lightweight protocols.
Example: Inspect RTP (VoIP) or DNS queries.


🔹 7. HTTP Requests

    http.request

Use case: See all HTTP requests from clients.
Example: Check if browsers are sending repeated GET requests.


🔹 8. HTTP GET vs POST

    http.request.method == "GET"
    http.request.method == "POST"

Use case: Troubleshoot web form submissions or API calls.
Example: Validate if API endpoints are receiving POST requests correctly.


🔹 9. DNS Queries for a Domain

    dns.qry.name == "sanchitgurukul.com"

Use case: Verify DNS lookups.
Example: Ensure clients can resolve your domain properly.


🔹 10. Failed DNS Responses

    dns.flags.rcode != 0

Use case: Detect DNS errors.
Example: Troubleshoot why SaaS app lookups return SERVFAIL.


🔹 11. TLS/SSL Handshakes

    tls.handshake

Use case: Analyze TLS setup.
Example: Debug failed SSL/TLS negotiations.


🔹 12. TLS Alerts

    tls.alert_message

Use case: Find encryption failures.
Example: Spot handshake alert messages like handshake_failure.


🔹 13. TCP SYN (Handshake Start)

    tcp.flags.syn == 1 && tcp.flags.ack == 0

Use case: Identify connection attempts.
Example: Check whether a client is trying to connect but the server doesn't respond.


🔹 14. TCP Retransmissions

    tcp.analysis.retransmission

Use case: Detect packet loss and latency.
Example: Diagnose slowness in CRM application traffic.


🔹 15. Large Packets

    frame.len > 1000

Use case: Spot oversized frames.
Example: Check if jumbo frames are causing issues on mismatched networks.


🔹 16. ICMP Echo (Ping)

    icmp.type == 8

Use case: Verify connectivity tests.
Example: Track ping requests between two devices.


🔹 17. SIP Signaling

    sip

Use case: Troubleshoot VoIP setup.
Example: Check SIP registration failures.


🔹 18. RTP Streams

    rtp

Use case: Check audio/video packet flow.
Example: Troubleshoot jitter in voice calls.


🔹 19. Malformed Packets

    frame.protocols contains "malformed"

Use case: Detect errors in captures.
Example: Identify a faulty network card or a misconfigured protocol stack.


🔹 20. Regex Matching

    http.host matches ".*google.*"

Use case: Flexible matching with regex.
Example: Spot traffic to any Google-related domains.


🔹 Real-World Troubleshooting Scenarios

Scenario 1: Slow Website Loading

  • Filters used: http.request, tcp.analysis.retransmission.
  • Finding: TCP retransmissions revealed WAN packet loss.

Scenario 2: DNS Failures

  • Filters used: dns.qry.name, dns.flags.rcode.
  • Finding: Misconfigured DNS forwarder dropping queries.

Scenario 3: VoIP Issues

  • Filters used: sip, rtp.
  • Finding: High jitter and packet loss caused by QoS misconfiguration.

Scenario 4: Security Investigation

  • Filters used: http.request.method == "POST" && ip.dst == 203.0.113.5.
  • Finding: Detected suspicious data exfiltration attempts.
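Scenarios 1 and 2 are easy to automate once the filters are handed to tshark (Wireshark's command-line counterpart, which the article does not mention; assumed installed). The following is an added example, not the article's own code: it runs the page's filters with `-Y`, extracts fields with `-T fields`, and turns the output into a per-name count of DNS failures and a list of SYNs that never got a SYN/ACK. The `dns.flags.response == 1` clause is an addition to the page's filter 10, and the sample tshark output is constructed, not captured.

```python
import subprocess
from collections import Counter

# Display filters from the article (filters 10 and 13). Queries always carry
# rcode 0, so "dns.flags.rcode != 0" already implies a response; the extra
# clause just makes that intent explicit.
DNS_FAIL_FILTER = "dns.flags.response == 1 && dns.flags.rcode != 0"
SYN_FILTER = "tcp.flags.syn == 1 && tcp.flags.ack == 0"     # handshake start
SYNACK_FILTER = "tcp.flags.syn == 1 && tcp.flags.ack == 1"  # server's reply

RCODE_NAMES = {"1": "FORMERR", "2": "SERVFAIL", "3": "NXDOMAIN", "5": "REFUSED"}


def tshark_fields(pcap, display_filter, fields):
    """Run tshark with a display filter (-Y) and return the requested fields
    (-T fields -e ...) as rows. Assumes tshark is on PATH; not used offline."""
    cmd = ["tshark", "-r", pcap, "-Y", display_filter, "-T", "fields"]
    for field in fields:
        cmd += ["-e", field]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_fields(out)


def parse_fields(text):
    """Split tshark's tab-separated field output into rows, skipping blanks."""
    return [line.split("\t") for line in text.splitlines() if line.strip()]


def summarize_dns_failures(rows):
    """Scenario 2: count failures per (query name, rcode) from rows of
    [dns.qry.name, dns.flags.rcode, ip.src]."""
    counts = Counter()
    for name, rcode, _resolver in rows:
        counts[(name, RCODE_NAMES.get(rcode, "RCODE_" + rcode))] += 1
    return counts


def unanswered_syns(syn_rows, synack_rows):
    """Scenario 1 / filter 13: SYNs with no matching SYN/ACK in the capture.
    Both inputs are rows of [ip.src, ip.dst, tcp.srcport, tcp.dstport]."""
    attempts = {tuple(r) for r in syn_rows}
    # A SYN/ACK travels server->client, so swap it into the client's view.
    answered = {(dst, src, dport, sport) for src, dst, sport, dport in synack_rows}
    return sorted(attempts - answered)


# Constructed sample of tshark "-T fields" output (not from a real capture).
SAMPLE_DNS = "crm.example.com\t2\t10.0.0.53\ncrm.example.com\t2\t10.0.0.53\nbad.example.net\t3\t10.0.0.53\n"
SAMPLE_SYN = "10.0.0.5\t10.0.0.20\t51000\t443\n10.0.0.5\t10.0.0.21\t51001\t443\n"
SAMPLE_SYNACK = "10.0.0.20\t10.0.0.5\t443\t51000\n"

if __name__ == "__main__":
    print(summarize_dns_failures(parse_fields(SAMPLE_DNS)))
    print(unanswered_syns(parse_fields(SAMPLE_SYN), parse_fields(SAMPLE_SYNACK)))
```

On a real capture, replace the samples with `tshark_fields("capture.pcap", DNS_FAIL_FILTER, ["dns.qry.name", "dns.flags.rcode", "ip.src"])` and the two SYN filters with `["ip.src", "ip.dst", "tcp.srcport", "tcp.dstport"]`.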

🔹 Best Practices

  • Start broad, then refine with filters.
  • Save your favorite filters in Wireshark for reuse.
  • Combine multiple filters with && and ||.
  • Use color rules with filters for better visibility.
  • Practice in labs before applying in production captures.

🔹 Summary

The real power of Wireshark lies in its filters. These 20 filters cover the bread and butter of troubleshooting, security investigations, and performance analysis. By mastering them, you’ll:

  • Troubleshoot issues faster.
  • Pinpoint protocol problems.
  • Detect anomalies and security threats.

Remember: packets don’t lie. Filters help you ask the right questions and uncover the story hidden in the traffic.
