wireshark-ieth1# Filter by ipip.add==10.10.10.9# Filter by dest ipip.dest==10.10.10.15# Filter by source ipip.src==10.10.16.33# Filter by tcp porttcp.port==25# Filter by ip addr and portip.addr==10.10.14.22andtcp.port==8080# Filter SYN flagtcp.flags.syn==1andtcp.flags.ack==0# Broadcast filtereth.dst==ff:ff:ff:ff:ff:ff
Filters CheatSheet
TShark
tshark-Dtshark-ieth1tshark-r<FILE>.pcaptshark-r<FILE>.pcap|wc-l# First 100 packetstshark-r<FILE>.pcap-c100# Protocl hierarchy statisticstshark-r<FILE>.pcap-zio,phs-q# HTTP traffictshark-r<FILE>.pcap-Y'http'|moretshark-r<FILE>.pcap-Y"ip.src==<SOURCE_IP> && ip.dst==<DEST_IP>"# Only GET requeststshark-r<FILE>.pcap-Y"http.request.method==GET"# Packets with frame time, source IP and URL for all GET requeststshark-r<FILE>.pcap-Y"http.request.method==GET"-Tfields-eframe.time-eip.src-ehttp.request.full_uri# Packets with a stringtshark-r<FILE>.pcap-Y"http contains password"# Check destination IPtshark-r<FILE>.pcap-Y"http.request.method==GET && http.host==<TARGET_URL>"-Tfields-eip.dst# Check session IDtshark-r<FILE>.pcap-Y"ip contains amazon.in && ip.src==<IP>"-Tfields-eip.src-ehttp.cookie# Check OS/User Agent typetshark-r<FILE>.pcap-Y"ip.src==<IP> && http"-Tfields-ehttp.user_agent# WiFi traffic filtertshark-r<FILE>.pcap-Y"wlan"# Only deauthentication packets tshark-r<FILE>.pcap-Y"wlan.fc.type_subtype==0x000c"# and devicestshark-r<FILE>.pcap-Y"wlan.fc.type_subtype==0x000c"-Tfields-ewlan.ra# Only WPA handshake packetstshark-r<FILE>.pcap-Y"eapol"# Onyl SSID/BSSIDtshark-r<FILE>.pcap-Y"wlan.fc.type_subtype==8"-Tfields-ewlan.ssid-ewlan.bssidtshark-r<FILE>.pcap-Y"wlan.ssid==<SSID>"-Tfields-ewlan.bssid# WiFi Channeltshark-r<FILE>.pcap-Y"wlan.ssid==<SSID>"-Tfields-ewlan_radio.channel# Vendor & modeltshark-r<FILE>.pcap-Y"wlan.ta==<DEVICE_MAC> && http"-Tfields-ehttp.user_agent
#To find DOS (SYN and ACK)tcp.flags.syn==1,tcp.flags.syn==1andtcp.flags.ack==0#To find passwordshttp.request.method==POST#More referencehttps://www.comparitech.com/net-admin/wireshark-cheat-sheet/#To find DOS: look for Red and Black packets with around 1-2 simple packets in between and then pick any packet and check the Source and Destination IP with port(As per question)#To find DOS (SYN and ACK) : tcp.flags.syn == 1 , tcp.flags.syn == 1 and tcp.flags.ack == 0#To find passwords : http.request.method == POST