Is the world’s foremost and widely-used network protocol analyzer.
sudo apt install wireshark
wireshark [options] ... [ <infile> ]
Capture interface:
-i <interface> name or idx of interface (def: first non-loopback)
-f <capture filter> packet filter in libpcap filter syntax
-s <snaplen> packet snapshot length (def: appropriate maximum)
-p don't capture in promiscuous mode
-k start capturing immediately (def: do nothing)
-S update packet display when new packets are captured
-l turn on automatic scrolling while -S is in use
-I capture in monitor mode, if available
-B <buffer size> size of kernel buffer (def: 2MB)
-y <link type> link layer type (def: first appropriate)
--time-stamp-type <type> timestamp method for interface
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit
--list-time-stamp-types print list of timestamp types for iface and exit
Capture stop conditions:
-c <packet count> stop after n packets (def: infinite)
-a <autostop cond.> ... duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
Capture output:
-b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
Input file:
-r <infile> set the filename to read from (no pipes or stdin!)
Processing:
-R <read filter> packet filter in Wireshark display filter syntax
-n disable all name resolutions (def: all enabled)
-N <name resolve flags> enable specific name resolution(s): "mnNtdv"
-d <layer_type>==<selector>,<decode_as_protocol> ...
"Decode As", see the man page for details
Example: tcp.port==8888,http
--enable-protocol <proto_name>
enable dissection of proto_name
--disable-protocol <proto_name>
disable dissection of proto_name
--enable-heuristic <short_name>
enable dissection of heuristic protocol
--disable-heuristic <short_name>
disable dissection of heuristic protocol
User interface:
-C <config profile> start with specified configuration profile
-Y <display filter> start with the given display filter
-g <packet number> go to specified packet number after "-r"
-J <jump filter> jump to the first packet matching the (display)
filter
-j search backwards for a matching packet after "-J"
-m <font> set the font name used for most text
-t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)
-u s|hms output format of seconds (def: s: seconds)
-X <key>:<value> eXtension options, see man page for details
-z <statistics> show various statistics, see man page for details
Output:
-w <outfile|-> set the output filename (or '-' for stdout)
Miscellaneous:
-h display this help and exit
-v display version info and exit
-P <key>:<path> persconf:path - personal configuration files
persdata:path - personal data files
-o <name>:<value> ... override preference or recent setting
-K <keytab> keytab file to use for kerberos decryption
--display=DISPLAY X display to use
--fullscreen start Wireshark in full screen
| USAGE | FILTER SYNTAX |
|---|
| Wireshark Filter by IP | ip.add == 10.10.50.1 |
| Filter by Destination IP | ip.dest == 10.10.50.1 |
| Filter by Source IP | ip.src == 10.10.50.1 |
| Filter by IP range | ip.addr >= 10.10.50.1 and ip.addr <=10.10.50.100 |
| Filter by Multiple Ips | ip.addr == 10.10.50.1 and ip.addr == 10.10.50.100 |
| Filter out IP adress | ! (ip.addr == 10.10.50.1) |
| Filter subnet | ip.addr == 10.10.50.1/24 |
| Filter by port | tcp.port == 25 |
| Filter by destination port | tcp.dstport == 23 |
| Filter by ip adress and port | ip.addr == 10.10.50.1 and Tcp.port == 25 |
| Filter by URL | http.host == “host name” |
| Filter by time stamp | frame.time >= “June 02, 2019 18:04:00” |
| Filter SYN flag | Tcp.flags.syn == 1 and tcp.flags.ack ==0 |
| Wireshark Beacon Filter | wlan.fc.type_subtype = 0x08 |
| Wireshark broadcast filter | eth.dst == ff:ff:ff:ff:ff:ff |
| Wireshark multicast filter | (eth.dst[0] & 1) |
| Host name filter | ip.host = hostname |
| MAC address filter | eth.addr == 00:70:f4:23:18:c4 |
| RST flag filter | tcp.flag.reset == 1 |
| NAME | DESCRIPTION |
|---|
| No. | Frame number from the beginning of the packet capture |
| Time | Seconds from the first frame |
| Source (src) | Source address, commonly an IPv4, IPv6 or Ethernet address |
| Destination (dst) | Destination address |
| Protocol | Protocol used in the Ethernet frame, IP packet, or TC segment |
| Length | Length of the frame in bytes |
| OPERATOR | DESCRIPTION | EXAMPLE |
|---|
| and or && | Logical AND | All the conditions should match |
| or or || | Logical OR | Either all or one of the conditions should match |
| xor or ^^ | Logical XOR | Exclusive alterations – only one of the two conditions should match not both |
| not or ! | Not (Negation) | Not equal to |
| [ n ] [ … ] | Substring operator | Filter a specific word or text |
| OPERATOR | DESCRIPTION | EXAMPLE |
|---|
| eq or == | Equal | ip.dest == 192.168.1.1 |
| ne or != | Not equal | ip.dest != 192.168.1.1 |
| gt or > | Greater than | frame.len > 10 |
| it or < | less than | frame.len < 10 |
| ge or >= | Greater than or equal | frame.len >= 10 |
| le or <= | Less than or equal | frame.len <= 10 |
| NAME | DESCRIPTION |
|---|
| Capture filter | Filter packets during capture |
| Display filter | Hide packets from a capture display |
| NAME | DESCRIPTION |
|---|
| Promiscuous mode | Sets interface to capture all packets on a network segment to which it is associated to |
| Monitor mode | Setup the wireless interface to capture all traffic it can receive (Unix/ Linux only) |
| NAME | DESCRIPTION |
|---|
| Slice Operator | [ … ] – Range of values |
| Membership Operator | {} – In |
| CTRL+E | Start/Stop Capturing |
| SYNTAX | PROTOCOL | DIRECTION | HOSTS | VALUE | LOGICAL OPERATOR | EXPRESSIONS |
|---|
| Example | tcp | src | 192.168.1.1 | 80 | and | tcp dst 202.164.30.1 |
| SYNTAX | PROTOCOL | STRING 1 | STRING 2 | COMPARISON OPERATOR | VALUE | LOGICAL OPERATOR | EXPRESSIONS |
|---|
| Example | http | dest | ip | == | 192.168.1.1 | and | tcp port |
| ACCELERATOR | DESCRIPTION | ACCELERATOR | DESCRIPTION |
|---|
| Tab or Shift+Tab | Move between screen elements, e.g. from the toolbars to the packet list to the packet detail. | Alt+→ or Option→ | Move to the next packet in the selection history. |
| ↓ | Move to the next packet or detail item. | → | In the packet detail, opens the selected tree item. |
| ↑ | Move to the previous packet or detail item. | Shift+→ | In the packet detail, opens the selected tree items and all of its subtrees. |
| Ctrl+ ↓ or F8 | Move to the next packet, even if the packet list isn’t focused. | Ctrl+→ | In the packet detail, opens all tree items. |
| Ctrl+ ↑ Or F7 | Move to the previous packet, even if the packet list isn’t focused | Ctrl+← | In the packet detail, closes all the tree |
| Ctrl+. | Move to the next packet of the conversation (TCP, UDP or IP). | Backspace | In the packet detail, jumps to the parent node. |
| Ctrl+, | Move to the previous packet of the conversation (TCP, UDP or IP). | Return or Enter | In the packet detail, toggles the selected tree item. |
Command to extract IPs from captured PCAP-file.
$ tcpdump -r capture.pcapng 'ip' -n | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort -u
reading from file capture.pcapng, link-type EN10MB (Ethernet)
0.0.0.0
10.30.100.204
104.26.10.153
13.107.18.11
140.82.112.26
140.82.121.4
