Wireshark Cheat Sheet 2026: The Complete Network Analysis Guide

Wireshark is the world's most popular network protocol analyzer, and for good reason. Whether you're troubleshooting a sluggish application, investigating a security breach, or studying for your CCNA certification, Wireshark gives you unprecedented visibility into what's happening on your network.

This comprehensive cheat sheet covers everything from basic display filters to advanced forensic analysis techniques. We've organized 200+ filters, commands, and techniques into logical sections so you can quickly find exactly what you need. Plus, you can download the complete 22-page PDF for offline reference.

📥 Free Download: Wireshark Complete Cheatsheet 2026

22 pages • 200+ filters • tshark CLI • Forensics • VoIP • Wireless

Download Free PDF →

1. Display Filter Fundamentals

Display filters are the most powerful feature in Wireshark. They let you narrow down captured traffic to exactly what you need to see. Understanding the syntax is essential for efficient packet analysis.

Comparison Operators

Operator       Example                             Description
== (eq)        ip.addr == 192.168.1.1              Equal to
!= (ne)        ip.addr != 10.0.0.1                 Not equal to (see the note below)
> (gt)         frame.len > 1000                    Greater than
< (lt)         tcp.port < 1024                     Less than
contains       http.host contains "google"         Field contains value (substring, case-sensitive)
matches (~)    http.host matches "\.(com|org)$"    Regex match (PCRE, case-insensitive by default)
in             tcp.port in {80, 443, 8080}         Value in set

Logical Operators

# AND - both conditions must match
ip.src == 10.0.0.1 && tcp.port == 80

# OR - either condition matches
dns || http

# NOT - exclude matching packets
!arp

# Grouping with parentheses
(ip.src == 10.0.0.1) && (tcp.port == 80 || tcp.port == 443)
💡 Pro Tip: The display filter bar turns green when the syntax is valid, red when it is invalid, and yellow when it is valid but probably not what you meant. Start typing a protocol name and Wireshark will auto-complete field suggestions. Watch out for != on fields that occur more than once per packet: ip.addr covers both source and destination, and before Wireshark 3.6 ip.addr != 10.0.0.1 meant "either address differs", which matches almost every packet. Wireshark 3.6 and later read != as "no occurrence equals", so it excludes the host; !(ip.addr == 10.0.0.1) does the same on every version.

2. Capture Filters (BPF Syntax)


Capture filters use Berkeley Packet Filter (BPF) syntax, a completely different language from display filters. They are applied before packets are written to the capture, which matters on busy links where an unfiltered capture quickly exhausts disk and memory. The same syntax is used by tcpdump and by the -f option of tshark and dumpcap.

Essential Capture Filters

host 192.168.1.1             # Traffic to/from specific host
net 192.168.1.0/24           # Traffic for entire subnet
port 80                      # Traffic on specific port
tcp                          # TCP traffic only
not broadcast                # Exclude broadcast traffic
host 10.0.0.1 and port 443   # HTTPS to specific host
not port 22                  # Exclude SSH traffic
icmp                         # ICMP traffic only (ping, traceroute)
⚠️ Important: Display filters and capture filters use DIFFERENT syntax! ip.addr == 192.168.1.1 is a display filter; host 192.168.1.1 is the equivalent capture filter. Likewise tcp.port == 80 (display) corresponds to tcp port 80 (capture). Don't mix them up: a display filter typed into the capture filter box is rejected before the capture starts.

3. IP & Ethernet Filters

IP Address Filtering

# Traffic involving specific IP (source OR destination)
ip.addr == 192.168.1.1

# Source IP in private range (CIDR notation works in display filters)
ip.src == 10.0.0.0/8

# Packets with low TTL (routing loops, traceroute probes)
ip.ttl < 10

# Fragmented packets (More Fragments set, or any later fragment, whose MF bit is clear)
ip.flags.mf == 1 || ip.frag_offset > 0

# IPv6 traffic (ip.version only exists on IPv4 packets, so ip.version == 6 never matches)
ipv6

# ARP requests only
arp.opcode == 1

# Duplicate IP detection (two MAC addresses claiming the same IP)
arp.duplicate-address-detected

4. TCP Analysis & Troubleshooting

TCP analysis is where Wireshark truly shines. Understanding TCP flags and Wireshark's built-in analysis expert helps you quickly identify network performance problems.

TCP Flag Filters

tcp.flags.syn == 1 && tcp.flags.ack == 0   # Initial connection requests (SYN only)
tcp.flags.syn == 1 && tcp.flags.ack == 1   # Server responses (SYN-ACK)
tcp.flags.fin == 1                         # Connection termination
tcp.flags.reset == 1                       # Connection resets (refused/aborted)

TCP Troubleshooting Filters

# Retransmissions (packet loss indicator)
tcp.analysis.retransmission

# Duplicate ACKs (receiver requesting retransmission)
tcp.analysis.duplicate_ack

# Zero window (receiver buffer full)
tcp.analysis.zero_window

# Out-of-order segments
tcp.analysis.out_of_order

# Lost segments
tcp.analysis.lost_segment

# Follow a specific TCP conversation
tcp.stream eq 5

# All TCP problems combined
tcp.analysis.flags
πŸ” Troubleshooting Guide: High retransmissions = packet loss or congestion. Zero window = receiver overwhelmed. Duplicate ACKs = receiver detected gap. Use Statistics > TCP Stream Graphs > Round Trip Time to visualize latency per stream.

5. HTTP/HTTPS Traffic Analysis


HTTP Filters

# All HTTP requests
http.request

# Specific methods
http.request.method == "GET"
http.request.method == "POST"

# API endpoint requests
http.request.uri contains "/api/"

# Specific host
http.host == "example.com"

# Error responses
http.response.code >= 400    # All errors
http.response.code == 404    # Not Found
http.response.code >= 500    # Server errors

# Content types
http.content_type contains "json"
http.content_type contains "html"

# Authentication headers
http.authorization
http.cookie contains "session"

TLS/HTTPS Decryption

To decrypt HTTPS traffic in Wireshark:

  1. Set the SSLKEYLOGFILE environment variable to a writable file path before launching the client, and start the client from that environment (Firefox, Chromium-based browsers and curl all append one line per TLS session to the file)
  2. In Wireshark: Edit > Preferences > Protocols > TLS
  3. Set the (Pre)-Master-Secret log filename to your key log file
  4. Wireshark decrypts every session whose secrets appear in the log; sessions captured before the variable was set, or from clients that do not honour it, stay encrypted

The older approach of loading the server's RSA private key only works for RSA key exchange; (EC)DHE cipher suites and all of TLS 1.3 need the key log. Treat that log like a credential: it decrypts everything it covers, so keep it out of shared captures and delete it when the investigation is done.
# TLS handshake messages
tls.handshake

# Client Hello (connection initiation)
tls.handshake.type == 1

# Server Name Indication (SNI) filter
tls.handshake.extensions_server_name contains "example"

# TLS 1.3 negotiated (the ServerHello carries the selected version in supported_versions;
# the record-layer version still reads 0x0303 for compatibility, so tls.record.version is no use here)
tls.handshake.type == 2 && tls.handshake.extensions.supported_version == 0x0304

# TLS alerts (errors)
tls.alert_message

6. DNS Investigation

Essential DNS Filters

dns.qry.name == "example.com"    # Queries for specific domain
dns.flags.rcode == 3             # NXDOMAIN (domain not found)
dns.qry.type == 1                # A record queries (IPv4)
dns.qry.type == 28               # AAAA record queries (IPv6)
dns.qry.type == 15               # MX record queries (mail)
dns.qry.type == 16               # TXT record queries
dns.count.answers > 10           # Suspiciously many answers in one response
dns.qry.name.len > 50            # Long query names (tunneling indicator)
🔴 Security Alert: DNS tunneling indicators: query names longer than about 50 characters, a high share of TXT (or NULL) queries, many unique subdomains under one parent domain, and oversized answers. Note that dns.resp.len is the RDATA length of a single answer record, so dns.resp.len > 512 catches oversized TXT/NULL records; to catch oversized messages as a whole use dns.flags.response == 1 && udp.length > 520 (udp.length includes the 8-byte UDP header). Filter: dns.qry.name.len > 50 || dns.resp.len > 512
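The filters above flag single packets; tunnels are easier to spot per client and per parent domain. The Python script below is an added example, not code from this cheat sheet or from the Wireshark project, and it goes beyond the page's length check by also measuring the TXT share, the number of unique names and the Shannon entropy of the leading label, which is high for encoded payloads and low for words like "www" or "mail". It reads the CSV produced by tshark's -T fields mode for DNS queries; the embedded SAMPLE is constructed, the t.evil-tunnel.test domain is fictitious, and the thresholds, the naive two-label "registered domain" rule and the function names are the example's own choices.

```python
import csv
import math
from collections import defaultdict
from io import StringIO

# Constructed sample (not from a real capture), in the shape produced by
#   tshark -r capture.pcapng -Y "dns.flags.response == 0" -T fields \
#     -E header=y -E separator=, -e ip.src -e dns.qry.name -e dns.qry.type
# 10.0.0.9 carries base32-looking payloads in long labels under the fictitious t.evil-tunnel.test.
SAMPLE = """\
ip.src,dns.qry.name,dns.qry.type
10.0.0.5,www.example.com,1
10.0.0.5,example.com,15
10.0.0.5,mail.example.com,1
10.0.0.5,cdn.example.net,28
10.0.0.9,mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpjuwg2lomvzgc3di.t.evil-tunnel.test,16
10.0.0.9,nbswy3dpeb3w64tmmqqhiylomfxgq4tzeb2gk3dmhmqhkzduo5rgc5dwg4.t.evil-tunnel.test,16
10.0.0.9,ge3tgmjzg42dmnzzgy2dknjvguzdimjvgi4dcnbrgy4tkobsgq3tmmztgm.t.evil-tunnel.test,16
10.0.0.9,krugkidrovuwg2zamjzg653oebtg66bnebswy3dpebqwiy3fmq2gezlboy.t.evil-tunnel.test,16
10.0.0.9,a.t.evil-tunnel.test,1
"""

TXT = 16  # dns.qry.type value for TXT


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label (0.0 for an empty or single-char label)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Last two labels of the name. Naive on purpose: a public-suffix list is the right tool for co.uk etc."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def profile_queries(text):
    """Aggregate queries per (client IP, registered domain)."""
    prof = defaultdict(lambda: {"queries": 0, "txt": 0, "names": set(), "len_sum": 0, "entropy_max": 0.0})
    for row in csv.DictReader(StringIO(text)):
        name = row["dns.qry.name"]
        p = prof[(row["ip.src"], registered_domain(name))]
        p["queries"] += 1
        if int(row["dns.qry.type"]) == TXT:
            p["txt"] += 1
        p["names"].add(name)
        p["len_sum"] += len(name)
        p["entropy_max"] = max(p["entropy_max"], label_entropy(name.split(".")[0]))
    return prof


def find_tunnels(prof, max_avg_len=50, max_txt_ratio=0.5, max_entropy=3.5, min_names=3):
    """Return [((client, domain), [reasons])] for client/domain pairs that look like tunnels."""
    findings = []
    for key, p in sorted(prof.items()):
        reasons = []
        avg_len = p["len_sum"] / p["queries"]
        if avg_len > max_avg_len:
            reasons.append(f"average query name length {avg_len:.0f}")
        if p["txt"] / p["queries"] > max_txt_ratio:
            reasons.append(f"{p['txt']}/{p['queries']} queries are TXT")
        if p["entropy_max"] > max_entropy and len(p["names"]) >= min_names:
            reasons.append(f"high-entropy labels ({p['entropy_max']:.1f} bits/char) over {len(p['names'])} unique names")
        if reasons:
            findings.append((key, reasons))
    return findings


if __name__ == "__main__":
    for (client, domain), reasons in find_tunnels(profile_queries(SAMPLE)):
        print(f'ip.src == {client} && dns.qry.name contains "{domain}"  # ' + "; ".join(reasons))
```

Each printed line is again a display filter for the GUI. Entropy alone is a weak signal (CDN hostnames and DKIM selectors are high-entropy too), which is why the script only reports it together with a minimum number of distinct names under the same domain.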

7. tshark Command-Line Interface

tshark is the command-line version of Wireshark, essential for headless servers, scripting, and automated analysis. It supports the same display filters and protocol dissectors: display filters go on -Y, capture filters (BPF syntax) on -f.

Essential tshark Commands

# List available interfaces
tshark -D

# Capture 1000 packets on eth0
tshark -i eth0 -c 1000

# Capture with display filter
tshark -i eth0 -Y "http.request"

# Write to file
tshark -i eth0 -w capture.pcapng

# Read file with filter
tshark -r capture.pcapng -Y "dns"

# Custom field output
tshark -r capture.pcapng -T fields -e ip.src -e ip.dst -e tcp.port

# JSON output
tshark -r capture.pcapng -T json -Y "http.request"

# Ring buffer (rotate 10 files, 100MB each)
tshark -i eth0 -b filesize:102400 -b files:10 -w ring.pcapng

# Extract HTTP objects
tshark -r capture.pcapng --export-objects http,./exported_files/

# Protocol hierarchy statistics (-q suppresses the per-packet output so only the report prints)
tshark -r capture.pcapng -q -z io,phs

# TCP conversation statistics
tshark -r capture.pcapng -q -z conv,tcp

Companion CLI Tools

editcap      # Split, trim, convert, and deduplicate capture files
mergecap     # Merge multiple capture files into one
capinfos     # Display capture file statistics (packets, duration, size)
dumpcap      # Low-level capture tool (used by Wireshark internally)
text2pcap    # Convert hex dump text to pcap format

8. Network Forensics & Security


Wireshark is an indispensable tool for security investigations. Here are the key filters for detecting malicious activity.

Port Scan Detection

# TCP SYN scan (many SYN, few established connections)
tcp.flags.syn == 1 && tcp.flags.ack == 0

# NULL scan (no flags set)
tcp.flags == 0x000

# XMAS scan (FIN+PSH+URG)
tcp.flags.fin == 1 && tcp.flags.push == 1 && tcp.flags.urg == 1

# Many RST responses (closed ports)
tcp.flags.reset == 1

Threat Detection Filters

# ARP spoofing (two MAC addresses claiming the same IP)
arp.duplicate-address-detected

# DNS tunneling (long query names or oversized answer records)
dns.qry.name.len > 50 || dns.resp.len > 512

# ICMP tunneling (echo payloads larger than a normal ping; Linux ping sends 56 bytes, Windows 32)
icmp && data.len > 64

# SSH brute force (new connections to SSH; one login attempt per connection is the usual pattern,
# so count SYNs per source over time in Statistics > Conversations rather than eyeballing the list)
tcp.port == 22 && tcp.flags.syn == 1 && tcp.flags.ack == 0

# Cleartext credentials (any HTTP Authorization header, including Basic; FTP PASS command)
http.authorization || ftp.request.command == "PASS"

# Suspicious HTTP clients (scripted tools; the User-Agent is trivially spoofable, so treat this as a hint)
http.user_agent contains "curl" || http.user_agent contains "wget"

# Data exfiltration (large non-HTTP/TLS payloads). tcp.len is one segment's payload and rarely
# exceeds the MSS unless the capturing host has TSO/GRO offload enabled, so sort
# Statistics > Conversations by bytes rather than relying on this filter alone
tcp.len > 10000 && !(http || tls)

# HTTP to a bare IP address (no hostname; common in malware C2 and scanner traffic)
http.host matches "^[0-9]+\.[0-9]+"

9. VoIP & SIP/RTP Analysis

SIP Call Analysis

# All SIP traffic
sip

# Call initiation
sip.Method == "INVITE"

# Call termination
sip.Method == "BYE"

# SIP errors
sip.Status-Code >= 400

# RTP media streams
rtp

# RTCP quality reports
rtcp

Use Telephony > VoIP Calls for a complete call listing with duration and codecs. Telephony > RTP Player can play back captured audio. Call quality issues show as jitter >30ms, packet loss >1%, or latency >150ms.

10. Wireless (802.11) Capture

Wireless capture requires your adapter to support monitor mode. Key filters for WiFi analysis:

# Management frames (beacons, probes, auth)
wlan.fc.type == 0

# Beacon frames
wlan.fc.type_subtype == 0x0008

# Specific SSID
wlan.ssid == "MyNetwork"

# Deauthentication frames (attack indicator!)
wlan.fc.type_subtype == 0x000c

# WPA handshake capture
eapol

# Probe requests (device discovery)
wlan.fc.type_subtype == 0x0004
⚠️ Legal Notice: Capturing network traffic without authorization may violate laws in your jurisdiction. Always obtain proper permission before capturing traffic, especially on networks you don't own or administer.

11. Performance & Statistics

Performance Problem Filters

tcp.analysis.retransmission    # TCP retransmissions
tcp.analysis.out_of_order      # Out-of-order packets
tcp.analysis.zero_window       # Zero window
tcp.flags.reset == 1           # Connection resets
dns.time > 0.5                 # Slow DNS (response more than 0.5 s after the query)
http.time > 1                  # Slow HTTP (response more than 1 s after the request)
frame.time_delta > 0.1         # Long gap since the previous captured frame (any traffic, not per-connection latency)
tcp.time_delta > 0.1           # Long gap within one TCP conversation (needs "Calculate conversation timestamps" enabled in the TCP preferences)

Statistics Menu Quick Reference

  • Statistics > Protocol Hierarchy: protocol breakdown by percentage
  • Statistics > Conversations: top talkers by bytes/packets
  • Statistics > Endpoints: all unique endpoints with traffic volume
  • Statistics > I/O Graphs: visual traffic over time (add custom filters)
  • Statistics > Flow Graph: sequence diagram between hosts

12. Keyboard Shortcuts

Shortcut               Action
Ctrl+E                 Start/Stop capture
Ctrl+R                 Restart capture
Ctrl+F                 Find packet
Ctrl+G                 Go to packet number
Ctrl+M                 Mark/Unmark packet
Ctrl+T                 Set time reference
Ctrl+Shift+S           Save capture as...
Right-click > Follow   Follow TCP/UDP/HTTP stream

Top 15 Must-Know Filters

If you remember nothing else from this cheat sheet, memorize these 15 filters. They'll solve 90% of your network analysis needs:

ip.addr == x.x.x.x             # Traffic involving specific IP
tcp.port == 80                   # HTTP port traffic
dns                              # All DNS traffic
http.request                     # HTTP requests only
tcp.flags.syn == 1               # Connection initiations
tcp.flags.reset == 1             # Connection resets
tcp.analysis.retransmission      # Retransmitted packets
!arp && !dns                     # Exclude ARP and DNS noise
tcp.stream eq N                  # Follow specific TCP stream
http.response.code >= 400        # HTTP errors
tls.handshake                    # TLS handshakes
frame.len > 1000                 # Large packets only
tcp.analysis.zero_window         # Zero window events
dns.flags.rcode != 0             # DNS errors
tcp.analysis.flags               # All TCP problems

📥 Download the Complete Wireshark Cheatsheet

22 pages of filters, commands, and techniques: free PDF download

Download Free PDF →

About the Author

Dargslan Editorial Team (Dargslan)

Collective of Software Developers, System Administrators, DevOps Engineers, and IT Authors

Dargslan is an independent technology publishing collective formed by experienced software developers, system administrators, and IT specialists.

The Dargslan editorial team works collaboratively to create practical, hands-on technology books focused on real-world use cases. Each publication is developed, reviewed, and...
