15 Top Wireshark IP Filters with Examples [Cheat Sheet]


Wireshark

Author: Celal Dogan
Reviewer: Deepak Prasad

Wireshark is a powerful network analysis tool for network professionals. It provides great filters with, which you can easily zoom in to where you think the problem may lie. The primary benefit of the filters is to remove the noise (the traffic you are not interested in) and they help you narrow down the type of data you are looking for. That is why being able to use the filters properly is very important.

 

1. IP Header Format

To be able to write effective filters, you need to have solid understanding of IP header. Following figure shows IP header format.

15 Top Wireshark IP Filters with Examples [Cheat Sheet]
Source: https://blog.apnic.net
  • Version: This field is used to specify the protocol version. For IPv4, this is always equal to 4.
  • Internet Header Length (IHL): This field contains the size of the IPv4 header and it can vary due to the “Options” in the header.
  • Type of Service (ToS): It is also known as Differentiated Services Code Point (DSCP), which is used for Quality of Service (QoS).
  • Total Length: This field defines the size of the packet in bytes, including header and data.
  • Identification: This field is mainly used for uniquely identifying the group of fragments of a single IP datagram.
  • Flags: These flags are used to control packet fragmentation during the transmission.
  • Fragment Offset: This field tells the receiver the position of a fragment in the original datagram.
  • Time to Live: This field indicates the maximum time the datagram is allowed to remain in the internet system (Number of maximum hops over which the packet can be routed).
  • Protocol: This field specifies the protocol it carries.
  • Header Checksum: This field is used to error checking.
  • Source Address: The source address of the packet.
  • Destination Address: The destination address of the packet.
  • Options: This field is not often used, but it can be used for many purposes like time stamping packets, source routing, tracing a route, etc.
  • Padding: This field is used to ensure that the internet header ends on a 32-bit boundary.

Following screenshot shows a typical IP header for a packet.

15 Top Wireshark IP Filters with Examples [Cheat Sheet]

 

2. Filtering a Host by Source IP Address

When we would like to find all packets belong to a sender, we would use the filter below.

ip.src == 23.217.250.58

Whenever we type any commands in the filter command box, it turns green if the command is correct. Otherwise, it turns red.

15 Top Wireshark IP Filters with Examples [Cheat Sheet]

 

3. Filtering a Host by Its Destination IP Address

A similar filter can be used for finding the destination host (the receiver).

ip.dst == 192.168.1.4
15 Top Wireshark IP Filters with Examples [Cheat Sheet]

 

4. Filtering Packets Destined or Sourced to/from a Specific IP

When we would like to find all packets coming and going to a host, we would use the filter below.

ip.addr == 192.168.1.4
15 Top Wireshark IP Filters with Examples [Cheat Sheet]

 

5. Filtering Conversations Between 2 Hosts

Sometimes, we need to focus only on packets between two hosts. We would use the filter below.

ip.addr eq 192.168.1.4 and ip.addr eq 23.217.250.58
15 Top Wireshark IP Filters with Examples [Cheat Sheet]

 

6. Filtering a Subnet

Wireshark let you specify the network and its subnet length. We need that filter when we would like to see the packets coming and going to a network.

ip.addr ==192.168.1.0/24
15 Top Wireshark IP Filters with Examples [Cheat Sheet]

 

7. Filtering a Range of IP Addresses

When we need to filter packets belong to only several hosts. We would use the filter below.

ip.addr >192.168.1.0 and ip.addr <192.168.1.10
15 Top Wireshark IP Filters with Examples [Cheat Sheet]

 

8. Filtering Out a Host or Subnet

Some hosts may produce a lot packet that distract us during troubleshooting. We use the following display filter to show all packets that do not contain a specific IP in either the source or destination field.

For filtering out the host: !(ip.addr==192.168.1.4)

The same logic can be used for filtering out the subnet as well:  !(ip.addr==192.168.1.4/24)

15 Top Wireshark IP Filters with Examples [Cheat Sheet]

 

9. Filtering the Packets Larger Than 1500 Bytes (Default MTU Size)

Network MTU size can often be source of problem. Therefore, we may need to check if there are   packets larger than the default MTU size.

ip.len > 1500
15 Top Wireshark IP Filters with Examples [Cheat Sheet]

 

10. Filtering the Packets That Should Not Be Fragmented

Some applications do not want their packets to be fragmented in the network. When the devices on the path (routers, firewalls, switches, etc.) receive these packets, they check if they are larger than the MTU size, if so, the devices drop these packets, which causes failures. Following filter can be used.

ip.flags.df == 1
15 Top Wireshark IP Filters with Examples [Cheat Sheet]

 

11. Filtering Corrupted Packets

The 16-bit Header Checksum field is used for error-checking of the IPv4 header. During transmission, packets IP header may corrupt, resulting in packet dropping. The checksum is used to detect the corrupted packets. The filter below can be used to find these packets.

ip.checksum_bad.expert

NOTE:

When IP checksum is offloaded, the same warning can be seen in the Wireshark, which means the packet is not corrupted.
15 Top Wireshark IP Filters with Examples [Cheat Sheet]

 

12. Filtering an IP By a City, Country etc

There are times when we need to trace an IP address back to its origin (Country, City, AS Number etc.). With help of IP geolocation, we can find geographic location of an IP address. Especially when we do network forensic analysis which aims to detect attack patterns and identify attackers. I explain that in this article (https://www.golinuxcloud.com/trace-ip-addresses-wireshark/).

The display filter below filters IP addresses from Lübeck city.

ip.geoip.src_city== "Lübeck”
15 Top Wireshark IP Filters with Examples [Cheat Sheet]

The same logic can be use for country as well.

ip.geoip.src_country == "United States"

 

13. Filtering Broadcast and Multicast Packets

A Broadcast or multicast storms is an abnormally high number of broadcast packets within a short period of time, which fails our network. To checking the ratio of these packets can give an idea about storms and network loops. Following filter is used to find the multicast and broadcast packets.

(eth.dst.lg == 1  ) or (eth.addr == ff:ff:ff:ff:ff:ff)
15 Top Wireshark IP Filters with Examples [Cheat Sheet]

 

14. Filtering Only IPv4 Packets

Sometimes, we need to filter out broadcasts, multicasts, IPv6 packets so that we would focus on the relevant packets. The filter below is used to show only IPv4 packets.

ip
15 Top Wireshark IP Filters with Examples [Cheat Sheet]

 

15. Filtering Only IPv6 Packets

IPv6 is short for "Internet Protocol version 6". IPv6 is the "next generation" protocol designed by the IETF to replace the current version of Internet_Protocol, IP Version 4 or IPv4. When using a high traffic link, we may need to filter only IPv6 traffic. Following filter can be used for this purpose.

15 Top Wireshark IP Filters with Examples [Cheat Sheet]

 

Final Thoughts

Wireshark has a powerful filter engine that helps remove the noise from a packet trace and lets you see only the packets that interest you. With using these filter properly, troubleshooting takes much less time.

https://www.rfc-editor.org/rfc/rfc791
https://wiki.wireshark.org/IPv6.md

 

Celal Dogan

Celal Dogan

He is proficient in System Administration, Python, Computer Network, Network Engineering, PHP, Web Testing, Penetration Testing, Wireshark, RADIUS, Cisco Router, TCP/IP, Kali Linux, OSPF, NPS, and Multiprotocol BGP. You can connect with him on his LinkedIn Profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

Leave a Comment