HakTip 121 – Wireshark 101: Expressions Examples

On this week’s episode of HakTip, Shannon Morse gives several expression examples that you can use when working within the Display Filter Box.

Today is all about expression examples. It’s a little weird to work within the boundaries of this little text box and what it’ll accept. Over the years, Wireshark has been updated and so has the syntax of the expressions it accepts. Today I’m using Wireshark v. 1.12.1.

I’ll start with some hostname and addressing filters. I ran a Wi-Fi packet capture on my network and I want to find all the packets related to a source of xxx.xxx.xxx.xxx. I’ll type ip.src == 192.168.1.180. This tells Wireshark I’m looking for a source IP that is equal to xxx.xx.xxx.xxx. If I change this to ip.src_host I’ll get pretty much the same output. If I change it to ip.addr, I’ll get anything that relates to that IP address, whether it is the source or the destination, while ip.dst will give me just destination outputs.

If you’re on an IPv6 network, change ip to ipv6 and change the IP address to the IPv6 address you’re looking for. It’ll look like 2001:0db8:0000:0000:0000:ff00:0042:8329, with 8 groups of 16 bits each. If your capture has DNS host names resolved, you can type ip.host == nameofthehost. Now try ip.addr == 192.168.1.0/24 and this will show anything on that network within that range.

Since I’m on an ipv4 network, I can also do about a hundred other options… I should mention that it would be incredibly hard to memorize them all, so go to this website for an updated reference.

Moving on, you can filter just by protocol, in this case http, arp, udp, tcp and so on. I could type arp or udp or tcp or http to get a listing of everything from that protocol. If I want to search by more than one protocol, I’ll type http && udp or http || arp. And of course I can add IDs to each of these, such as ip.addr == xxx.xxx.xxx.xxx && tcp.port == 80. Speaking of ports, you can find a TCP port with tcp.port == xx. And lastly, use an expression like ip.dst != 192.168.1.1 to filter out any packets going to that IP address. That’s all for now!
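As an added illustration, not code from the episode or from Wireshark itself, here is a small Python evaluator for the subset of display filter syntax used above (field == / != value, bare protocol names, CIDR ranges on ip fields, && and ||), run over constructed packet records. The field behaviour it assumes (ip.addr matching either endpoint, tcp.port matching either port, a comparison never matching a packet that lacks the field) is how Wireshark behaves, and the != reading is the one current Wireshark uses.

```python
import ipaddress
import re
# Constructed sample "packets" (not the episode's capture): the protocol stack plus the
# fields a filter can test; multi-valued fields like tcp.port are lists, as in Wireshark.
PACKETS = [
    {"frame": 1, "protocols": {"ip", "tcp", "http"},
     "ip.src": "192.168.1.180", "ip.dst": "192.168.1.1", "tcp.port": [54321, 80]},
    {"frame": 2, "protocols": {"ip", "tcp"},
     "ip.src": "192.168.1.1", "ip.dst": "192.168.1.180", "tcp.port": [80, 54321]},
    {"frame": 3, "protocols": {"ip", "udp"},
     "ip.src": "10.0.0.5", "ip.dst": "192.168.1.255", "udp.port": [137, 137]},
    {"frame": 4, "protocols": {"arp"}},
]
TERM = re.compile(r"^([\w.]+)\s*(==|!=)\s*(\S+)$")

def field_values(pkt, name):
    """Every value of a field in the packet; ip.addr means either endpoint."""
    if name == "ip.addr":
        vals = [pkt.get("ip.src"), pkt.get("ip.dst")]
    else:
        vals = pkt.get(name, [])
        vals = vals if isinstance(vals, list) else [vals]
    return [v for v in vals if v is not None]

def match_term(pkt, term):
    """One term: a bare protocol name ('arp') or 'field op value'."""
    m = TERM.match(term)
    if not m:
        return term in pkt["protocols"]
    field, op, literal = m.groups()
    vals = field_values(pkt, field)
    if not vals:  # a comparison never matches a packet that lacks the field
        return False
    if field.startswith("ip.") and "/" in literal:  # CIDR, e.g. 192.168.1.0/24
        net = ipaddress.ip_network(literal, strict=False)
        equal = any(ipaddress.ip_address(v) in net for v in vals)
    else:
        equal = any(str(v) == literal for v in vals)
    # '!=' here means "no value equals" (current Wireshark); older releases read it
    # as "any value differs", which is why ip.addr != x used to match nearly everything
    return equal if op == "==" else not equal

def matches(pkt, expr):
    """'||' binds loosest, '&&' tighter; parentheses and '!' are not handled."""
    return any(all(match_term(pkt, t.strip()) for t in clause.split("&&"))
               for clause in expr.split("||"))

def apply_filter(expr, packets=PACKETS):
    return [p["frame"] for p in packets if matches(p, expr)]  # frames the filter keeps
```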

Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.

1 Comment

  • Ely

    I JUST ordered the ALFA USB WiFi AWUS036NEH a couple days before the video and of course had to take advantage of the SNUBS code so ended up finding something extra in the store to use it. Love the show, keep up the good work! ^_^

  • LenardLWenske

    Hi, I am so happy I found your blog page. I really found you by error, while I was researching on Aol for something else.
    Nonetheless, I am here now and would just like to say thanks a lot for an incredible post and an all-round
    interesting blog (I also love the theme/design). I don’t have time to
    browse it all at the moment but I have bookmarked it and also included your RSS feeds,
    so when I have time I will be back to read a great deal more. Please do
    keep up the superb b.

  • CindieCEnno

    Hey! Someone in my Myspace group shared this website with us so I came to check it out.
    I’m definitely loving the information. I’m book-marking and will be tweeting
    this to my followers! Excellent blog and terrific design.