# Display vs Capture Filters
The single most important distinction in Wireshark. Capture filters decide what gets recorded; display filters refine what you see afterwards — different syntax, different purpose.
| Capture filter | Display filter | |
|---|---|---|
| Syntax | BPF (tcpdump) | Wireshark |
| Example | host 10.0.0.1 and port 80 | ip.addr==10.0.0.1 && tcp.port==80 |
| When | At capture time | After capture |
| Changeable | No (fixed) | Yes, anytime |
tcp.port==80 is invalid as a capture filter.# Display Filters — Essentials
Type these in the filter bar. Combine with && (and), || (or), ! (not).
ip.addr == 10.0.0.1ip.src == 10.0.0.1 && ip.dst == 10.0.0.2tcp.port == 443tcp.flags.syn == 1 && tcp.flags.ack == 0tcp.analysis.retransmissionframe contains "password"tcp matches "(?i)pass"!(arp || icmp || dns)# Protocol Filters
Zoom into a single protocol fast.
http.request.method == "POST"http.response.code == 200dns.qry.name contains "example"tls.handshake.type == 1ftp || telnetsmb2 || smbkerberoshttp.request.uri contains ".php"# Capture Filters (BPF)
Set these before capturing to limit what is recorded. Same syntax as tcpdump.
host 10.0.0.1net 10.0.0.0/24port 80 or port 443tcp port 22 and host 10.0.0.5not arp and not broadcastether host 00:11:22:33:44:55# Follow Streams
Reassemble a whole conversation into readable text — the fastest way to read an exchange.
Right-click packet → Follow → TCP StreamFollow → HTTP StreamFollow → UDP Streamtcp.stream == 3# Keyboard Shortcuts
Speed up navigation and marking.
| Shortcut | Action |
|---|---|
| Ctrl+E | Start / stop capture |
| Ctrl+K | Capture options |
| Ctrl+/ | Jump to the filter bar |
| Ctrl+Alt+Shift+T | Follow TCP stream |
| Ctrl+M | Mark / unmark a packet |
| Ctrl+G | Go to packet number |
| Ctrl+F | Find packet |
| Ctrl+T | Set/format time display |
# Extract Credentials & Files
Cleartext protocols hand you credentials; HTTP hands you files.
File → Export Objects → HTTPFile → Export Objects → SMB / TFTPftp.request.command == "USER" || ftp.request.command == "PASS"http.authorizationTools → Credentials (Wireshark 3.1+)# Statistics & Overview
Understand a capture at a glance before diving into packets.
Statistics → Protocol HierarchyStatistics → ConversationsStatistics → EndpointsStatistics → I/O GraphStatistics → HTTP → Requests# tshark — Command Line
Wireshark's CLI for scripting, remote capture and huge files. Same display-filter syntax.
tshark -Dtshark -i eth0 -w out.pcaptshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uritshark -r capture.pcap -q -z conv,tcptshark -r capture.pcap -Y "ftp.request.command==PASS" -T fields -e ftp.request.argssh user@host "tcpdump -i eth0 -U -w -" | wireshark -k -i -# Decrypt TLS/HTTPS
You need the session keys — ciphertext alone can't be decrypted.
export SSLKEYLOGFILE=~/tls-keys.logPreferences → Protocols → TLS → (Pre)-Master-Secret log filenametshark -r capture.pcap -o tls.keylog_file:tls-keys.log -Y http2❓ Wireshark FAQ
Capture filters (BPF, e.g. host 10.0.0.1 and port 80) decide what's recorded and can't change afterwards. Display filters (ip.addr==10.0.0.1 && tcp.port==80) only hide/show captured packets and change freely.
Right-click a packet → Follow → TCP Stream (or Ctrl+Alt+Shift+T). Wireshark reassembles the conversation as readable, colour-coded text — the fastest way to read HTTP or extract credentials.
ip.addr == 10.0.0.1 (to/from), ip.src == (source), ip.dst == (destination). Combine with &&, ||, !.
Files: File → Export Objects → HTTP/SMB/TFTP. Credentials: filter http.request.method == POST or Follow TCP Stream. FTP, Telnet, HTTP and SNMP often leak cleartext creds.
Wireshark's CLI — great for scripting and large files. E.g. tshark -r cap.pcap -Y 'http.request' -T fields -e http.host. Same display-filter syntax as the GUI.
On a switch you only see your own traffic + broadcasts. To see others' you need a SPAN/mirror port, a tap, or an active technique like ARP spoofing (authorized tests only). Promiscuous mode alone isn't enough on a switch.
Set SSLKEYLOGFILE before launching the browser, then point Wireshark to that key log (Preferences → Protocols → TLS). Without the keys you can't decrypt — capturing ciphertext isn't enough.
📚 Related Resources
- Nmap Cheatsheet — Scan to find hosts, then capture their traffic in Wireshark
- Hashcat Cheatsheet — Crack the NetNTLMv2 or WPA hashes you sniff from the wire
- Full Pentesting Cheatsheet — 200+ commands for web, network, AD and privesc
- Pentesting Glossary — Packet, BPF, MITM, promiscuous mode and 60+ key terms
Turn your capture findings into a professional PDF report. AI auto-fills CVE, CVSS and severity.
Want all 12,020+ commands?
This Wireshark cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.
Start free →