Wireshark Cheatsheet 2026

Every Wireshark filter and shortcut you need — display filters, capture filters (BPF), following streams, protocol analysis, credential extraction and tshark. For network analysis, CTFs and authorized audits.

Last updated:

New to pentesting? Read our complete beginner's guide to see where packet analysis fits in the methodology.

Quick Navigation

01 Display vs Capture 02 Display Filters 03 Protocol Filters 04 Capture Filters (BPF) 05 Follow Streams 06 Keyboard Shortcuts 07 Extract Creds & Files 08 Statistics 09 tshark (CLI) 10 Decrypt TLS

# Display vs Capture Filters

The single most important distinction in Wireshark. Capture filters decide what gets recorded; display filters refine what you see afterwards — different syntax, different purpose.

Capture filterDisplay filter
SyntaxBPF (tcpdump)Wireshark
Examplehost 10.0.0.1 and port 80ip.addr==10.0.0.1 && tcp.port==80
WhenAt capture timeAfter capture
ChangeableNo (fixed)Yes, anytime
💡 Tip: Use capture filters to keep huge captures small; use display filters for analysis. They are NOT interchangeable — tcp.port==80 is invalid as a capture filter.

# Display Filters — Essentials

Type these in the filter bar. Combine with && (and), || (or), ! (not).

ip.addr == 10.0.0.1
Traffic to OR from an IP
ip.src == 10.0.0.1 && ip.dst == 10.0.0.2
Specific source and destination
tcp.port == 443
TCP traffic on a port (either direction)
tcp.flags.syn == 1 && tcp.flags.ack == 0
SYN packets only — spot connection attempts / scans
tcp.analysis.retransmission
Find retransmissions (troubleshoot loss/latency)
frame contains "password"
Match any packet containing a string
tcp matches "(?i)pass"
Case-insensitive regex match on TCP payload
!(arp || icmp || dns)
Hide noise — exclude ARP, ICMP and DNS

# Protocol Filters

Zoom into a single protocol fast.

http.request.method == "POST"
HTTP POST requests — often carry logins
http.response.code == 200
Successful HTTP responses
dns.qry.name contains "example"
DNS queries for a domain
tls.handshake.type == 1
TLS Client Hello — see negotiated SNI/host
ftp || telnet
Cleartext protocols — likely to leak credentials
smb2 || smb
SMB traffic — file shares and authentication
kerberos
Kerberos — spot AS-REQ/TGS for AD attacks
http.request.uri contains ".php"
Filter by URI pattern

# Capture Filters (BPF)

Set these before capturing to limit what is recorded. Same syntax as tcpdump.

host 10.0.0.1
Only traffic to/from a host
net 10.0.0.0/24
A whole subnet
port 80 or port 443
Web traffic only
tcp port 22 and host 10.0.0.5
SSH to a specific host
not arp and not broadcast
Drop ARP and broadcast noise at capture time
ether host 00:11:22:33:44:55
Filter by MAC address

# Follow Streams

Reassemble a whole conversation into readable text — the fastest way to read an exchange.

Right-click packet → Follow → TCP Stream
Reassemble the full TCP conversation (Ctrl+Alt+Shift+T)
Follow → HTTP Stream
Read the HTTP request/response as text
Follow → UDP Stream
For UDP-based protocols (DNS, syslog…)
tcp.stream == 3
Filter to just one stream by its index

# Keyboard Shortcuts

Speed up navigation and marking.

ShortcutAction
Ctrl+EStart / stop capture
Ctrl+KCapture options
Ctrl+/Jump to the filter bar
Ctrl+Alt+Shift+TFollow TCP stream
Ctrl+MMark / unmark a packet
Ctrl+GGo to packet number
Ctrl+FFind packet
Ctrl+TSet/format time display
💡 Tip: Right-click a field in the detail pane → Apply as Column to add it as a sortable column, and Apply as Filter to build a filter instantly.

# Extract Credentials & Files

Cleartext protocols hand you credentials; HTTP hands you files.

File → Export Objects → HTTP
Save all files transferred over HTTP
File → Export Objects → SMB / TFTP
Extract files from SMB or TFTP transfers
ftp.request.command == "USER" || ftp.request.command == "PASS"
FTP credentials in cleartext
http.authorization
HTTP Basic Auth header (base64 user:pass)
Tools → Credentials (Wireshark 3.1+)
Auto-list credentials found in the capture

# Statistics & Overview

Understand a capture at a glance before diving into packets.

Statistics → Protocol Hierarchy
See the protocol breakdown of the whole capture
Statistics → Conversations
Top talkers by IP/port — find the biggest flows
Statistics → Endpoints
All hosts seen, with packet/byte counts and geo-IP
Statistics → I/O Graph
Traffic over time — spot spikes and beacons
Statistics → HTTP → Requests
Every requested host and URL

# tshark — Command Line

Wireshark's CLI for scripting, remote capture and huge files. Same display-filter syntax.

tshark -D
List available capture interfaces
tshark -i eth0 -w out.pcap
Capture on eth0 to a file
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri
Print requested hosts and URIs from a capture
tshark -r capture.pcap -q -z conv,tcp
TCP conversation statistics on the command line
tshark -r capture.pcap -Y "ftp.request.command==PASS" -T fields -e ftp.request.arg
Extract FTP passwords from a capture
ssh user@host "tcpdump -i eth0 -U -w -" | wireshark -k -i -
Live remote capture over SSH into Wireshark

# Decrypt TLS/HTTPS

You need the session keys — ciphertext alone can't be decrypted.

export SSLKEYLOGFILE=~/tls-keys.log
Set before launching Chrome/Firefox to log TLS session keys
Preferences → Protocols → TLS → (Pre)-Master-Secret log filename
Point Wireshark at the key log to decrypt TLS
tshark -r capture.pcap -o tls.keylog_file:tls-keys.log -Y http2
Decrypt from tshark using the key log file

❓ Wireshark FAQ

Capture filters (BPF, e.g. host 10.0.0.1 and port 80) decide what's recorded and can't change afterwards. Display filters (ip.addr==10.0.0.1 && tcp.port==80) only hide/show captured packets and change freely.

Right-click a packet → Follow → TCP Stream (or Ctrl+Alt+Shift+T). Wireshark reassembles the conversation as readable, colour-coded text — the fastest way to read HTTP or extract credentials.

ip.addr == 10.0.0.1 (to/from), ip.src == (source), ip.dst == (destination). Combine with &&, ||, !.

Files: File → Export Objects → HTTP/SMB/TFTP. Credentials: filter http.request.method == POST or Follow TCP Stream. FTP, Telnet, HTTP and SNMP often leak cleartext creds.

Wireshark's CLI — great for scripting and large files. E.g. tshark -r cap.pcap -Y 'http.request' -T fields -e http.host. Same display-filter syntax as the GUI.

On a switch you only see your own traffic + broadcasts. To see others' you need a SPAN/mirror port, a tap, or an active technique like ARP spoofing (authorized tests only). Promiscuous mode alone isn't enough on a switch.

Set SSLKEYLOGFILE before launching the browser, then point Wireshark to that key log (Preferences → Protocols → TLS). Without the keys you can't decrypt — capturing ciphertext isn't enough.

📚 Related Resources

AI-Assisted Pentest Report

Turn your capture findings into a professional PDF report. AI auto-fills CVE, CVSS and severity.

Try for free →

Want all 12,020+ commands?

This Wireshark cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.

Start free →