Wireshark Display Filters
A capture has thousands of packets. Display filters are how you find the few that matter. Type each one into the Packet Lab filter bar on the right and watch the list shrink; the bar turns green when the syntax is valid.
Filter by IP
ip # any IP packet
ip.addr == 192.168.1.10 # source OR destination is this address
ip.src == 192.168.1.10 # only when it is the source
ip.dst == 8.8.8.8 # only when it is the destination
ip.addr matches either direction; ip.src / ip.dst pin down one.
Filter by protocol
tcp
udp
dns
http
tls
ssl
Bare protocol names keep only packets of that type. http.request and http.response split web traffic by direction:
http.request # only requests the client sent
http.response # only responses the server sent
DNS has a handy text match:
dns.qry.name contains "google"
Filter by port
tcp.port == 80
tcp.port == 443
tcp.srcport == 443
tcp.dstport == 80
udp.port == 53
tcp.port matches whether it is the source or destination port; srcport / dstport are specific.
Filter by TCP flags
Flags reveal the state of a TCP conversation:
tcp.flags.syn == 1 # connection starts (SYN and SYN-ACK)
tcp.flags.ack == 1 # acknowledgements
tcp.flags.fin == 1 # graceful close
tcp.flags.reset == 1 # abrupt reset (often a refused or scanned port)
Try tcp.flags.reset == 1: you will find the packet where a scan against port 22 got slammed shut with a RST.
Combine filters
Use && (AND) to require multiple conditions at once:
ip.addr == 192.168.1.10 && tcp
dns && ip.src == 192.168.1.10
tcp.port == 443 && ip.dst == 8.8.8.8
That last one may return zero packets, and that is a real, correct answer: nothing in this capture is HTTPS to the DNS server. Empty results are information too.
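To make the matching rules in the IP, port, flag and combine sections concrete, here is an added example that is not part of the Packet Lab page and not Wireshark code: a toy evaluator for exactly the filter syntax shown above (bare names, `==`, `contains`, `&&`), run over a small constructed capture. The addresses, ports and query names in CAPTURE are made up; `apply_filter` and `mk` are names chosen here. It shows why ip.addr and tcp.port hit both directions, why ip.src and tcp.srcport do not, and that the combined filter from the last section legitimately returns nothing.

```python
"""Toy evaluator for the Wireshark display-filter subset used on this page.

Not Wireshark code; packets are constructed dicts rather than a real capture,
and only this page's syntax is supported: bare protocol/field names,
`field == value`, `field contains "text"`, and `&&`.
"""
import re

# Two-sided fields expand to both one-sided fields, as Wireshark does.
ALIASES = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}

TERM = re.compile(r'(\S+)\s*(==|contains)\s*"?([^"]*)"?')


def field_values(pkt, field):
    """All values a field name resolves to in this packet (empty if absent)."""
    return [pkt[name] for name in ALIASES.get(field, (field,)) if name in pkt]


def eval_term(pkt, term):
    """Evaluate one &&-free term against a packet."""
    term = term.strip()
    m = TERM.fullmatch(term)
    if m is None:  # bare name: the protocol is present, or the field exists
        return term in pkt["protocols"] or bool(field_values(pkt, term))
    field, op, wanted = m.groups()
    values = [str(v) for v in field_values(pkt, field)]
    if op == "==":
        return wanted in values
    return any(wanted in v for v in values)  # contains: substring match


def apply_filter(packets, expr):
    """Return the packet numbers kept by a filter made of && joined terms."""
    terms = expr.split("&&")
    return [p["no"] for p in packets if all(eval_term(p, t) for t in terms)]


def mk(no, protos, src, dst, sport, dport, extra=None):
    """Build one constructed packet record using Wireshark-style field names."""
    p = {"no": no, "protocols": set(protos), "ip.src": src, "ip.dst": dst}
    if "tcp" in protos:
        p.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags.syn": 0,
                  "tcp.flags.ack": 0, "tcp.flags.fin": 0, "tcp.flags.reset": 0})
    if "udp" in protos:
        p.update({"udp.srcport": sport, "udp.dstport": dport})
    p.update(extra or {})
    return p


# Constructed sample capture: every address, port and name here is made up.
CLIENT, RESOLVER, WEB, SCANNER = "192.168.1.10", "8.8.8.8", "203.0.113.5", "198.51.100.7"
CAPTURE = [
    mk(1, ["ip", "udp", "dns"], CLIENT, RESOLVER, 51000, 53, {"dns.qry.name": "www.google.com"}),
    mk(2, ["ip", "udp", "dns"], RESOLVER, CLIENT, 53, 51000, {"dns.qry.name": "www.google.com"}),
    mk(3, ["ip", "tcp"], CLIENT, WEB, 51001, 443, {"tcp.flags.syn": 1}),
    mk(4, ["ip", "tcp"], WEB, CLIENT, 443, 51001, {"tcp.flags.syn": 1, "tcp.flags.ack": 1}),
    mk(5, ["ip", "tcp", "tls"], CLIENT, WEB, 51001, 443, {"tcp.flags.ack": 1}),
    mk(6, ["ip", "tcp", "http"], CLIENT, WEB, 51002, 80, {"tcp.flags.ack": 1, "http.request": True}),
    mk(7, ["ip", "tcp", "http"], WEB, CLIENT, 80, 51002, {"tcp.flags.ack": 1, "http.response": True}),
    mk(8, ["ip", "tcp"], SCANNER, CLIENT, 40000, 22, {"tcp.flags.syn": 1}),
    mk(9, ["ip", "tcp"], CLIENT, SCANNER, 22, 40000, {"tcp.flags.reset": 1, "tcp.flags.ack": 1}),
    mk(10, ["ip", "udp", "dns"], "192.168.1.20", RESOLVER, 51003, 53, {"dns.qry.name": "example.com"}),
]

if __name__ == "__main__":
    for expr in ["ip.addr == 192.168.1.10", "ip.src == 192.168.1.10", "tcp.port == 443",
                 "tcp.srcport == 443", "tcp.flags.reset == 1",
                 'dns.qry.name contains "google"', "tcp.port == 443 && ip.dst == 8.8.8.8"]:
        print(f"{expr:40} -> {apply_filter(CAPTURE, expr)}")
```

Packet 9 is the RST answering the port 22 probe, so tcp.flags.reset == 1 isolates it exactly as the flags section says, and tcp.port == 443 && ip.dst == 8.8.8.8 comes back empty because the only traffic to the resolver is DNS over UDP.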
Try it
Work down the list: dns, then tcp.port == 443, then tcp.flags.syn == 1, then dns.qry.name contains "google", and finally ip.addr == 192.168.1.10 && tcp. Click the example chips if you want them filled in for you. This is the single most-used skill in everyday traffic analysis.