Wireshark Ref

(Some content generated by ChatGPT)

Name Resolution

Edit → Preferences → Name Resolution
Use captured DNS packet data for address resolution
Use an external network name resolver

Advanced Searching

Function	Description	Example Usage	Notes
`lower()`	Converts all characters in a string to lowercase for comparison.	`lower(dns.qry.name) == "example.com"`	Useful for case-insensitive matching.
`upper()`	Converts all characters in a string to uppercase for comparison.	`upper(http.host) == "EXAMPLE.COM"`	Useful when hostnames/strings vary in case.
`match`	Matches a string against a regular expression (regex).	`http.host matches ".example."`	Case-sensitive by default; use `(?i)` for case-insensitive regex.
`string()`	Converts a field into a string representation for comparison.	`string(frame.number) contains "10"`	Often used to treat numeric fields as text.
`contains`	Checks if a string contains the specified substring (case-sensitive match).	`http.user_agent contains "Mozilla"`	Partial substring matching.

Searching by IP


ip.addr == <address>

Searching by MAC


eth.addr == <address>

TCP Flag Filters

Only SYN flag

SYN flag is set. The rest of the bits are not important.


tcp.flags == 2
tcp.flags.syn == 1

Only ACK flag

ACK flag is set. The rest of the bits are not important.


tcp.flags == 16
tcp.flags.ack == 1

Only SYN + ACK flags

SYN and ACK are set. The rest of the bits are not important.


tcp.flags == 18
(tcp.flags.syn == 1) and (tcp.flags.ack == 1)

Only RST flag

RST flag is set. The rest of the bits are not important.


tcp.flags == 4
tcp.flags.reset == 1

Only RST + ACK flags

RST and ACK are set. The rest of the bits are not important.


tcp.flags == 20
(tcp.flags.reset == 1) and (tcp.flags.ack == 1)

Only FIN flag

FIN flag is set. The rest of the bits are not important.


tcp.flags == 1
tcp.flags.fin == 1

Address Resolution Protocol (ARP) Filters

Opcode 1

ARP Requests


arp.opcode == 1

Opcode 2

ARP Responses


arp.opcode == 2

ARP Scanning


arp.dst.hw_mac == 00:00:00:00:00:00

ARP Poisoning


arp.duplicate-address-detected or arp.duplicate-address-frame

ARP Flooding


((arp) && (arp.opcode == 1)) && (arp.src.hw_mac == target-mac-address)

Domain Name Service

DNS Hidden Commands


dns.qry.name.len > 15 and !mdns

Internet Control Message Protocol (ICMP)

ICMP Hidden Commands


data.len > 64 and icmp

HTTPS / TLS

TLS Client Request


tls.handshake.type == 1

TLS Server Response


tls.handshake.type == 2

Local Simple Service Discovery Protocol (SSDP)


ssdp

Initial Handshake

Client Hello


(http.request or tls.handshake.type == 1) and !(ssdp)

Server Hello


(http.request or tls.handshake.type == 2) and !(ssdp)

Wireshark Ref

Name Resolution

Advanced Searching

Searching by IP

Searching by MAC

TCP Flag Filters

Only SYN flag

Only ACK flag

Only SYN + ACK flags

Only RST flag

Only RST + ACK flags

Only FIN flag

Address Resolution Protocol (ARP) Filters

Opcode 1

Opcode 2

ARP Scanning

ARP Poisoning

ARP Flooding

Domain Name Service

DNS Hidden Commands

Internet Control Message Protocol (ICMP)

ICMP Hidden Commands

HTTPS / TLS

TLS Client Request

TLS Server Response

Local Simple Service Discovery Protocol (SSDP)

Initial Handshake

Adding Key Log files

Bonus

Wireshark can create Firewall Rules

Wireshark Ref

Name Resolution

Advanced Searching

Searching by IP

Searching by MAC

TCP Flag Filters

Only SYN flag

Only ACK flag

Only SYN + ACK flags

Only RST flag

Only RST + ACK flags

Only FIN flag

Address Resolution Protocol (ARP) Filters

Opcode 1

Opcode 2

ARP Scanning

ARP Poisoning

ARP Flooding

Domain Name Service

DNS Hidden Commands

Internet Control Message Protocol (ICMP)

ICMP Hidden Commands

HTTPS / TLS

TLS Client Request

TLS Server Response

Local Simple Service Discovery Protocol (SSDP)

Initial Handshake

Adding Key Log files

Bonus

Wireshark can create Firewall Rules