Filter by IP address: displays all traffic from IP, be it source or destination
ip.addr == 192.168.1.1
Filter by source address: display traffic only from IP source
ip.src == 192.168.0.1
Filter by destination: display traffic only form IP destination
ip.dst == 192.168.0.1
Filter by IP subnet: display traffic from subnet, be it source or destination
ip.addr = 192.168.0.1/24
Filter by protocol: filter traffic by protocol name
dns
http
ftp
arp
ssh
telnet
icmp
Exclude IP address: remove traffic from and to IP address
!ip.addr ==192.168.0.1
Display traffic between two specific subnet
ip.addr == 192.168.0.1/24 and ip.addr == 192.168.1.1/24
Display traffic between two specific workstations
ip.addr == 192.168.0.1 and ip.addr == 192.168.0.2
Filter by MAC
eth.addr = 00:50:7f:c5:b6:78
Filter TCP port
tcp.port == 80
Filter TCP port source
tcp.srcport == 80
Filter TCP port destination
tcp.dstport == 80
Find user agents
http.user_agent contains Firefox
!http.user_agent contains || !http.user_agent contains Chrome
Filter broadcast traffic
!(arp or icmp or dns)
Filter IP address and port
tcp.port == 80 && ip.addr == 192.168.0.1
Filter all http get requests
http.request
Filter all http get requests and responses
http.request or http.response
Filter three way handshake
tcp.flags.syn==1 or (tcp.seq==1 and tcp.ack==1 and tcp.len==0 and tcp.analysis.initial_rtt)
Find files by type
frame contains “(attachment|tar|exe|zip|pdf)”
Find traffic based on keyword
tcp contains facebook
frame contains facebook
Detecting SYN Floods
tcp.flags.syn == 1 and tcp.flags.ack == 0
73