Ten Powerful Wireshark Filters

Here are some great filter terms that can pick out the important packets.  For easy use, copy and paste them into the Filter field of Wireshark.

Filter Expression Results
tcp.analysis.flags
A simple expression that reveals all of the TCP issues identified in a trace.  You'll need to do further work to find out what's wrong, but this is a great shortcut.  A point worth noting is that Keep-Alive packets pass this filter, but TCP Keep-Alive is often not an indication of a problem.
http.time > 1
Check to see if your trace contains any HTTP response times of greater than 1 second.  The packet list will show HTTP Responses. To get the matching request, right-click on the response and choose Conversation Filter -> TCP.
smb2.cmd==3 or smb2.cmd==5
After applying this filter the Info column shows all of the Tree (share) Connects, directory opens and file opens in the trace.  This is a great way to get your bearings in an SMB2 trace.
http.request && !(http.request.uri contains ".ico" or http.request.uri contains ".css" or http.request.uri contains ".js" or http.request.uri contains ".gif"  or http.request.uri contains ".jpg")
Don't be put off by the size of this filter term; it's quite simple and very powerful.  With this term you can get a high-level view of web activity.  The terms within the parentheses simply exclude images, JavaScript files and style sheets - what's sometimes called the page furniture.  If you have pages in the trace that contain other embedded objects, simply add another exclusion term.
tcp.len > 0
Ridiculously simple, but so powerful.  Shows everything that the client and server programs are seeing.  TCP Keep-Alive has a "phantom" byte payload and you can eliminate these like this:
tcp.len>0 && !(tcp.analysis.keep_alive==1)
transum
If you use the TRANSUM plugin, this simple term selects all packets with performance data.  Use it in conjunction with the TRANSUM Wireshark profile to get an instant view of performance.
transum && dns
Study DNS performance.
transum.art > 1
Select any response times greater than 1 second (adjust the number to your choice).
transum.reqspread > 0.2 or transum.rspspread > 0.2
Identify slow network performance.  In this example we will select any interactions between a client and server where the network time is more than 200ms.  To make this reliable, it's best to use the filter on matching traces from the client and server side of the network.
(frame.time >= "Oct 12, 2016 15:44:30.889427000" && frame.time <= "Oct 12, 2016 15:45:47.370937000") or tcp.flags.syn==1
This one is a little subtle but can save you a lot of time.  Let's imagine that you trace a PC connecting to a file server and eventually capture a performance problem.  To speed up analysis, you may decide to generate a trace clip for a narrow period of time, which makes a lot of sense.  The trouble is that your file won't include the SYN and SYN/ACK, and so Wireshark won't have the TCP Window Scaling or negotiated MSS details.  Simply add or tcp.flags.syn==1 to the filter term to add the SYN information.  If you have Workbench, look for the Inc. SYN option in the Filter tool.
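
The trace-clip step described above can also be scripted from the command line. This is an added example, not part of the original page: clip_filter and make_clip are hypothetical helper names, and it assumes tshark (installed with Wireshark) is on the PATH.

```shell
#!/bin/sh
# Added example: cut a time-window clip from a capture while keeping every
# SYN and SYN/ACK, so Window Scaling and MSS are still known in the clip.

# Build the display filter for a window. Arguments are frame.time strings
# as used in the filter above, e.g. "Oct 12, 2016 15:44:30.889427000".
clip_filter() {
    start=$1
    end=$2
    if [ -z "$start" ] || [ -z "$end" ]; then
        echo "usage: clip_filter START END" >&2
        return 2
    fi
    # A double quote inside a timestamp would break out of the quoted
    # filter string, so refuse it instead of trying to escape it.
    case "$start$end" in
        *\"*) echo "timestamps must not contain double quotes" >&2; return 2 ;;
    esac
    printf '(frame.time >= "%s" && frame.time <= "%s") or tcp.flags.syn==1' \
        "$start" "$end"
}

# Write the clip: make_clip SRC DST START END
# SRC and DST are capture file paths chosen by the caller.
make_clip() {
    src=$1
    dst=$2
    filter=$(clip_filter "$3" "$4") || return $?
    # -r reads a saved capture, -Y applies a display filter,
    # -w writes the packets that pass it to a new file.
    tshark -r "$src" -Y "$filter" -w "$dst"
}
```

Open the resulting file in Wireshark as usual; connections that started before the window still show their handshake options.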

 

Last modified: Saturday, 18 February 2017, 8:19 PM