
Wireshark

Display-filter TCP traffic by IP and ports

The following display filter shows only traffic to or from TCP port 4444, or to or from IPv4 address 172.17.1.84:

tcp.srcport == 4444 or tcp.dstport == 4444 or ip.src == 172.17.1.84 or ip.dst == 172.17.1.84

How to display-filter TCP traffic by TCP flags?

Each TCP flag is exposed as its own boolean field under tcp.flags; compare it to 1 to show packets in which that flag is set (whatever the other flags are):

tcp.flags.reset == 1

tcp.flags.syn == 1

tcp.flags.ack == 1

etc.

To match an exact flag combination, compare the whole flags field instead, e.g. tcp.flags == 0x002 for packets with only SYN set, or tcp.flags == 0x012 for SYN/ACK.
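As an added illustration (this is example code, not from the page or from Wireshark), the following Python decodes the fields used above from a constructed IPv4/TCP header and evaluates the port/host filter and the per-flag checks the same way the display-filter engine does; the packets are built inline as sample input.

```python
import struct
from dataclasses import dataclass

# Bit positions of the tcp.flags.* fields inside the TCP flags byte.
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "reset": 0x04,
                 "push": 0x08, "ack": 0x10, "urg": 0x20}


@dataclass
class Packet:
    ip_src: str
    ip_dst: str
    tcp_srcport: int
    tcp_dstport: int
    tcp_flags: int


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Decode the fields the filters above use from a raw IPv4+TCP header."""
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header length in bytes
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13]                          # TCP flags byte (after data offset)
    return Packet(src, dst, sport, dport, flags)


def flag_set(pkt: Packet, name: str) -> bool:
    """tcp.flags.<name> == 1: the named bit is set, regardless of the other bits."""
    return bool(pkt.tcp_flags & TCP_FLAG_BITS[name])


def flags_exactly(pkt: Packet, value: int) -> bool:
    """tcp.flags == value: the whole flags field must match, e.g. 0x012 for SYN/ACK."""
    return pkt.tcp_flags == value


def match_port_or_host(pkt: Packet) -> bool:
    """tcp.srcport == 4444 or tcp.dstport == 4444 or ip.src == 172.17.1.84 or ip.dst == 172.17.1.84"""
    return 4444 in (pkt.tcp_srcport, pkt.tcp_dstport) or "172.17.1.84" in (pkt.ip_src, pkt.ip_dst)


def build(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal IPv4+TCP header as sample input (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp
```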

How to change the timestamp display format?

Navigate to View/Time Display Format and choose a timestamp display format you can understand.

http://www.wireshark.org/docs/wsug_html_chunked/ChWorkTimeFormatsSection.html

What is Unix epoch time?

The Unix epoch (or Unix time or POSIX time or Unix timestamp) is the number of seconds that have elapsed since January 1, 1970 (midnight UTC/GMT), not counting leap seconds (in ISO 8601: 1970-01-01T00:00:00Z).

http://www.epochconverter.com/?TimeStamp=18188500

How to specify capture filters and options to capture data?

1. Capture/Options...

2. Double-click the interface(s) on which you want to capture data

3. Specify your capture filter in the "Edit Interface Settings" dialog box, then close it.

4. Specify your capture options in the "Wireshark: Capture Options" dialog box, such as which interface to capture on, whether to use promiscuous mode, whether to store captured data in a single file or multiple files, the location of the capture file, when to stop capturing, etc.

5. Click "Start" in the "Wireshark: Capture Options" dialog box.

Capture filter syntax

Wireshark capture filter syntax is different from its display filter syntax: capture filters use the libpcap/BPF syntax (the same as tcpdump) and are applied while capturing, so packets that do not match are never written to the capture file. Below is an example capture filter that keeps only TCP traffic on port 6600 or port 104, in either direction:

tcp port 6600 or tcp port 104

For more, refer to: http://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureFilterSection.html