Wireshark
Website here & doc here
Basic commands
- filter with a protocol:
<protocol name>
- filter with a word:
<protocol name> contains <word>
- filter with an (destination or source) ip:
ip.addr == <address>
- filter with a destination ip:
ip.dst == <address>
- filter with a source ip:
id.src == <address>
- filter with a port:
<protocol name>.<port number>
- filter with tcp analysis:
tcp.analysis
- filter with tcp flag analysis:
tcp.analysis.flags
- filter with http requests:
http.request
- filter with an http response status code:
http.response.code == <response status code>
- filter with a tcp flag:
tcp.flags.<flag name> == <value>
- or operator:
|| (alternative or)
- and operator:
&& (alternative and)
- not operator:
! (alternative not)
- equal operator:
== (alternative eq)
- example combination of rules (in this case remove arp, icmp and dns protocol):
!(arp or icmp or dns)
- filter with a (tcp/udp/tls/http) stream: right click on a packet ==> follow ==> stream
(equivalent of <protocol name>.stream == <number>)
Useful links
- tcp flags here
- http(s) response status codes here