Applied Network Security

Wireshark filter cheat sheet

This will only show packets containing the selected IP address. This can be either the source or the destination IP:

ip.addr == x.x.x.x

This will show the communication between two IP addresses in either direction; each address may be the source or the destination:

ip.addr == x.x.x.x && ip.addr == x.x.x.x

You could also just type in the name of the protocol that you want to see:

http or dns

This filter will only show the TCP packets whose source or destination port is the specified port number:

tcp.port==xxx

You may narrow the search of the TCP packets further by matching on individual header flags; this shows only the segments that have the RST flag set:

tcp.flags.reset==1

To identify certain types of web traffic, such as the requests being made to particular websites on the network, enter the following, which shows only HTTP requests:

http.request

To exclude traffic, put an exclamation mark in front of a parenthesised expression; this hides all ARP, ICMP and DNS packets:

!(arp or icmp or dns)

tcp contains searches the ASCII-decoded content of every captured TCP packet for the exact string given:

tcp contains xxx

This will show traffic in one direction only, from the specified source IP to the specified destination IP:

ip.src==x.x.x.x and ip.dst==x.x.x.x

You can combine multiple protocols by joining them with or, or with its equivalent symbol ||:

smb || nbns || dcerpc || nbss || dns
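As an added illustration that is not part of the book, the following Python models the semantics of the filters above: a small evaluator for this subset of Wireshark's display-filter syntax, run over a handful of constructed packets. It shows in particular that ip.addr and tcp.port match either end of a conversation while ip.src/ip.dst match a single direction, and that and/&& binds tighter than or/||. The packet dictionaries, the EITHER table and all function names are assumptions of this example.

```python
import re

# Constructed sample packets keyed by Wireshark field names (not a real capture).
PACKETS = [
    {"no": 1, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "tcp.dstport": 80, "tcp.flags.reset": 0,
     "tcp": "GET /login HTTP/1.1", "protocols": {"ip", "tcp", "http", "http.request"}},
    {"no": 2, "ip.src": "10.0.0.9", "ip.dst": "10.0.0.5", "tcp.srcport": 80, "tcp.flags.reset": 1, "protocols": {"ip", "tcp"}},
    {"no": 3, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.1", "udp.dstport": 53, "protocols": {"ip", "udp", "dns"}},
    {"no": 4, "protocols": {"arp"}},
]
EITHER = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}  # match either direction

def values(pkt, name):  # every value the field resolves to in this packet; empty list means absent
    return [pkt[k] for k in EITHER.get(name, (name,)) if k in pkt]

def matches(text, pkt):  # evaluate one display filter against one packet (recursive descent)
    toks, pos = re.findall(r"\(|\)|&&|\|\||!|==|[\w.]+", text) + [None], 0  # None marks the end
    def take():
        nonlocal pos
        if toks[pos] is None: raise ValueError("unexpected end of filter")
        pos += 1
        return toks[pos - 1]
    def expr():  # or / || has the lowest precedence
        v = term()
        while toks[pos] in ("||", "or"):
            take(); rhs = term(); v = v or rhs
        return v
    def term():  # and / && binds tighter than or
        v = factor()
        while toks[pos] in ("&&", "and"):
            take(); rhs = factor(); v = v and rhs
        return v
    def factor():  # !x, (x), field == value, field contains value, or a bare protocol/field name
        tok = take()
        if tok in ("!", "not"):
            return not factor()
        if tok == "(":
            v = expr()
            if take() != ")": raise ValueError("expected )")
            return v
        if toks[pos] in ("==", "contains"):
            op, want = take(), take()
            return any(str(v) == want if op == "==" else want in str(v) for v in values(pkt, tok))
        return tok in pkt["protocols"] or bool(values(pkt, tok))
    result = expr()
    if toks[pos] is not None: raise ValueError("unexpected token " + toks[pos])
    return result

def matching(text, packets=PACKETS):  # frame numbers the filter selects, like Wireshark's packet list
    return [p["no"] for p in packets if matches(text, p)]
```

Because ip.addr matches either end, a filter such as ip.addr != x still shows every packet whose other end is not x; to exclude a host in Wireshark use the negated form from the cheat sheet, !(ip.addr == x).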