Filter where the source ip is not

ip.src !=

Filter where the destination ip is not

ip.dst !=

Find packets with a string in them

frame contains <thing to search>

For example:

frame contains google

Resource: https://www.cellstream.com/reference-reading/tipsandtricks/431-finding-text-strings-in-wireshark-captures

Show hostnames

Go to View -> Name Resolution -> Check the box next to Resolve Network Addresses

Resource: https://unix.stackexchange.com/questions/390852/how-to-filter-by-host-name-in-wireshark

Filter TLS traffic


If you want to only show TLS v1.2 traffic, then you would run:

ssl.record.version == 0x0303


  • 0x0300 SSL 3.0
  • 0x0301 TLS 1.0
  • 0x0302 TLS 1.1
  • 0x0303 TLS 1.2

Resource: https://security.stackexchange.com/questions/190532/filter-tls-in-wireshark-or-other-monitoring-tool


Filter on port 80

tcpdump port 80

Filter on source port 80

tcpdump src port 80

Destination port 80

tcpdump dest port 80

All traffic for

tcpdump host

Save output

tcpdump tcp -w output.pcap

Resource: https://medium.com/swlh/introduction-to-tcpdump-635653f56177

Filter on service

In this case, we are filtering icmp traffic on the eth0 interface where the ICMP type field value is icmp-echo. We finish it with a full protocol decode (-vv) aka verbose output.

tcpdump -i eth0 icmp and icmp[icmptype]=icmp-echo -vv

Resources: http://alumni.cs.ucr.edu/~marios/ethereal-tcpdump.pdf http://www.networksorcery.com/enp/protocol/icmp/msg8.htm

Listen for traffic over port 389

tcpdump -i eth0 -nn port 389

Resource: https://hackertarget.com/tcpdump-examples/