Wireshark Cheatsheet
Wireshark Cheatsheet — SOC Analyst & DFIR
Display Filters (Most Critical)
Basic Syntax
```text
protocol                    # Filter by protocol (e.g., tcp, udp, dns, http)
ip.addr == X.X.X.X          # Match source OR destination IP
ip.src == X.X.X.X           # Source IP only
ip.dst == X.X.X.X           # Destination IP only
tcp.port == 443             # Match source OR destination port
tcp.srcport == 4444         # Source port only
tcp.dstport == 80           # Destination port only
frame.len > 1000            # Frames larger than 1000 bytes
```
Logical Operators
```text
&& or and                   # AND
|| or or                    # OR
! or not                    # NOT
==                          # Equal
!=                          # Not equal (since 4.0 this means "all values differ", same as !(a == b);
                            # in 3.x, ip.addr != X still matched packets where only one address differed)
> >= < <=                   # Comparison
contains                    # Substring / byte-sequence match (case-sensitive)
matches                     # PCRE regex match (case-insensitive by default)
```
Protocol Filters — Quick Reference
Network Layer
```text
ip                          # All IPv4
ipv6                        # All IPv6
icmp                        # ICMP (ping, traceroute)
icmp.type == 8              # ICMP Echo Request (ping)
icmp.type == 0              # ICMP Echo Reply
arp                         # ARP traffic
arp.opcode == 1             # ARP Request
arp.opcode == 2             # ARP Reply
```
Transport Layer
```text
tcp                                        # All TCP
udp                                        # All UDP
tcp.flags.syn == 1                         # SYN packets
tcp.flags.syn == 1 && tcp.flags.ack == 0   # SYN only (new connections)
tcp.flags.rst == 1                         # RST packets (connection resets)
tcp.flags.fin == 1                         # FIN packets
tcp.analysis.retransmission                # TCP retransmissions
tcp.analysis.zero_window                   # Zero window (flow control issues)
tcp.window_size == 0                       # Zero window size
```
Application Layer
```text
http                                  # HTTP traffic
http.request                          # HTTP requests only
http.response                         # HTTP responses only
http.request.method == "GET"
http.request.method == "POST"
http.response.code == 200
http.response.code == 404
http.response.code >= 400             # All HTTP errors
http.host contains "evil"
http.request.uri contains ".exe"
http.request.uri contains "cmd="
http.user_agent contains "curl"
http.user_agent contains "python"
tls                                   # All TLS traffic ("ssl" is the pre-3.0 name of the dissector)
tls.handshake                         # TLS handshakes only
tls.handshake.type == 2 && tls.handshake.version == 0x0301   # Server selected TLS 1.0
                                      # (tls.record.version is NOT the negotiated version: it is
                                      # 0x0301 or 0x0303 for any TLS 1.0-1.3 session; TLS 1.3 is
                                      # signalled in the supported_versions extension)
dns                                   # DNS traffic
dns.qry.name contains "pastebin"
dns.flags.response == 1 && udp.length > 512   # Large DNS responses (tunneling indicator;
                                      # dns.resp.len is a per-record RDATA length, not the message size)
dns.flags.rcode == 3                  # NXDOMAIN (non-existent domain)
ftp                                   # FTP control channel
ftp-data                              # FTP data channel
ftp.request.command == "PASS"         # FTP password submission
smb || smb2                           # SMB/SMB2 traffic
kerberos                              # Kerberos authentication
ldap                                  # LDAP traffic
rdp                                   # Remote Desktop Protocol (usually TLS-wrapped; tcp.port == 3389 catches the session)
ssh                                   # SSH traffic
smtp                                  # SMTP email
```
SOC / Threat Hunting Filters
Scanning & Reconnaissance
```text
# Port scan detection (many SYN, no data)
tcp.flags.syn == 1 && tcp.flags.ack == 0
# XMAS scan (FIN+PSH+URG)
tcp.flags.fin == 1 && tcp.flags.push == 1 && tcp.flags.urg == 1
# NULL scan (no flags)
tcp.flags == 0x000
# SYN scan (half-open): SYN only, scanner answers SYN/ACK with RST instead of ACK
tcp.flags == 0x002
# UDP scan: closed ports answer with ICMP port unreachable, so look for those, not just UDP
icmp.type == 3 && icmp.code == 3
udp && !dns && !dhcp                       # UDP to unusual ports (noisy; baseline first)
# ICMP sweep
icmp.type == 8
```
Lateral Movement
```text
# SMB activity (lateral movement, remote service creation)
smb2 && smb2.cmd == 0x0000                 # SMB2 Negotiate
smb2.filename contains "\\"                # Paths with backslashes (share/file access)
smb2.cmd == 0x0005                         # SMB2 Create (file or named-pipe open)
smb2.filename == "svcctl"                  # Service Control Manager pipe (PsExec-style service install)
smb.cmd == 0x0025                          # SMB1 Trans (named-pipe RPC; PsExec indicator on legacy SMB1)
# Remote execution indicators
tcp.dstport == 445                         # SMB
tcp.dstport == 135                         # DCOM/RPC endpoint mapper (WMI, DCOM)
tcp.dstport == 5985 || tcp.dstport == 5986 # WinRM
tcp.dstport == 22                          # SSH
# Kerberos attacks (Pass-the-Hash is NTLM, see Credential Attacks)
# msg_type values: 10 AS-REQ, 11 AS-REP, 12 TGS-REQ, 13 TGS-REP, 30 KRB-ERROR
kerberos.msg_type == 12                    # TGS-REQ (Kerberoasting starts by requesting service tickets)
kerberos.msg_type == 11 && kerberos.etype == 23   # AS-REP encrypted with RC4 (AS-REP roasting target)
```
Command & Control (C2) Detection
```text
# Beaconing: regular intervals to the same destination
# (Statistics > Conversations for volume; export frame.time_epoch per destination for interval analysis)
# Common C2 ports (tool defaults only; most real C2 rides 443/80)
tcp.dstport == 4444                        # Metasploit default
tcp.dstport == 1337
tcp.dstport == 8443
tcp.dstport == 8080
# DNS tunneling indicators
dns.flags.response == 1 && udp.length > 512   # Large responses
dns.qry.name.len > 50                      # Long query names
dns.qry.type == 16                         # TXT record queries (common in DNS tunneling)
# HTTP C2 indicators
http.request && !http.user_agent           # Request with no User-Agent header (the field is absent, not "")
http && ip.dst == X.X.X.X                  # Repeated HTTP to suspicious IP
http.request.uri matches "/[a-f0-9]{32}"   # MD5-like URI path (C2 check-in)
# HTTPS C2 - inspect certificate and SNI
tls.handshake.type == 11                   # Certificate message (cleartext through TLS 1.2; encrypted in TLS 1.3)
tls.handshake.extensions_server_name       # SNI field in the ClientHello
```
Exfiltration Detection
```text
# Large outbound transfers
ip.dst == EXTERNAL_IP && frame.len > 1400
# DNS exfiltration
dns && dns.qry.name.len > 40
# ICMP tunneling (data in ping; default payloads are 32 bytes on Windows, 56 on Linux)
icmp.type == 8 && data.len > 64
# FTP data exfil
ftp-data
# HTTP POST exfiltration
http.request.method == "POST" && http.content_length > 10000
# Base64 in HTTP (common encoding for exfil; "==" padding only appears for some lengths, so expect misses)
http.request.method == "POST" && http contains "=="
```
Credential Attacks
```text
# HTTP Basic Auth (base64 of user:password, recoverable from the capture)
http.authorization contains "Basic"
# FTP login
ftp.request.command == "USER"
ftp.request.command == "PASS"
# Telnet (cleartext credentials)
telnet
# NTLM authentication (pass-the-hash looks like ordinary NTLM on the wire; correlate account and source host)
ntlmssp                                    # Any NTLMSSP message
ntlmssp.messagetype == 0x00000003          # NTLM AUTHENTICATE (carries ntlmssp.auth.username / ntlmssp.auth.domain)
# Kerberoasting: service ticket responses, typically RC4 (etype 23)
kerberos.msg_type == 13 && kerberos.etype == 23   # TGS-REP is 13 (12 is TGS-REQ)
```
Malware Traffic Patterns
```text
# EternalBlue (MS17-010): SMB1 Trans2 SESSION_SETUP subcommand, not merely a SYN to 445
smb.cmd == 0x32 && smb.trans2.cmd == 0x000e
tcp.dstport == 445 && tcp.flags.syn == 1   # Starting point only: every SMB connection attempt
# LSASS dump copied over SMB (contains is case-sensitive; matches is not)
smb2.filename matches "lsass"
# Cobalt Strike team server (operator console port, not beacon traffic; beacons use the configured listener)
tcp.dstport == 50050
# Meterpreter reverse TCP (default port)
tcp.srcport == 4444 || tcp.dstport == 4444
# PowerShell download cradle indicators
http.request.uri contains ".ps1"
http.request.uri contains "powershell"
# Document-based malware (macro download)
http.request.uri contains ".doc" || http.request.uri contains ".xls"
http.request.uri contains ".exe" && !(ip.dst == KNOWN_GOOD)
```
DFIR — Forensic Analysis Filters
Timeline & Session Reconstruction
```text
# All traffic to/from compromised host
ip.addr == VICTIM_IP
# Traffic during incident window (local time; older versions only accept "Jan 15, 2024 08:00:00")
frame.time >= "2024-01-15 08:00:00" && frame.time <= "2024-01-15 10:00:00"
# First contact with external IP (apply, then sort by time)
ip.src == VICTIM_IP && ip.dst == ATTACKER_IP
# Full conversation (follow stream for context)
tcp.stream eq N                            # Replace N with stream index
```
File Extraction Indicators
```text
# HTTP file downloads
http.request.uri contains ".exe"
http.request.uri contains ".dll"
http.request.uri contains ".bat"
http.request.uri contains ".vbs"
http.request.uri contains ".ps1"
http.request.uri contains ".hta"
http.request.uri contains ".zip"
http.request.uri contains ".7z"
# FTP file transfers
ftp.request.command == "RETR"              # File download via FTP
ftp.request.command == "STOR"              # File upload via FTP
# SMB file operations (SMB2 command codes)
smb2.cmd == 0x0005                         # Create (file open/create)
smb2.cmd == 0x0008                         # Read
smb2.cmd == 0x0009                         # Write
```
Persistence Mechanisms
```text
# WMI traffic (remote WMI for persistence/exec: endpoint mapper on 135, then a dynamic high port)
tcp.dstport == 135
# Scheduled task over SMB (remote AT/schtasks talk to the atsvc named pipe)
smb2.filename == "atsvc"
# Remote registry over SMB (winreg pipe) and direct access to hive files
smb2.filename == "winreg"
smb2.filename contains "system32\\config"
```
TShark Command-Line Reference
Basic Capture & Read
```bash
# Read pcap file
tshark -r capture.pcap
# Apply display filter
tshark -r capture.pcap -Y "http.request"
# List interfaces
tshark -D
# Capture on interface (live)
tshark -i eth0
# Capture with filter and write to file
tshark -i eth0 -w output.pcap -f "port 80"
# Read and write filtered subset
tshark -r big.pcap -Y "ip.addr == 10.0.0.5" -w filtered.pcap
```
Fields & Output Formatting
```bash
# Extract specific fields
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport
# Extract HTTP hosts
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri
# Extract DNS queries
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name
# Extract TLS SNI (server names)
tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.extensions_server_name
# Extract user agents
tshark -r capture.pcap -Y "http.user_agent" -T fields -e ip.src -e http.user_agent | sort -u
# JSON output for SIEM ingestion (-T ek gives newline-delimited JSON for Elasticsearch bulk import)
tshark -r capture.pcap -T json
# PDML (full XML)
tshark -r capture.pcap -T pdml
```
Statistics & Analysis
```bash
# Top talkers (IP conversations)
tshark -r capture.pcap -q -z conv,ip
# Protocol hierarchy
tshark -r capture.pcap -q -z io,phs
# HTTP request stats
tshark -r capture.pcap -q -z http,tree
# DNS query stats
tshark -r capture.pcap -q -z dns,tree
# Endpoint stats
tshark -r capture.pcap -q -z endpoints,ip
# Follow TCP stream (stream index 0)
tshark -r capture.pcap -q -z follow,tcp,ascii,0
# Export HTTP objects
tshark -r capture.pcap --export-objects http,/output/dir/
```
Wireshark GUI — Key Features for Analysts
Statistics Menu
| Feature | Use Case |
|---|---|
| Statistics > Protocol Hierarchy | Overview of protocols in capture |
| Statistics > Conversations | Top talkers, longest sessions |
| Statistics > Endpoints | All IPs/MACs seen |
| Statistics > IO Graphs | Visualize traffic spikes |
| Statistics > HTTP > Requests | All HTTP URIs |
| Statistics > DNS | All DNS queries/responses |
| Statistics > Flow Graph | Visual TCP timeline |
Analyze Menu
| Feature | Use Case |
|---|---|
| Follow > TCP Stream | Reconstruct full session |
| Follow > HTTP Stream | Decoded HTTP conversation |
| Follow > TLS Stream | TLS session (if key available) |
| Analyze > Expert Information | Errors, warnings, retransmissions |
| Analyze > Display Filter Macros | Save complex filters |
File Menu
| Feature | Use Case |
|---|---|
| File > Export Objects > HTTP | Extract files from HTTP streams |
| File > Export Objects > SMB | Extract files from SMB streams |
| File > Export Objects > DICOM/IMF | Protocol-specific exports |
| File > Export Specified Packets | Save filtered subset |
Color Rules (Default)
| Color | Meaning |
|---|---|
| Black background, red text | Bad TCP (retransmissions, lost segments, dup ACKs) and checksum errors |
| Black background, green text | ICMP errors (unreachable, TTL exceeded) |
| Dark red background | TCP RST |
| Faded yellow | ARP |
| Bright yellow | SMB / NetBIOS |
| Light yellow | Routing protocols (OSPF, BGP, HSRP, ...) |
| Light blue | UDP |
| Light green | HTTP |
| Lavender (light purple) | TCP |
| Gray | TCP SYN/FIN |
| Pink | ICMP |
| Purple | DCERPC |
There is no default rule for DNS; it takes the UDP (or TCP) colour unless you add one. Custom color rules: View > Coloring Rules
Capture Filters (BPF Syntax)
Applied at capture time (BPF, evaluated by the kernel), so cheaper than display filters; the trade-off is that anything a capture filter drops is never written to disk. During an incident keep capture filters broad and narrow down with display filters afterwards.
```text
# By host
host 192.168.1.1
src host 192.168.1.1
dst host 192.168.1.1
# By network
net 192.168.1.0/24
src net 10.0.0.0/8
# By port
port 443
src port 80
dst port 4444
portrange 1-1024
# By protocol
tcp
udp
icmp
arp
not arp                    # Exclude ARP
# Combinations
host 192.168.1.1 and port 80
tcp and dst port 443
not port 22 and not arp
# Capture malware-related ports
port 4444 or port 1337 or port 8443
```
SSL/TLS Decryption
Using Private Key (RSA key exchange only, pre-TLS 1.3)
- Edit > Preferences > Protocols > TLS > RSA keys list (Edit...)
- Add RSA key: IP, Port, Protocol, Key file path
- Only works when the session used RSA key exchange; (EC)DHE cipher suites and all of TLS 1.3 have forward secrecy, so the server's private key cannot decrypt them and you need the key log method
Using Pre-Master Secret Log (All TLS versions)
```bash
# Set environment variable before browser launch
export SSLKEYLOGFILE=/tmp/ssl_keys.log
chromium &
# OR for Firefox
export SSLKEYLOGFILE=/tmp/ssl_keys.log
firefox &
# curl honours the same variable, useful for reproducing a suspicious request
```
Then in Wireshark: Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename. Treat the key log as sensitive and delete it when done: it decrypts every session the process made while the variable was set.
Decrypting in TShark
```bash
tshark -r capture.pcap -o "tls.keylog_file:/tmp/ssl_keys.log" -Y "http"
```
IOC Hunting Cheatsheet
Suspicious IP Indicators
```text
# Tor exit nodes (update IP list regularly)
ip.addr == TOR_EXIT_NODE
# Known C2 infrastructure
ip.addr == MALICIOUS_IP
# One RFC1918 range talking to another (unexpected if your network does not route between them)
ip.src == 192.168.0.0/16 && ip.dst == 10.0.0.0/8
# Loopback anomalies (127/8 should never appear on the wire; spoofing or misconfiguration)
ip.dst == 127.0.0.1 && !(ip.src == 127.0.0.1)
```
Suspicious Domain Indicators
```text
# Long random labels (DGA/DNS tunneling); "\\." is an escaped backslash so the regex sees \.
dns.qry.name matches "[a-z0-9]{20,}\\."
# Cheap, frequently abused TLDs (anchor on the end of the name; contains ".top" would also hit "top.example.com")
dns.qry.name matches "\\.(xyz|top|tk|pw)$"
# Lookalike domains
dns.qry.name contains "g00gle"
dns.qry.name contains "rn1crosoft"
```
Suspicious User Agents
```text
http.user_agent contains "python-requests"
http.user_agent contains "curl"
http.user_agent contains "Wget"
http.user_agent contains "Go-http-client"
http.user_agent contains "winhttp"
http.user_agent contains "PowerShell"
http.request && !http.user_agent           # No User-Agent header at all (field absent, so == "" never matches)
```
Wireshark Keyboard Shortcuts
| Shortcut | Action |
|---|---|
| Ctrl+F | Find packet |
| Ctrl+G | Go to packet number |
| Ctrl+/ | Jump to the display filter bar |
| Ctrl+K | Capture options |
| Ctrl+E | Start / stop capture |
| Ctrl+R | Restart capture (reload file when not capturing) |
| Ctrl+W | Close file |
| Ctrl+M | Mark / unmark packet |
| Ctrl+D | Ignore / unignore packet |
| Ctrl+T | Set / unset time reference |
| Ctrl+Shift+T | Time shift |
| Ctrl+. / Ctrl+, | Next / previous packet in conversation |
| Alt+→ / Alt+← | Next / previous packet in history |
| Ctrl+Alt+Shift+T | Follow TCP stream |
| Ctrl+Alt+Shift+U | Follow UDP stream |
| Ctrl+Alt+Shift+H | Follow HTTP stream |
| Ctrl+Alt+Shift+S | Follow TLS stream |
| Ctrl+Shift+P | Preferences |
| Ctrl+Shift+A | Configuration profiles |
Default bindings of the Qt GUI; Help > About Wireshark > Keyboard Shortcuts lists the ones in your build.
Wireshark Profiles for SOC/DFIR
Recommended Setup
- Create a dedicated SOC profile: Edit > Configuration Profiles > New
- Add custom color rules for threat categories
- Create filter macros for repeated searches
- Set columns: Time (epoch), Source, Destination, Protocol, Length, Info, Delta Time
Useful Custom Columns
- frame.time_delta — Time since the previous captured frame; for beaconing analysis filter to one conversation and use frame.time_delta_displayed (or tcp.time_delta)
- ip.ttl — TTL (OS fingerprinting, TTL anomalies)
- tcp.analysis.initial_rtt — Round-trip time
- http.host — HTTP Host header
- dns.qry.name — DNS query name
- tls.handshake.extensions_server_name — TLS SNI
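The column list above gives you the inter-packet delta for eyeballing beacons; the following script, added here as an example and not part of the original cheatsheet, does the same systematically. It assumes a tab-separated export made with `tshark -r capture.pcap -Y "ip && !dns" -T fields -e frame.time_epoch -e ip.src -e ip.dst -e frame.len > flows.tsv`, groups packets per (source, destination) pair and computes the coefficient of variation of the intervals and sizes. The sample lines, the 0.1 thresholds and the minimum of four packets are constructed assumptions to tune against your own baseline.

```python
"""Beacon-interval triage over a `tshark -T fields` export (added example, not from the
original cheatsheet). Input columns: frame.time_epoch, ip.src, ip.dst, frame.len (tab-separated)."""
import statistics
from collections import defaultdict

# Constructed sample: 10.0.0.5 -> 203.0.113.10 every ~60 s with slight jitter and
# near-constant size (beacon-like); 10.0.0.5 -> 198.51.100.7 is irregular (browsing).
SAMPLE_TSV = """\
1705305600.012\t10.0.0.5\t203.0.113.10\t312
1705305601.500\t10.0.0.5\t198.51.100.7\t1514
1705305659.987\t10.0.0.5\t203.0.113.10\t314
1705305660.120\t10.0.0.5\t198.51.100.7\t640
1705305720.031\t10.0.0.5\t203.0.113.10\t312
1705305733.900\t10.0.0.5\t198.51.100.7\t1514
1705305779.995\t10.0.0.5\t203.0.113.10\t313
1705305840.008\t10.0.0.5\t203.0.113.10\t312
1705305842.250\t10.0.0.5\t198.51.100.7\t88
"""


def parse_fields(tsv):
    """Yield (epoch, src, dst, length) from tshark -T fields output; skip blank or partial lines."""
    for line in tsv.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not all(parts):
            continue
        yield float(parts[0]), parts[1], parts[2], int(parts[3])


def beacon_scores(tsv, min_packets=4):
    """Per (src, dst) pair: packet count, mean interval, interval CoV and size CoV.
    Low CoV on both is the 'regular intervals, consistent size' signature."""
    times = defaultdict(list)
    sizes = defaultdict(list)
    for t, src, dst, length in parse_fields(tsv):
        times[(src, dst)].append(t)
        sizes[(src, dst)].append(length)
    results = {}
    for pair, ts in times.items():
        if len(ts) < min_packets:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean_gap = statistics.mean(gaps)
        gap_cov = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        mean_size = statistics.mean(sizes[pair])
        size_cov = statistics.pstdev(sizes[pair]) / mean_size if mean_size else float("inf")
        results[pair] = {
            "packets": len(ts),
            "mean_interval_s": round(mean_gap, 2),
            "interval_cov": round(gap_cov, 3),
            "size_cov": round(size_cov, 3),
        }
    return results


def flag_beacons(tsv, max_interval_cov=0.1, max_size_cov=0.1):
    """Pairs whose timing and size regularity fall under the thresholds (assumed values; tune them)."""
    return {pair: s for pair, s in beacon_scores(tsv).items()
            if s["interval_cov"] <= max_interval_cov and s["size_cov"] <= max_size_cov}


if __name__ == "__main__":
    for pair, s in beacon_scores(SAMPLE_TSV).items():
        print(f"{pair[0]} -> {pair[1]}: {s}")
    print("beacon candidates:", list(flag_beacons(SAMPLE_TSV)))
```

Run it against a real export with `python3 beacons.py < flows.tsv` after swapping `SAMPLE_TSV` for `sys.stdin.read()`; sleep-with-jitter implants push the interval CoV up, so compare candidates against the size CoV and the destination's reputation rather than trusting either number alone.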
Common Attack Patterns Summary
| Attack | Key Filter | Indicators |
|---|---|---|
| Port Scan | tcp.flags.syn==1 && tcp.flags.ack==0 | Many SYNs from one source, RSTs back, no data |
| DNS Tunneling | dns.qry.name.len > 50 \|\| dns.qry.type == 16 | Long queries, TXT records, high volume to one domain |
| Beaconing | ip.dst == C2_IP | Regular intervals, consistent size |
| Pass-the-Hash | ntlmssp.messagetype == 0x00000003 | NTLM auth over SMB from an unexpected host or account |
| Kerberoasting | kerberos.msg_type == 13 && kerberos.etype == 23 | Many RC4 TGS-REPs to one client |
| Lateral Movement | smb2 && tcp.dstport == 445 | SMB between workstations; svcctl / atsvc pipes |
| Data Exfil | http.request.method == "POST" | Large POST, unusual UA |
| ICMP Tunnel | icmp.type == 8 && data.len > 64 | Large ping payloads |
| RDP Brute Force | tcp.dstport == 3389 && tcp.flags.syn==1 | Many short sessions to port 3389 |
| EternalBlue | smb.trans2.cmd == 0x000e | SMB1 Trans2 SESSION_SETUP after negotiate |
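The DNS Tunneling row boils down to three traits of the query name (long labels, random-looking labels, many distinct names under one domain) plus TXT queries. The script below, an added example that is not part of the original cheatsheet, scores each query on those traits and aggregates per client and registered domain. It assumes an export made with `tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.type -e dns.qry.name > queries.tsv` (dns.qry.type is numeric, 16 = TXT). The sample lines are constructed; the 20-character and 3.5-bit thresholds and the "last two labels" notion of a registered domain are assumptions, not Wireshark behaviour.

```python
"""Score DNS query names from a tshark export for tunneling/DGA traits (added example,
not from the original cheatsheet). Input columns: ip.src, dns.qry.type, dns.qry.name."""
import math
from collections import Counter, defaultdict

# Constructed sample: three TXT queries with 32-char random labels under tun.example.net,
# plus ordinary A lookups from two clients.
SAMPLE_TSV = """\
10.0.0.5\t1\twww.example.com
10.0.0.5\t1\tmail.example.com
10.0.0.5\t16\t3q2b7f9z1k8m4x6v0c5n2j7h9d1g4s8a.tun.example.net
10.0.0.5\t16\tz8k2m5v9c1x4n7b0f3q6j2h8d5g1s4a7.tun.example.net
10.0.0.5\t16\tk4n8b1f5q9j2h6d0g3s7a1z5m9v2c6x0.tun.example.net
10.0.0.7\t1\tcdn.example.org
10.0.0.7\t1\txk3j9q2z.example-dga.top
"""

TXT = 16


def shannon_entropy(s):
    """Bits per character; random base32/hex labels score well above dictionary words."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def registered_domain(name, suffix_labels=2):
    """Crude eTLD+1: the last two labels (assumption; use a public-suffix list in production)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-suffix_labels:])


def score_query(name, qtype, long_label=20, high_entropy=3.5):
    """Return (score, reasons); one point per indicator from the cheatsheet that fires."""
    labels = name.rstrip(".").lower().split(".")
    sub = labels[:-2]  # labels left of the (crudely) registered domain
    reasons = []
    if any(len(label) >= long_label for label in sub):
        reasons.append("long-label")
    if any(len(label) >= 8 and shannon_entropy(label) >= high_entropy for label in sub):
        reasons.append("high-entropy")
    if len(labels) >= 4:
        reasons.append("deep-subdomain")
    if qtype == TXT:
        reasons.append("txt-query")
    return len(reasons), reasons


def triage(tsv, min_score=2):
    """Aggregate per (client, registered domain): query count, distinct names, best score, reasons.
    Many distinct names under one domain is the 'high volume' signal for tunneling."""
    agg = defaultdict(lambda: {"queries": 0, "names": set(), "max_score": 0, "reasons": set()})
    for line in tsv.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not all(parts):
            continue
        src, qtype, name = parts[0], int(parts[1]), parts[2]
        score, why = score_query(name, qtype)
        entry = agg[(src, registered_domain(name))]
        entry["queries"] += 1
        entry["names"].add(name.lower())
        entry["max_score"] = max(entry["max_score"], score)
        entry["reasons"].update(why)
    return {key: {"queries": v["queries"], "unique_names": len(v["names"]),
                  "max_score": v["max_score"], "reasons": sorted(v["reasons"])}
            for key, v in agg.items() if v["max_score"] >= min_score}


if __name__ == "__main__":
    for key, v in triage(SAMPLE_TSV).items():
        print(f"{key[0]} -> {key[1]}: {v}")
```

CDN and anti-virus reputation lookups also use long, high-entropy labels, so whitelist those domains before treating a hit as tunneling, and pair the result with the response-size filters from the C2 section.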
Quick Reference: Commonly Abused Ports (a port alone is not an indicator; pair it with the filters above)
| Port | Protocol | Known Abuse |
|---|---|---|
| 4444 | TCP | Metasploit Meterpreter default |
| 1337 | TCP | Various backdoors |
| 31337 | TCP | Back Orifice |
| 8080 | TCP | C2 over HTTP-alt |
| 8443 | TCP | C2 over HTTPS-alt |
| 443 | TCP | HTTPS C2 (legitimate cover) |
| 53 | UDP/TCP | DNS tunneling |
| 3389 | TCP | RDP brute force |
| 5985/5986 | TCP | WinRM remote execution |
| 135/139/445 | TCP | RPC/SMB lateral movement |
| 50050 | TCP | Cobalt Strike team server (operator connections, not beacons) |
| 2222 | TCP | SSH on a non-standard port |
| 6667 | TCP | IRC-based botnet C2 |
Wireshark version: 4.x | TShark included | Last reviewed: 2025