wireshark filters
DNS Zone Transfer request
(tcp.dstport == 53) && (dns.flags.response == 0) && (dns.qry.type == 0x00fc)
DNS Zone Transfer response
(tcp.srcport == 53) && (dns.flags.response == 1) && (dns.qry.type == 0x00fc)
DNS pointer (PTR) query/response
dns.qry.type == 12
udp.port == 53
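The DNS filters above test the QR bit (dns.flags.response) and the first question's type (dns.qry.type). As an added illustration that is not part of this gist, the following Python builds a few constructed DNS messages and applies the same three conditions to them; it also shows what a dissector has to guard against when reading the question name (compression-pointer loops in hostile input). The transport and port are passed in as plain parameters because this snippet only parses the DNS payload.

```python
import struct

# Constants matching the page's filters
QTYPE_PTR = 12          # dns.qry.type == 12
QTYPE_AXFR = 0xFC       # dns.qry.type == 0x00fc (252)
MAX_POINTER_HOPS = 16   # guard against compression-pointer loops in hostile input


def read_name(msg, off):
    """Decode a DNS name starting at `off`; returns (name, offset after the name).
    Follows RFC 1035 compression pointers but refuses to loop forever on them."""
    labels, hops, end, jumped = [], 0, off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # two-byte compression pointer
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2                # the name ends after the first pointer
            jumped = True
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:                      # root label terminates the name
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_dns(msg):
    """Extract the header flag and first-question fields that the filters test."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    if qdcount == 0:
        raise ValueError("no question section")
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    return {"id": txid,
            "response": bool(flags & 0x8000),   # dns.flags.response (QR bit)
            "qname": qname, "qtype": qtype, "qclass": qclass}


def safe_parse(msg):
    """parse_dns that returns None instead of raising on malformed input."""
    try:
        return parse_dns(msg)
    except (ValueError, IndexError):
        return None


def build_query(qname, qtype, txid=0x1234, response=False):
    """Build a minimal one-question DNS message (constructed test input, not a capture)."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def is_zone_transfer_request(msg, transport, dst_port):
    """Same test as: (tcp.dstport == 53) && (dns.flags.response == 0) && (dns.qry.type == 0x00fc)"""
    d = parse_dns(msg)
    return transport == "tcp" and dst_port == 53 and not d["response"] and d["qtype"] == QTYPE_AXFR


def is_ptr_query(msg):
    """Same test as: dns.qry.type == 12"""
    return parse_dns(msg)["qtype"] == QTYPE_PTR


if __name__ == "__main__":
    axfr = build_query("example.com", QTYPE_AXFR)
    print("AXFR over TCP/53:", is_zone_transfer_request(axfr, "tcp", 53))   # True
    print("AXFR over UDP/53:", is_zone_transfer_request(axfr, "udp", 53))   # False
    print(parse_dns(build_query("1.0.0.127.in-addr.arpa", QTYPE_PTR)))
```

A zone transfer request carried over UDP does not match the page's filter because of the tcp.dstport clause; the example keeps that behaviour deliberately, since AXFR is TCP-only in practice and a UDP AXFR query is itself worth a second look.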
Ping sweep
icmp.type == 8 || icmp.type == 0
ICMP Type 8 = ECHO Request
ICMP Type 0 = ECHO Reply
icmp || icmpv6
Wireshark Filter Destination Port
tcp.dstport == 25
tcp.port in {443 4430..4434}
Connection refusal / ACK scan (RST/ACK segments)
tcp.flags.reset == 1 && tcp.flags.ack == 1 && tcp.seq == 1 && tcp.ack == 1
(tcp.seq == 1 and tcp.ack == 1 rely on Wireshark's relative sequence numbers, which are enabled by default)
Wireshark Filter HTTP request method (GET shown; use "POST" for POST requests)
http.request.method == "GET"
Wireshark Filter by IP
ip.addr == 10.43.54.65
Wireshark Filter by Destination IP
ip.dst == 10.43.54.65
Wireshark Filter by Source IP
ip.src == 10.43.54.65
Wireshark Filter IP Range
ip.addr >= 10.80.211.140 and ip.addr <= 10.80.211.142
Wireshark Filter SYN
tcp.flags.syn == 1
tcp.flags.syn == 1 && tcp.flags.ack == 0
SYN/ACK packets (bitwise filter)
tcp.flags & 0x12
(note: "&" on its own matches whenever the result is non-zero, so this also hits SYN-only and ACK-only segments; to require both bits use tcp.flags.syn == 1 && tcp.flags.ack == 1)
Initial SYN only (no ACK flag, acknowledgment number 0)
tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.ack == 0
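To make the flag filters concrete, here is an added Python example (not part of this gist) that parses constructed IPv4/TCP headers and applies the same tests the filters express: a pure SYN, an exact SYN/ACK, and an RST/ACK. It also shows why a bare bitwise AND against 0x12 is a weaker test than checking both flag bits. The addresses and ports are constructed sample values, and the packets carry zero checksums because they are test input only.

```python
import socket
import struct

# Flag bits as they sit in the low bits of tcp.flags
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SYN_ACK_MASK = SYN | ACK   # 0x12, the mask used in the bitwise filter


def parse_ipv4_tcp(pkt):
    """Return the IPv4/TCP header fields that the filters on this page reference."""
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", pkt, ihl)
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack,
            "flags": off_flags & 0x0FFF}   # strip the 4-bit data offset, keep the flag bits


def any_bits_set(flags, mask):
    """What `tcp.flags & 0x12` alone tests: the AND result is non-zero (one bit is enough)."""
    return (flags & mask) != 0


def is_syn(flags):        # tcp.flags.syn == 1 && tcp.flags.ack == 0
    return flags & SYN_ACK_MASK == SYN


def is_syn_ack(flags):    # tcp.flags.syn == 1 && tcp.flags.ack == 1
    return flags & SYN_ACK_MASK == SYN_ACK_MASK


def is_rst_ack(flags):    # tcp.flags.reset == 1 && tcp.flags.ack == 1
    return flags & (RST | ACK) == (RST | ACK)


def classify(pkt):
    """Label a packet the way the SYN / SYN-ACK / RST-ACK filters would."""
    f = parse_ipv4_tcp(pkt)["flags"]
    if is_syn(f):
        return "SYN"
    if is_syn_ack(f):
        return "SYN/ACK"
    if is_rst_ack(f):
        return "RST/ACK"
    return "other"


def build_packet(src, dst, sport, dport, flags, seq=0, ack=0):
    """Constructed minimal IPv4 + TCP header (20 + 20 bytes); checksums left zero, test input only."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags,    # data offset 5 words, then the flag bits
                      65535, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    probe = build_packet("10.43.54.65", "10.43.54.1", 40000, 25, SYN)
    reply = build_packet("10.43.54.1", "10.43.54.65", 25, 40000, SYN | ACK, ack=1)
    data = build_packet("10.43.54.65", "10.43.54.1", 40000, 25, ACK, seq=1, ack=1)
    for p in (probe, reply, data):
        f = parse_ipv4_tcp(p)["flags"]
        print(classify(p), "matched by tcp.flags & 0x12:", any_bits_set(f, SYN_ACK_MASK))
```

Running it prints that all three packets, including the plain ACK data segment, are matched by the bare `& 0x12` test, while only the second one is an exact SYN/ACK.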
TLS handshake
tls.record.content_type == 22
only TLS traffic
tls
Client Hello
tls.handshake.type == 1
Server Hello
tls.handshake.type == 2
TLS alert records (content type 21; the close_notify sent on connection close is one of these)
tls.record.content_type == 21
SNI (server name) in the Client Hello contains a string
tls.handshake.extensions_server_name contains "badsite"
frames containing the literal bytes "tls" anywhere (a raw byte-string match on the frame, not a protocol filter)
frame contains "tls"