Wireshark is a very well-known packet capturing and analysing tool. It decodes captured packets into a human-readable form that is easy to understand. It also offers a large number of display filters that make capturing and analysing traffic much simpler.
Some of the most common ones are the following:
ip.addr
The ip.addr filter matches traffic by IP address, regardless of whether the address is the source or the destination. If we write ip.addr == 192.168.25.101, Wireshark shows only the traffic that is either sent or received by this IP address.
ip.src
ip.src is used to only get the traffic which has some particular IP-address as a source. So, if we type ip.src == 192.168.25.101 then it will show us only the traffic which has 192.168.25.101 as source IP-address.
ip.dst
ip.dst is used to only get the traffic which has some particular IP-address as a destination. So, if we type ip.dst == 192.168.25.101 then it will show us only the traffic which has 192.168.25.101 as a destination IP-address.
tcp
The tcp filter displays all the TCP traffic captured from the network.
icmp
The icmp filter displays ICMP traffic, such as the echo requests and replies used to check the reachability of a host or router in a network.
frame contains traffic
This filter will display all packets that contain the word “traffic.” It is useful when looking for some specific words.
http.request
This filter will find and display all HTTP GET requests.
arp
The arp filter displays ARP traffic. ARP is a link-layer protocol that is generally used to find the MAC address belonging to an IP address.
dns
The dns filter is used to show DNS packets. Every device connected to the internet has a unique IP address. DNS is a system that stores information about domains, such as their IP addresses, mail servers and other records. It solves the major problem of humans having to memorize different IP addresses.
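To make the semantics of the filters listed above concrete, here is an added example (not part of the original post, and not Wireshark's own code): a small Python evaluator for a subset of the Wireshark display-filter syntax, run over a handful of constructed packet records. The Packet class, the packet list and the field names it understands are assumptions made for this illustration; it supports bare protocol names (tcp, icmp, arp, dns, http.request), `field == value` for ip.addr, ip.src, ip.dst and http.request.method, `frame contains "text"`, and the operators !, &&, || with parentheses. Two points worth noticing in the output: ip.addr == X matches a packet when either its source or its destination is X (the field occurs twice per packet), and http.request matches every HTTP request method, so the POST in frame 7 shows up alongside the GET; restricting to GET needs http.request.method == "GET".

```python
"""Tiny evaluator for a subset of Wireshark display-filter syntax (illustrative
example, not Wireshark's implementation), run over constructed packet records."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """Hypothetical decoded packet: frame number, protocol stack, IP addresses,
    raw payload bytes and the HTTP request method (empty if not a request)."""
    no: int
    protocols: set
    src: str = ""
    dst: str = ""
    payload: bytes = b""
    http_method: str = ""


# Constructed sample capture (addresses and payloads are made up for the example).
CAPTURE = [
    Packet(1, {"eth", "arp"}),
    Packet(2, {"eth", "ip", "icmp"}, "192.168.25.101", "192.168.25.1"),
    Packet(3, {"eth", "ip", "udp", "dns"}, "192.168.25.101", "192.168.25.1", b"example.test"),
    Packet(4, {"eth", "ip", "tcp", "http"}, "192.168.25.101", "203.0.113.10", b"GET /traffic HTTP/1.1", "GET"),
    Packet(5, {"eth", "ip", "tcp", "http"}, "203.0.113.10", "192.168.25.101", b"HTTP/1.1 200 OK"),
    Packet(6, {"eth", "ip", "tcp"}, "10.0.0.5", "10.0.0.9"),
    Packet(7, {"eth", "ip", "tcp", "http"}, "192.168.25.101", "203.0.113.10", b"POST /login HTTP/1.1", "POST"),
]


def field_values(pkt, name):
    """Every value a filter field takes in this packet. Wireshark fields can occur
    more than once per packet; ip.addr expands to both source and destination."""
    has_ip = "ip" in pkt.protocols
    if name == "ip.addr":
        return [pkt.src, pkt.dst] if has_ip else []
    if name == "ip.src":
        return [pkt.src] if has_ip else []
    if name == "ip.dst":
        return [pkt.dst] if has_ip else []
    if name == "frame":
        return [pkt.payload]
    if name == "http.request":
        return [True] if pkt.http_method else []
    if name == "http.request.method":
        return [pkt.http_method] if pkt.http_method else []
    return [True] if name in pkt.protocols else []   # bare protocol name


TOKEN_RE = re.compile(r'\s*(\(|\)|!|&&|\|\||==|"[^"]*"|[A-Za-z0-9_.]+)')


def tokenize(text):
    tokens, pos = [], 0
    text = text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad filter near: {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser producing a predicate packet -> bool.
    Precedence (lowest to highest): ||, &&, !, then a field test."""

    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def or_expr(self):
        left = self.and_expr()
        while self.peek() in ("||", "or"):
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.and_expr())
        return left

    def and_expr(self):
        left = self.unary()
        while self.peek() in ("&&", "and"):
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.unary())
        return left

    def unary(self):
        if self.peek() in ("!", "not"):
            self.take()
            inner = self.unary()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return self.test()

    def test(self):
        name = self.take()
        if name is None or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_.]*", name):
            raise ValueError(f"expected field name, got {name!r}")
        if self.peek() == "==":          # true if ANY occurrence of the field equals value
            self.take()
            value = self.take().strip('"')
            return lambda p: any(str(v) == value for v in field_values(p, name))
        if self.peek() == "contains":    # substring search over the raw bytes
            self.take()
            needle = self.take().strip('"').encode()
            return lambda p: any(needle in v for v in field_values(p, name) if isinstance(v, bytes))
        return lambda p: bool(field_values(p, name))   # bare field: present at all?


def apply_filter(filter_text, packets):
    """Return the frame numbers that the display filter matches."""
    match = Parser(filter_text).parse()
    return [pkt.no for pkt in packets if match(pkt)]


if __name__ == "__main__":
    for f in ["ip.addr == 192.168.25.101", "ip.src == 192.168.25.101", "ip.dst == 192.168.25.101",
              "tcp", "icmp", 'frame contains "traffic"', "http.request",
              'http.request.method == "GET"', "arp", "dns", "tcp && !(ip.addr == 192.168.25.101)"]:
        print(f"{f:45} -> frames {apply_filter(f, CAPTURE)}")
```

Running the script prints which constructed frames each filter selects. Negation is written as `!(ip.addr == X)` on purpose: because ip.addr yields two values per packet, "not equal to X" must be applied to the whole comparison rather than to each value, which is the usual pitfall with multi-valued fields.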