Palo Alto Networks Knowledgebase: Helpful wireshark filters for large packet captures

Helpful wireshark filters for large packet captures

Created On 02/07/19 23:47 PM - Last Updated 02/07/19 23:47 PM
Resolution

These wireshark filters can help you with large packet captures.

 

TCP filters

tcp.flags.syn == 1                              >>> packets with the SYN flag set
tcp.flags.ack == 1                              >>> packets with the ACK flag set
(tcp.flags.syn == 1) && (tcp.flags.ack == 1)    >>> packets with both the SYN and ACK flags set
tcp.flags.fin == 1                              >>> packets with the FIN flag set

SSL/TLS handshake filters

ssl.handshake.type == 1                         >>> Client Hello
ssl.handshake.type == 2                         >>> Server Hello
ssl.handshake.type == 11                        >>> Certificate

Filters based on IP addresses

ip.addr == x.x.x.x                              >>> packets with address x.x.x.x as either source or destination
(ip.src == x.x.x.x) && (ip.dst == y.y.y.y)      >>> packets with source address x.x.x.x and destination address y.y.y.y

Other filters:

icmp
ssl
tcp
udp
ssl.handshake
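The following is an added example, not part of the Palo Alto Networks article: a small Ethernet/IPv4/TCP/TLS parser that evaluates the same conditions the display filters above express (TCP flag bits, the TLS handshake type byte, and source/destination addresses) over a constructed seven-frame capture. It shows exactly which bytes each filter inspects, which helps when a filter unexpectedly matches nothing. The addresses 10.0.0.5 and 203.0.113.10, the ports, and the frames themselves are constructed for the example. Note that Wireshark 3.0 and later renamed the dissector, so the current field names are tls.handshake.type, tls.handshake and tls; the ssl.* names are kept as legacy aliases.

```python
# Added example (not from the Palo Alto Networks article): a minimal
# Ethernet/IPv4/TCP/TLS parser that evaluates the same conditions the
# Wireshark display filters above express, over a constructed capture.
import struct
import ipaddress

SYN, ACK, FIN = 0x02, 0x10, 0x01                     # TCP flag bits (RFC 793)
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 1, 2, 11  # TLS handshake message types


def tls_handshake(hs_type):
    """Constructed TLS record (content type 22) carrying one handshake message."""
    body = b"\x03\x03" + b"\x00" * 4          # placeholder handshake body
    msg = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(msg)) + msg


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet + IPv4 + TCP frame; checksums are left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"          # dummy MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp


def parse(frame):
    """Return the Wireshark-style fields that the filters above refer to."""
    ihl = (frame[14] & 0x0F) * 4              # IPv4 header length
    pkt = {"ip.src": str(ipaddress.IPv4Address(frame[26:30])),
           "ip.dst": str(ipaddress.IPv4Address(frame[30:34])),
           "ip.proto": frame[23]}
    if pkt["ip.proto"] != 6:                  # not TCP: no tcp.* or ssl.* fields
        return pkt
    tcp = 14 + ihl
    flags = frame[tcp + 13]                   # TCP flags byte
    pkt["tcp.flags.syn"] = bool(flags & SYN)
    pkt["tcp.flags.ack"] = bool(flags & ACK)
    pkt["tcp.flags.fin"] = bool(flags & FIN)
    payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]
    # TLS handshake record: content type 22, handshake type is byte 5
    if len(payload) >= 6 and payload[0] == 0x16:
        pkt["ssl.handshake.type"] = payload[5]
    return pkt


# Predicates mirroring the display filters listed in the article
FILTERS = {
    "tcp.flags.syn == 1": lambda p: p.get("tcp.flags.syn", False),
    "tcp.flags.ack == 1": lambda p: p.get("tcp.flags.ack", False),
    "(tcp.flags.syn == 1) && (tcp.flags.ack == 1)":
        lambda p: p.get("tcp.flags.syn", False) and p.get("tcp.flags.ack", False),
    "tcp.flags.fin == 1": lambda p: p.get("tcp.flags.fin", False),
    "ssl.handshake.type == 1": lambda p: p.get("ssl.handshake.type") == CLIENT_HELLO,
    "ssl.handshake.type == 2": lambda p: p.get("ssl.handshake.type") == SERVER_HELLO,
    "ssl.handshake.type == 11": lambda p: p.get("ssl.handshake.type") == CERTIFICATE,
    "ip.addr == 10.0.0.5": lambda p: "10.0.0.5" in (p["ip.src"], p["ip.dst"]),
    "(ip.src == 10.0.0.5) && (ip.dst == 203.0.113.10)":
        lambda p: p["ip.src"] == "10.0.0.5" and p["ip.dst"] == "203.0.113.10",
}


def apply_filter(frames, expr):
    """Indices of the frames matching a filter expression from FILTERS."""
    pred = FILTERS[expr]
    return [i for i, f in enumerate(frames) if pred(parse(f))]


# Constructed capture: TCP handshake, start of a TLS handshake, then FIN
C, S = "10.0.0.5", "203.0.113.10"             # constructed client / server addresses
CAPTURE = [
    build_frame(C, S, 51000, 443, SYN),                                 # 0
    build_frame(S, C, 443, 51000, SYN | ACK),                           # 1
    build_frame(C, S, 51000, 443, ACK),                                 # 2
    build_frame(C, S, 51000, 443, ACK, tls_handshake(CLIENT_HELLO)),    # 3
    build_frame(S, C, 443, 51000, ACK, tls_handshake(SERVER_HELLO)),    # 4
    build_frame(S, C, 443, 51000, ACK, tls_handshake(CERTIFICATE)),     # 5
    build_frame(C, S, 51000, 443, FIN | ACK),                           # 6
]

if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:50} -> frames {apply_filter(CAPTURE, expr)}")
```

Running the block prints, for each filter, the frame indices it selects; for instance the SYN filter selects frames 0 and 1 (the SYN and the SYN/ACK) while the combined SYN-and-ACK filter selects only frame 1, and the Client Hello filter selects only frame 3. The same predicates can be pointed at frames read from a real capture with a pcap reader, since parse() only needs the raw Ethernet frame bytes.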


