Wireshark & PCAP Analysis Cheat Sheet

Capture-time BPF filters vs post-capture display filters, essential filters for HTTP/DNS/TLS/TCP, credential and file extraction, and headless tshark/tcpdump/ngrep one-liners for authorized packet analysis. (32 payloads)

Try it interactively with the What Is This?

Capture vs Display Filters (BPF)

(5)

host 10.0.0.5

Capture filter (BPF syntax): record only traffic to/from a host. Capture filters use libpcap/BPF and run at capture time — packets not matching are dropped and never saved.Wireshark “Capture > Options > Capture filter” or tcpdump expression

port 80 or port 443

Capture filter: keep only HTTP/HTTPS traffic. Capture filters cut PCAP size on busy links but you cannot recover dropped packets later — capture broadly when scope allows.BPF; combine with and/or/not

net 192.168.1.0/24 and not arp

Capture filter: a subnet's traffic excluding ARP noise. Useful for reducing a long unattended capture to a target scope.BPF

http.request and ip.addr == 192.168.1.10

Display filter: shown AFTER capture, applied to the saved PCAP without discarding data. Display-filter syntax (field == value) differs entirely from BPF capture syntax.Wireshark display-filter bar (green = valid)

tcp.flags.syn == 1 and tcp.flags.ack == 0

Display filter: isolate connection-initiating SYN packets (spot port scans / new sessions). Bitfield comparisons are display-only.Wireshark display bar

Essential Display Filters

(6)

ip.addr == 10.0.0.5 && tcp.port == 443

Filter by host and port together. ip.addr matches src OR dst; use ip.src / ip.dst to pin direction.&& / and are interchangeable

http.request.method == "POST"

Show only HTTP POST requests — fast path to login forms and submitted data.also http.response.code == 500 for errors

dns.qry.name contains "example.com"

Find DNS queries for a domain; great for spotting C2 / exfil / DNS tunneling lookups.dns.flags.response == 0 for queries only

tls.handshake.type == 1

Show TLS ClientHello packets to enumerate server names via SNI and offered cipher suites.tls.handshake.extensions_server_name for the SNI value

tcp.stream eq 3

Display every packet in TCP stream #3. Right-click a packet > Follow > TCP Stream to set this automatically and read the reassembled conversation.Follow stream reconstructs both directions

tcp.analysis.retransmission || tcp.analysis.zero_window

Surface TCP retransmissions and zero-window events — quick triage for packet loss and stalled transfers.Wireshark expert analysis fields

Credential & Data Extraction

(6)

http.authorization

Show requests carrying an Authorization header. Decode Basic creds: the value after “Basic ” is base64(user:pass).echo dXNlcjpwYXNz | base64 -d

ftp.request.command == "USER" || ftp.request.command == "PASS"

Extract cleartext FTP usernames and passwords — the control channel (port 21) is unencrypted.ftp-data carries transferred files

telnet

Telnet is fully cleartext; Follow TCP Stream reveals the login prompt, typed credentials, and the full session.port 23

http.request and (http.request.uri contains "login" or http.request.uri contains "pass")

Locate authentication endpoints; combine with POST filter to read submitted form fields in the body.plaintext HTTP only

frame contains "password"

Raw byte-string search across all packets for a keyword — catches creds in any unencrypted protocol Wireshark didn't dissect.case-sensitive; use matches for regex

http.request.method == "POST" and http.content_type contains "urlencoded"

Filter form POSTs so the request body (username=...&password=...) is visible in the bottom pane / Follow HTTP Stream.plaintext HTTP

File & Object Extraction

(5)

File > Export Objects > HTTP

GUI extractor: lists every file reassembled from HTTP and saves them to disk (images, JS, downloaded binaries, exfil).also available for SMB, FTP-DATA, TFTP, IMF, DICOM

http.response and http.content_type contains "application/octet-stream"

Hunt downloaded binaries / executables in HTTP responses before extracting them as objects.pair with Export Objects

tshark -r capture.pcap --export-objects http,./out/

CLI equivalent of Export Objects: dump all HTTP-transferred files into ./out/ non-interactively.smb / tftp / imf also supported

foremost -i capture.pcap -o carved/

Carve files from a PCAP by header/footer signatures when protocol reassembly fails or data is fragmented.binwalk -e also works for embedded files

tshark -r capture.pcap -Y "data-text-lines" -T fields -e data.text

Pull reassembled text-line payloads (e.g., for scraping cleartext content) straight to stdout.adjust field to the dissected layer

tshark CLI One-Liners

(5)

tshark -r capture.pcap -Y "http.request" -T fields -e ip.src -e http.host -e http.request.uri

Print source IP, host, and URI for every HTTP request — a compact request log from a PCAP.-Y = display filter, -T fields -e = columns

tshark -r capture.pcap -q -z conv,tcp

Conversation statistics: every TCP talker pair ranked by bytes/packets — fast way to find the heaviest or oddest flows.-z io,phs for a protocol hierarchy

tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | sort -u

Extract a unique list of all DNS names queried — quick domain/IOC inventory.pipe to grep for filtering

tshark -i en0 -f "tcp port 80" -Y "http.request" -T fields -e http.host

Live capture on an interface with a BPF capture filter (-f) plus a display filter (-Y) to stream hostnames in real time.-i for interface; needs capture privileges

tshark -r capture.pcap -z follow,tcp,ascii,5

Dump the ASCII follow-stream of TCP stream index 5 to the terminal (read sessions without the GUI).use ,raw, for hex/binary

tcpdump & ngrep

(5)

tcpdump -i eth0 -w capture.pcap -s 0 'tcp port 80'

Capture full packets (-s 0) to a PCAP file with a BPF filter — the standard headless capture for later Wireshark analysis.-s 0 = no snaplen truncation

tcpdump -nn -r capture.pcap -A 'tcp port 80'

Read a PCAP and print payloads as ASCII (-A) with numeric addresses/ports (-nn) — quick cleartext HTTP inspection without a GUI.-X for hex+ASCII

tcpdump -i eth0 -G 3600 -w 'cap-%Y%m%d-%H%M%S.pcap'

Ring/rotate captures every 3600s into timestamped files for long unattended engagements without one giant file.-C rotates by size in MB

ngrep -q -W byline -d eth0 'POST|pass' 'tcp port 80'

grep packet payloads live: match POSTs or 'pass' on HTTP, printed line-by-line — fast cleartext credential hunting.-I reads / -O writes a pcap

ngrep -q -I capture.pcap 'USER|PASS' 'tcp port 21'

Run a regex over a saved PCAP (-I) to pull FTP USER/PASS lines without opening Wireshark.works on any saved pcap

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Tools

What Is This?

Related Cheat Sheets

Post-Exploitation Cheat Sheet Nmap Scanning Cheatsheet

Frequently asked questions

What is the Wireshark & PCAP Analysis Cheat Sheet?+

It's a quick-reference collection of 32 Wireshark payloads for testing Wireshark & PCAP Analysis vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Wireshark payloads?+

Copy any payload straight into your authorized test, or use the What Is This? to apply them interactively. Only test systems you have explicit permission to assess.

Are these Wireshark payloads free to use?+

Yes — this cheat sheet and all Wireshark payloads are completely free, with no account required. Everything runs in your browser.

$loading...