Notes, Tips & Tricks: WireShark

This is a notes page, extended with tips & tricks. This page is not really documentation, just stuff for me to remember. Sometimes things will get removed from these pages and turned into real documentation, sometimes not. You might find these notes to come in handy, maybe not. For me, it's just things I don't want to forget.

Trace in Linux

tcpdump -w /tmp/tracefile

You can end the trace using Ctrl+C, after which you can open the file using Wireshark. Capturing normally requires root (or the CAP_NET_RAW capability), and -w writes a binary pcap file rather than text, which is exactly what Wireshark expects.

Display Filters

  • Only IP-address (matches the address as either source or destination)
    • ip.addr == <address>
  • Everything except IP-address
    • !(ip.addr == <address>)
  • Everything except DNS and NTP
    • !(udp.port == 53) and !(udp.port == 123)
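
The filters above are easy to get subtly wrong, so here is an added example (my own, not from the original notes or from Wireshark) that applies the same three filters to a handful of constructed packet summaries. It also shows the classic pitfall: `ip.addr` matches either endpoint, so `!(ip.addr == X)` drops every packet involving X, whereas `ip.addr != X` only requires that at least one endpoint differ, which keeps almost everything. The packet records, addresses and ports are all made up; the evaluator is a deliberately small model of the display-filter semantics, not Wireshark's engine.

```python
"""Model of three Wireshark display filters over constructed packets.

Added example, not part of the original notes page. Addresses, ports and
the Packet record are constructed here; the functions model the filter
semantics, they do not call Wireshark.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "udp", "tcp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


# Constructed sample capture: a client 10.0.0.5 doing DNS, NTP and HTTPS,
# plus one ICMP packet between two other hosts.
SAMPLE: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.53", "udp", 51000, 53),    # DNS query
    Packet("10.0.0.53", "10.0.0.5", "udp", 53, 51000),    # DNS reply
    Packet("10.0.0.5", "10.0.0.123", "udp", 123, 123),    # NTP
    Packet("10.0.0.5", "192.0.2.10", "tcp", 44000, 443),  # HTTPS
    Packet("192.0.2.10", "10.0.0.5", "tcp", 443, 44000),  # HTTPS reply
    Packet("10.0.0.7", "10.0.0.9", "icmp"),               # ping, no ports
]


def ip_addr_eq(p: Packet, addr: str) -> bool:
    """ip.addr == addr: true when addr is the source OR the destination."""
    return p.src == addr or p.dst == addr


def ip_addr_ne(p: Packet, addr: str) -> bool:
    """ip.addr != addr in the classic 'any occurrence' reading: true when
    at least one of the two addresses differs from addr."""
    return p.src != addr or p.dst != addr


def udp_port_eq(p: Packet, port: int) -> bool:
    """udp.port == port: UDP packet with port as source OR destination."""
    return p.proto == "udp" and (p.sport == port or p.dport == port)


def only_address(packets: List[Packet], addr: str) -> List[Packet]:
    """Filter 'ip.addr == <address>'."""
    return [p for p in packets if ip_addr_eq(p, addr)]


def except_address(packets: List[Packet], addr: str) -> List[Packet]:
    """Filter '!(ip.addr == <address>)': every packet involving addr is gone."""
    return [p for p in packets if not ip_addr_eq(p, addr)]


def except_dns_ntp(packets: List[Packet]) -> List[Packet]:
    """Filter '!(udp.port == 53) and !(udp.port == 123)'."""
    return [p for p in packets
            if not udp_port_eq(p, 53) and not udp_port_eq(p, 123)]


def not_equal_pitfall(packets: List[Packet], addr: str) -> List[Packet]:
    """Filter 'ip.addr != <address>', which is NOT the same as except_address."""
    return [p for p in packets if ip_addr_ne(p, addr)]


if __name__ == "__main__":
    host = "10.0.0.5"
    print("ip.addr == host       :", len(only_address(SAMPLE, host)))      # 5
    print("!(ip.addr == host)    :", len(except_address(SAMPLE, host)))    # 1
    print("ip.addr != host       :", len(not_equal_pitfall(SAMPLE, host))) # 6
    print("no DNS / NTP          :", len(except_dns_ntp(SAMPLE)))          # 3
```

Running it shows that `!(ip.addr == 10.0.0.5)` leaves only the ICMP packet, while `ip.addr != 10.0.0.5` keeps all six, because every packet has some endpoint other than 10.0.0.5. When you want to exclude a host, write the negated equality from the list above; newer Wireshark releases also warn about the `!=` form and offer an "all not equal" operator for this case.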
