Wireshark cheat sheet

30 April 2023 3 minutes Author: Cyber Witcher

Commands, captures, filters and shortcuts

Wireshark is a free source program for analyzing network packets of Ethernet and other networks. Wireshark is an essential tool for network administrators to troubleshoot network problems, but few can unlock its full potential. Having all the commands and useful functions in one place will definitely increase your work productivity. Developers find it convenient to use to debug protocol implementations, and network security engineers use it to test for security issues. QA engineers use it to test network applications. In general, the tool can be very useful in many other cases. The fact is that Wireshark gets access to a separate program for collecting packets from the network through the network card of the computer on which it is located. This program is based on the pcap protocol, which is implemented in libpcap for Unix, Linux, and macOS, as well as WinPCap for Windows. The installer for Wireshark will also install the necessary pcap program.

Wireshark filters reduce the number of packets you see in the Wireshark data viewer. This feature allows you to access packages that are relevant to your research. There are two types of filters: capture filters and display filters. Applying a filter to the packet capture process reduces the amount of traffic that Wireshark reads. However, to really appreciate its power, you have to start using it. So, in order to make this use easy, we have compiled a powerful Wireshark cheat sheet. All information is provided in this article in an accessible and understandable format that can be absorbed very quickly and easily.

The cheat sheet covers:

  • Types of filters

  • Various subjects

  • Hot keys

  • Logical operators

  • Protocols – meaning

  • General filtering commands

  • Wireshark capture modes

  • Capture filter syntax

  • Display filter syntax

  • The main elements of the toolbar

  • Packet filtering (display filters)

  • Default columns in packet capture output

Wireshark cheat sheet

Categories and items included in the cheat sheet

Wireshark capture modes

Messy mode:

Sets an interface to capture all packets on the network segment to which it is associated.

Monitor mode:

Configures the wireless interface to capture all the traffic it can receive (Unix/Linux only)

Types of filters

Capture filter:

Filters packets during capture.

Display filter:

Hides packages from the capture screen

Capture filter syntax

Display filter syntax

Various subjects

Protocols – meaning

ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp

Packet filtering (display filters)

Logical operators

Default columns in packet capture output

Hot keys

General filtering commands

The main elements of the toolbar


Use the same packet capture options as in the previous session.


Open the File Open dialog box to load the record for viewing.


Restart the active capture session.
It is very important.


Close the current capture file.


Stop the current active capture.

Save As

Save the current capture file.


Open the Capture Options dialog box.


Reload the current capture file.

Find Packet

Find a package by different criteria.

Go Back

Go back to package history.

Go Forward

Go forward in package history.

Go to Packet

Go to a specific package.

Go To First Packet

Go to the first package of the capture file.

Go To Last Packet

Go to the last batch of the capture file.

Auto Scroll in Live Capture

Automatic scrolling of the package list.

Normal Size

Return zoom level to 100%.

Zoom In

Increase increase the font size.

Zoom Out

Decrease decrease the font size.


Color the package list (or not.)

Resize Columns

Resize the columns so that the content fits the width.

Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.