HTDark | Underground Hacking Forum and Cybersecurity Community
  • Earn real money by being active: Hello Guest, earn real money by simply being active on the forum — post quality content, get reactions, and help the community. Once you reach the minimum credit amount, you’ll be able to withdraw your balance directly. Learn how it works.

Courses 🦈 Wireshark Filtering Pro Tips – Web, DNS & Email Traffic

dEEpEst

dEEpEst

☣☣ In The Depths ☣☣
Staff member
Administrator
Super Moderator
Hacker
Specter
Crawler
Shadow
Joined
Mar 29, 2018
Messages
13,861
Solutions
4
Reputation
27
Reaction score
45,549
Points
1,813
Credits
55,350
‎7 Years of Service‎
 
56%

🦈 Wireshark Filtering Pro Tips – Web, DNS & Email Traffic


🚀 Post Created for Hack Tools Dark Community


When analyzing traffic for web reconnaissance, malware analysis or intrusion investigation, knowing how to quickly isolate relevant traffic is critical. Below are smart, focused filters for common protocols, plus tips on combining them using Boolean logic — and how to actually apply them inside Wireshark.

1. How to Apply Filters in Wireshark

  1. Start capturing traffic from the desired interface (e.g., eth0, wlan0).
  2. Use the top Display Filter bar to paste any of the filters listed below.
  3. Press Enter to apply the filter.
  4. Use File > Export Specified Packets to save only filtered results as .pcap.

To reuse filters later, click on the small bookmark icon at the right of the filter bar to save your custom filters for quick access.

2. Web Traffic (HTTP & HTTPS)

  • HTTPS (Port 443): Focus on TLS handshakes to identify new secure sessions:
    Code: 
    tls.handshake.type == 1
  • HTTP (Port 80): Filter only HTTP requests:
    Code: 
    http.request
  • Combined Filter:
    Show both HTTP and HTTPS sessions:
    Code: 
    tls.handshake.type == 1 or http.request

3. DNS Lookups

  • Capture DNS queries (port 53):
    Code: 
    dns
  • Only A record requests:
    Code: 
    dns.qry.type == 1
  • Only DNS responses with IPs:
    Code: 
    dns.a
  • Combine DNS and HTTP(S):
    Code: 
    dns or tls.handshake.type == 1 or http.request

4. Email Traffic (SMTP requests)

  • Show SMTP commands sent by clients:
    Code: 
    smtp.req.command
  • Filter specific commands (e.g., EHLO, MAIL FROM):
    Code: 
    smtp.req.command == "MAIL"
  • Combine Email, Web and DNS:
    Code: 
    smtp.req.command or http.request or tls.handshake.type == 1 or dns

5. Bonus: Visualize the Attack Flow

  • Step 1 – Domain lookup:
    Code: 
    dns
  • Step 2 – Web connection (HTTP/S):
    Code: 
    http.request or tls.handshake.type == 1
  • Step 3 – Email delivery or phishing:
    Code: 
    smtp.req.command

Use “Follow TCP Stream” (right-click on a packet) to reconstruct conversations — this is extremely useful for analyzing full HTTP requests, SMTP payloads, or login attempts.

⚠️ Disclaimer
This content is for educational and authorized analysis only. Unauthorized use of packet capture tools can be illegal and unethical.

💬 Join the Discussion
Which filters do YOU use during recon or incident response? Share your custom filters and workflows with the Hack Tools Dark Community — let’s build the ultimate Wireshark cheat sheet together!
 
You must log in or register to reply here.
Back
Top