Wireshark is a popular network sniffing and analysis tool. It simply captures the network traffic for different protocols and provides it in a readable way to the user. As an advanced tool, it provides the ability to filter network traffic or packets according to the port or port number.
Popular TCP and UDP Port and Port Numbers
Port numbers are used by the TCP and UDP protocols. TCP and UDP are the most popular transport protocols, and most network-related applications such as websites, web applications, and services use them. Below we will list popular TCP and UDP protocols and their port numbers.
Filter Port From Filter Bar
The Wireshark GUI provides a filter bar for applying display filters. This bar filters the currently captured packets and network traffic according to the provided filter. The filter bar helps with IntelliSense-style completion by listing the available filters. The provided filter can be applied to the packet list with the arrow button on the left side of the filter bar like below.
tcp.port == 80

Filter According to TCP or UDP Port Number
The tcp.port == 80 filter matches port number 80. The == operator can be replaced with eq, which is the short form of "equal".
tcp.port eq 80
IANA assigns port numbers to different protocols: HTTP uses 80, HTTPS uses 443, etc. Wireshark also supports protocol names for specifying the port number where the protocol has a standardized port number.
tcp.port eq 80
As with TCP, UDP port numbers can be filtered with the following filter.
udp.port == 53

Filter Multiple Ports
Wireshark also supports multi-port filtering, where multiple ports can be specified to match with OR logic. The || operator joins multiple port filters, and packets are listed when any one of the port numbers matches. In the following example, we match both the HTTP and HTTPS ports, that is, ports 80 and 443.
tcp.port == 80 || tcp.port == 443
or another alternative for the same filter
tcp.port eq 80 || tcp.port eq 443
Filter According to The Source Port or Destination Port
A TCP or UDP packet contains the source port and destination port numbers. By default, the tcp.port and udp.port expressions match both the source port and the destination port, so the port filters explained previously apply to both. We can restrict the filter to the source or destination port explicitly by using srcport or dstport in place of the port term.
tcp.dstport == 80
tcp.srcport == 80
Filter According To IP Address
Another important filter option is filtering according to the IP address.
ip.addr == 192.168.1.10
The ip.src field can be used to filter according to the source IP address.
ip.src==192.168.1.10
The ip.dst field is used to filter according to the destination IP address.
ip.dst==192.168.1.10
Filter According To Protocol
Wireshark can parse and display packets of many different protocols, such as smb, http, https, dns, dhcp, etc. These protocol names can be used to filter traffic and show only the specified protocols. In the following example, we only display the DNS traffic.
dns
Sometimes multiple protocols may work together for an application. Wireshark can filter according to multiple protocol names by using the || operator.
dhcp || dns || http
Filter According To MAC (Ethernet) Address
Another important address used in a network is the MAC or Ethernet address. Wireshark can be used to filter according to the MAC (Ethernet) address.
eth.addr==00:06:5B:BB:CC:DD
Alternatively, we can filter on only part of the MAC address by providing an index range into the address. In the following example, we filter according to the first 6 characters of the MAC address.
eth.addr[0:3]==AA:06:5B
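The "either direction" behaviour of the port, IP and MAC filters above, modeled in Python as an added example (not part of the original article and not Wireshark's own code): it parses constructed Ethernet/IPv4 frames and evaluates each filter as the text describes it. The hosts 192.168.1.20 and 192.168.1.30, the full MAC addresses other than 00:06:5B:BB:CC:DD, and all function names are assumptions made for the illustration.

```python
import struct
from ipaddress import IPv4Address

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport):
    """Constructed sample: Ethernet II + IPv4 + port fields only (checksum left 0)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)

def parse(frame):
    """Extract the header fields that the display filters on this page test."""
    ip = frame[14:]                       # skip the 14-byte Ethernet II header
    ihl = (ip[0] & 0x0F) * 4              # IPv4 header length in bytes
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {"macs": (frame[6:12], frame[0:6]),             # (source, destination)
            "ips": (str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))),
            "l4": {6: "tcp", 17: "udp"}.get(ip[9]),        # IP protocol number
            "sport": sport, "dport": dport}

def port(p, l4, n):       # tcp.port == n / udp.port == n: source OR destination
    return p["l4"] == l4 and n in (p["sport"], p["dport"])

def srcport(p, l4, n):    # tcp.srcport == n
    return p["l4"] == l4 and p["sport"] == n

def dstport(p, l4, n):    # tcp.dstport == n
    return p["l4"] == l4 and p["dport"] == n

def ip_addr(p, addr):     # ip.addr == addr: source OR destination address
    return addr in p["ips"]

def eth_prefix(p, oui):   # eth.addr[0:3] == oui: first 3 bytes of either MAC
    return any(m[:3] == bytes.fromhex(oui.replace(":", "")) for m in p["macs"])

A, B = "00:06:5B:BB:CC:DD", "AA:06:5B:00:00:01"   # MAC prefixes taken from the page
FRAMES = [  # constructed traffic; 192.168.1.20 and .30 are made-up hosts
    build_frame(A, B, "192.168.1.10", "192.168.1.20", 6, 51000, 80),    # 0 HTTP request
    build_frame(B, A, "192.168.1.20", "192.168.1.10", 6, 80, 51000),    # 1 HTTP response
    build_frame(A, B, "192.168.1.10", "192.168.1.20", 17, 51001, 53),   # 2 DNS query
    build_frame("00:11:22:33:44:55", B, "192.168.1.30", "192.168.1.20", 6, 51002, 443),  # 3
]

def select(pred):         # indexes of FRAMES matched by pred, like the packet list
    return [i for i, f in enumerate(FRAMES) if pred(parse(f))]

if __name__ == "__main__":
    print("tcp.port == 80    ", select(lambda p: port(p, "tcp", 80)))
    print("tcp.dstport == 80 ", select(lambda p: dstport(p, "tcp", 80)))
```

When isolating one side of a conversation, such as only the requests sent to a server, the dstport form is the one to use, since the plain port form also returns the replies.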
Filter According To URL or URI For HTTP/HTTPS Protocol
Another useful Wireshark filter is the ability to filter HTTP or HTTPS traffic according to its URL or URI. The matches statement is used to match the given term.
http.request.uri matches "wisetut"