zaro

How do I show only TCP data in Wireshark?

Published in Wireshark Filters 2 mins read

To display only TCP data in Wireshark, type tcp into Wireshark's display filter toolbar. This will filter the displayed packets to show only those using the TCP protocol.

Using Display Filters in Wireshark

Wireshark's display filters are a powerful way to narrow down the packets shown in the main window. They allow you to focus on specific types of traffic or traffic matching particular criteria.

Here's a breakdown of how to use them:

  • Entering the Filter: The display filter toolbar is located near the top of the Wireshark window. Simply click in the toolbar and type your filter expression.
  • Applying the Filter: After typing your filter, press Enter or click the Apply button to activate it. Wireshark will then only show the packets that match your filter.

Examples of TCP Filtering

Here are some examples of how you can use display filters related to TCP:

  • Basic TCP Filter: tcp - Shows all TCP packets.
  • TCP Port Filter: tcp.port == 80 - Shows all TCP packets using port 80 (usually HTTP). You can replace 80 with any port number. tcp.srcport == 80 to filter by source port and tcp.dstport == 80 for destination port.
  • TCP Flags Filter: tcp.flags.syn == 1 - Shows only TCP SYN packets (used for initiating connections). Other useful flags are tcp.flags.ack for ACK packets, tcp.flags.fin for FIN packets, and tcp.flags.reset for RST packets.
  • Combining Filters: You can combine filters using logical operators. For example, tcp.port == 80 && ip.addr == 192.168.1.1 shows TCP packets on port 80 to or from the IP address 192.168.1.1.
  • Filtering by TCP stream: tcp.stream eq 0 Shows the first TCP stream. You can find the correct stream number by right clicking on a TCP packet and selecting "Follow" -> "TCP Stream".

Tips for Effective Filtering

  • Auto-Completion: Wireshark offers auto-completion for filter expressions. Start typing, and it will suggest possible options.
  • Color Coding: You can set up color coding rules in Wireshark to highlight packets that match certain filters, making them easier to spot. (View -> Coloring Rules)
  • Saving Filters: If you frequently use the same filters, save them for easy access. (Click the Bookmarks tab).
← Previous Article
How to check TCP connection in Wireshark?
Next Article →
What is TCP Listening Port?