Wireshark Display Filters Cheat Sheet

ARP HTTP
arp.dst.hw_mac arp.proto.size http.accept http.proxy_authorization
arp.dst.proto_ipv4 arp.proto.type http.accept_encoding http.proxy_connect_host
arp.hw.size arp.src.hw_mac http.accept_language http.proxy_connect_port
arp.hw.type arp.src.proto_ipv4 http.authbasic http.referer
arp.opcode http.authorization http.request
http.cache_control http.request.method
BGP
http.connection http.request.uri
bgp.aggregator_as bgp.mp_reach_nlri_ipv4_prefix
http.content_encoding http.request.version
bgp.aggregator_origin bgp.mp_unreach_nlri_ipv4_prefix
http.content_length http.response
bgp.as_path bgp.multi_exit_disc
http.content_type http.response.code
bgp.cluster_identifier bgp.next_hop
http.cookie http.server
bgp.cluster_list bgp.nlri_prefix
http.date http.set_cookie
bgp.community_as bgp.origin
http.host http.transfer_encoding
bgp.community_value bgp.originator_id
http.last_modified http.user_agent
bgp.local_pref bgp.type
http.location http.www_authenticate
bgp.mp_nlri_tnl_id bgp.withdrawn_prefix
http.notification http.x_forwarded_for
DTP http.proxy_authenticate

dtp.data dtp.tlv_len dtp.senderid

dtp.domain dtp.tlv_type dtp.version
ICMP
Ethernet icmp.checksum icmp.mtu

eth.addr eth.len eth.src icmp.checksum_bad icmp.redir_gw

eth.dst eth.lg eth.trailer icmp.code icmp.seq
eth.ig eth.multicast eth.type icmp.ident icmp.type

Filter Operators
ICMPv6
eq or == gt or > ge or >=
icmpv6.all_comp icmpv6.option.name_type.fqdn
ne or != lt or < le or <=
icmpv6.checksum icmpv6.option.name_x501
Filter Logic icmpv6.checksum_bad icmpv6.option.rsa.key_hash
and or && Logical AND not or ! Logical NOT icmpv6.code icmpv6.option.type
or or || Logical OR [n] […] Substring operator icmpv6.comp icmpv6.ra.cur_hop_limit
xor or ^^ Logical XOR icmpv6.haad.ha_addrs icmpv6.ra.reachable_time
icmpv6.identifier icmpv6.ra.retrans_timer
Frame Relay
icmpv6.option icmpv6.ra.router_lifetime
fr.becn fr.de icmpv6.option.cga icmpv6.recursive_dns_serv
fr.chdlctype fr.dlci icmpv6.option.length icmpv6.type
fr.control fr.dlcore_control icmpv6.option.name_type
fr.control.f fr.ea
fr.control.ftype fr.fecn
IEEE 802.1Q
fr.control.n_r fr.lower_dlci
fr.control.n_s fr.nlpid vlan.cfi vlan.len

fr.control.p fr.second_dlci vlan.etype vlan.priority

fr.control.s_ftype fr.snap.oui vlan.id vlan.trailer

fr.control.u_modifier_cmd fr.snap.pid
fr.control.u_modifier_resp fr.snaptype
fr.cr fr.third_dlci
fr.dc fr.upper_dlci
NetworkProGuide.com
 IPv4 RIP
ip.addr ip.fragment.overlap.conflict rip.auth.passwd rip.ip rip.route_tag
ip.checksum ip.fragment.toolongfragment rip.auth.type rip.metric rip.routing_domain
ip.checksum_bad ip.fragments rip.command rip.netmask rip.version
ip.checksum_good ip.hdr_len rip.family rip.next_hop
ip.dsfield ip.host
TCP
ip.dsfield.ce ip.id
tcp.ack tcp.options.qs
ip.dsfield.dscp ip.len
tcp.checksum tcp.options.sack
ip.dsfield.ect ip.proto
tcp.checksum_bad tcp.options.sack_le
ip.dst ip.reassembled_in
tcp.checksum_good tcp.options.sack_perm
ip.dst_host ip.src
tcp.continuation_to tcp.options.sack_re
ip.flags ip.src_host
tcp.dstport tcp.options.time_stamp
ip.flags.df ip.tos
tcp.flags tcp.options.wscale
ip.flags.mf ip.tos.cost
tcp.flags.ack tcp.options.wscale_val
ip.flags.rb ip.tos.delay
tcp.flags.cwr tcp.pdu.last_frame
ip.frag_offset ip.tos.precedence
tcp.flags.ecn tcp.pdu.size
ip.fragment ip.tos.reliability
tcp.flags.fin tcp.pdu.time
ip.fragment.error ip.tos.throughput
tcp.flags.push tcp.port
ip.fragment.multipletails ip.ttl
tcp.flags.reset tcp.reassembled_in
ip.fragment.overlap ip.version
tcp.flags.syn tcp.segment
IPv6 tcp.flags.urg tcp.segment.error

ipv6.addr ipv6.hop_opt tcp.hdr_len tcp.segment.multipletails

ipv6.class ipv6.host tcp.len tcp.segment.overlap

ipv6.dst ipv6.mipv6_home_address tcp.nxtseq tcp.segment.overlap.conflict

ipv6.dst_host ipv6.mipv6_length tcp.options tcp.segment.toolongfragment

ipv6.dst_opt ipv6.mipv6_type tcp.options.cc tcp.segments

ipv6.flow ipv6.nxt tcp.options.ccecho tcp.seq

ipv6.fragment ipv6.opt.pad1 tcp.options.ccnew tcp.srcport

ipv6.fragment.error ipv6.opt.padn tcp.options.echo tcp.time_delta

ipv6.fragment.more ipv6.plen tcp.options.echo_reply tcp.time_relative

ipv6.fragment.multipletails ipv6.reassembled_in tcp.options.md5 tcp.urgent_pointer

ipv6.fragment.offset ipv6.routing_hdr tcp.options.mss tcp.window_size

ipv6.fragment.overlap ipv6.routing_hdr.addr tcp.options.mss_val

ipv6.fragment.overlap.conflict ipv6.routing_hdr.left UDP
ipv6.fragment.toolongfragment ipv6.routing_hdr.type udp.srcport
udp.checksum udp.dstport
ipv6.fragments ipv6.src
udp.checksum_bad udp.length
ipv6.fragment.id ipv6.src_host
udp.checksum_good udp.port
ipv6.hlim ipv6.version
VTP
MPLS vtp.code vtp.vlan_info.802_10_index
mpls.bottom mpls.oam.defect_location vtp.conf_rev_num vtp.vlan_info.isl_vlan_id
mpls.cw.control mpls.oam.defect_type vtp.followers vtp.vlan_info.len
mpls.cw.res mpls.oam.frequency vtp.md vtp.vlan_info.mtu_size
mpls.exp mpls.oam.function_type vtp.md5_digest vtp.vlan_info.status.vlan_susp
mpls.label mpls.oam.ttsi vtp.md_len vtp.vlan_info.tlv_len
mpls.oam.bip16 mpls.ttl vtp.seq_num vtp.vlan_info.tlv_type
vtp.start_value vtp.vlan_info.vlan_name
PPP
vtp.upd_id vtp.vlan_info.vlan_name_len
ppp.address ppp.direction vtp.upd_ts vtp.vlan_info.vlan_type
ppp.control ppp.protocol vtp.version