
Wireshark cheat sheet (quick reference)

1) Capture filters (BPF) — applied when starting capture
Use these in Capture → Options (or on the command line with dumpcap / tshark -f).

Capture traffic to/from a host
host 192.168.1.10
Only source host
src host 10.0.0.5
Only destination host
dst host 10.0.0.5
Network (subnet)
net 192.168.0.0/24
Specific port (TCP or UDP)
port 80

TCP only on a port
tcp port 443

UDP only (e.g., DNS)
udp and port 53

Port range
portrange 1000-2000

Ether address filter
ether host 00:11:22:33:44:55

Combine filters
tcp and host 10.0.0.5 and port 80

2) Display filters (Wireshark GUI / -Y in tshark)
Powerful, protocol-aware filtering after capture.
Basic IP/TCP/UDP
ip.addr == 192.168.1.10 — any IP field (source or destination) matches
ip.src == 192.168.1.10
ip.dst == 8.8.8.8
tcp.port == 80 — matches src or dst port
tcp.srcport == 443
udp.port == 53
HTTP / DNS / TLS examples
http — show HTTP packets
http.request.method == "GET"
http.host == "example.com"
dns.qry.name == "example.com"
tls or ssl — show TLS/SSL (which protocol name works depends on the Wireshark version)
tls.handshake.type == 1 — a ClientHello is present
frame contains "password" — the raw frame contains that text (case-sensitive)
Flags / conditions
tcp.flags.syn == 1 && tcp.flags.ack == 0 — SYN packets (connection start)
tcp.flags.reset == 1 — RST
tcp.analysis.retransmission — retransmitted packets
ip.len > 1500 — IP packets larger than the usual 1500-byte Ethernet MTU
Text / regex
http.user_agent contains "Firefox"
http.host matches ".*google.*" — regex match (case-insensitive by default)
Existence checks
http.request — packets that are HTTP requests (the field exists)
ssl.handshake — packets where a handshake record exists (tls.handshake in newer versions)

3) Useful GUI actions (shortcuts & tips)
Apply display filter: type in the filter bar and press Enter.
Clear display filter: Ctrl+Shift+C (or click the X).
Start/Stop capture: green/red toolbar buttons.
Follow TCP stream: right-click a TCP packet → Follow → TCP Stream.
Export objects (HTTP): File → Export Objects → HTTP (grab files transferred).

Statistics → Endpoints / Conversations / Protocol Hierarchy → use for summaries.

Coloring rules: View → Coloring Rules to add visual filters.

4) Command line: tshark, dumpcap, editcap, mergecap
dumpcap — capture to file (recommended for long captures)
Capture on eth0, write to capture.pcap:
dumpcap -i eth0 -w capture.pcap

Ring buffer (split files by size):
dumpcap -i eth0 -b filesize:10240 -b files:10 -w capture.pcap
(filesize is in KB; dumpcap rotates through the given number of files, overwriting the oldest one)
tshark — CLI packet analyzer (like tcpdump + Wireshark)
Capture live and write pcap (capture filter given with -f):
tshark -i eth0 -w capture.pcap -f "port 80"

Read pcap and show a summary (frame and byte counts for a display filter; interval 0 = the whole capture as one interval):
tshark -r capture.pcap -q -z io,stat,0,"ip.src==192.168.1.10"

Export selected fields (CSV-like):
tshark -r capture.pcap -Y "http" -T fields -e frame.number -e ip.src -e ip.dst -e http.request.method -E header=y -E separator=, > http_requests.csv

Follow TCP stream (ASCII) from capture (stream index 0):
tshark -r capture.pcap -q -z "follow,tcp,ascii,0"
(Change the last number to the stream index shown in the GUI follow list.)
editcap — split/convert pcap files
Split into files with 100000 packets each:
editcap -c 100000 input.pcap out_split.pcap

Convert pcapng → pcap:
editcap -F pcap input.pcapng output.pcap

mergecap — merge capture files
Merge files:
mergecap -w merged.pcap part1.pcap part2.pcap

5) Decrypting TLS / SSL (basic notes)
For older SSL/TLS with RSA key exchange, you can supply the server private key in Preferences → Protocols → TLS → RSA keys list (format: ip,port,protocol,key file).
For modern TLS (ECDHE/TLS 1.3) use (Pre)-Master-Secret logging from the client (e.g., set SSLKEYLOGFILE in Firefox/Chrome) and configure Wireshark to use that file under TLS → (Pre)-Master-Secret log filename.

Note: Not all captures can be decrypted (depends on cipher suites and available keys).
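
How the key log file gets joined to a capture, shown as an added Python example (it is not from the cheat sheet and not Wireshark's own code): Wireshark keys the NSS-format log on the 32-byte client random carried in the ClientHello (the record that tls.handshake.type == 1 matches), so a session can only be decrypted if a log line with that random exists. Everything below is constructed sample data: the randoms, the filler secrets, and the minimal ClientHello records built by the helper build_client_hello (my helper, not a real capture). Record C has no matching line, which is exactly the "cannot be decrypted" case the note above refers to.

```python
"""Added example: join an SSLKEYLOGFILE (NSS key log format) to ClientHello records
the way Wireshark does, via the 32-byte client random. Not Wireshark's code."""
import os

TLS_HANDSHAKE, CLIENT_HELLO = 0x16, 0x01
# Labels Wireshark accepts: CLIENT_RANDOM for TLS 1.2 and earlier, per-direction secrets for TLS 1.3.
KEYLOG_LABELS = {"CLIENT_RANDOM", "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                 "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}


def parse_keylog(text):
    """Map client_random (bytes) -> {label: secret bytes}; comments and malformed lines are ignored."""
    secrets = {}
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 3 or parts[0] not in KEYLOG_LABELS:
            continue
        try:
            rand, secret = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        except ValueError:
            continue
        if len(rand) == 32:
            secrets.setdefault(rand, {})[parts[0]] = secret
    return secrets


def client_random(record):
    """Return the client random from a TLS record carrying a ClientHello, else None."""
    if len(record) < 43 or record[0] != TLS_HANDSHAKE or record[5] != CLIENT_HELLO:
        return None
    # 5-byte record header + 4-byte handshake header + 2-byte client_version, then 32 bytes of random
    return record[11:43]


def decryptable_sessions(records, keylog_text):
    """For each ClientHello record index, list the key-log labels available for that session."""
    secrets = parse_keylog(keylog_text)
    result = {}
    for i, rec in enumerate(records):
        rand = client_random(rec)
        if rand is not None:
            result[i] = sorted(secrets.get(rand, {}))   # [] means: no key material, stays encrypted
    return result


def load_keylog_from_env():
    """Read the file named by SSLKEYLOGFILE if the variable is set, else return an empty log."""
    path = os.environ.get("SSLKEYLOGFILE")
    if not path or not os.path.exists(path):
        return ""
    with open(path, encoding="ascii", errors="replace") as fh:
        return fh.read()


# --- constructed sample data: fake randoms, filler secrets, minimal ClientHello records ---
def build_client_hello(random32, version=b"\x03\x03"):
    body = (version + random32 + b"\x00"        # client_version, random, empty session id
            + b"\x00\x02\x13\x01"               # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00" + b"\x00\x00")        # one compression method (null), no extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + version + len(handshake).to_bytes(2, "big") + handshake


RAND_A, RAND_B, RAND_C = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))
SAMPLE_KEYLOG = "\n".join([
    "# constructed key log; secrets are filler, not real key material",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + RAND_A.hex() + " " + "11" * 48,   # TLS 1.3 session
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + RAND_A.hex() + " " + "22" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + RAND_A.hex() + " " + "33" * 48,
    "SERVER_TRAFFIC_SECRET_0 " + RAND_A.hex() + " " + "44" * 48,
    "CLIENT_RANDOM " + RAND_B.hex() + " " + "55" * 48,                       # TLS 1.2 session
    "this line is not a valid key log entry",
])
SAMPLE_RECORDS = [build_client_hello(RAND_A), build_client_hello(RAND_B),
                  build_client_hello(RAND_C),                     # never logged: stays encrypted
                  b"\x17\x03\x03\x00\x05hello"]                   # application data, no random

if __name__ == "__main__":
    print(decryptable_sessions(SAMPLE_RECORDS, SAMPLE_KEYLOG))
```

Session 0 (TLS 1.3) reports the four traffic secrets, session 1 (TLS 1.2) its CLIENT_RANDOM, and session 2 an empty list: that last case is the one to expect when the log was started after the browser had already opened the connection, or when the logging client is not the one whose traffic was captured.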

6) Quick common filters & what they show
http — all HTTP traffic
tcp.port == 22 — SSH packets
ssh — SSH protocol (if detected)
dns — show DNS queries/responses
icmp — ping / ICMP traffic
arp — local ARP requests/replies
ip.addr == 10.0.0.5 && tcp.port == 80 — traffic to/from that IP on HTTP
frame.time >= "2025-09-12 14:00:00" — show packets after timestamp (use the exact format Wireshark shows)

7) Troubleshooting tips / best practices
Use capture filters to limit data collection (less noise). Use display filters to slice details afterward.
When troubleshooting slowness: check tcp.analysis.retransmission, tcp.analysis.duplicate_ack, tcp.analysis.zero_window.
Use Protocol Hierarchy and Conversations for a quick overview of top talkers.
Keep timezone / clock sync in mind: mismatched clocks between devices make timelines confusing.

Save your display filters and coloring rules as a profile (Edit → Configuration Profiles).

8) Handy examples (copy/paste)

Capture only HTTPS traffic (port 443) and write ring buffer:
dumpcap -i eth0 -b filesize:10240 -b files:12 -f "tcp port 443" -w https_capture.pcap

Extract CSV of HTTP requests from a capture:
tshark -r capture.pcap -Y "http.request" -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e http.request.method -e http.request.uri -E header=y -E separator=, > http_requests.csv

Show only DNS queries for example.com:
GUI display filter:
dns.qry.name == "example.com"

Find SYN floods (lots of SYN without ACKs):

tcp.flags.syn == 1 && tcp.flags.ack == 0
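
What that filter actually matches, as an added Python example (not part of the cheat sheet): a minimal classic-libpcap reader that dissects Ethernet/IPv4/TCP, evaluates tcp.flags.syn == 1 && tcp.flags.ack == 0 the same way the display filter does, and counts bare SYNs per source address so a capture can be checked for a SYN flood offline. The pcap bytes are constructed inside the script by my helpers build_frame and build_pcap (hypothetical addresses, no checksums); a real file written by dumpcap in pcapng format would first need editcap -F pcap, since only the classic format is parsed here.

```python
"""Added example: read a classic libpcap file, apply the display-filter logic
tcp.flags.syn == 1 && tcp.flags.ack == 0 and count bare SYNs per source IP.
Not part of the cheat sheet; handles Ethernet/IPv4/TCP only."""
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_pcap(data):
    """Yield the raw bytes of each packet record in a classic pcap (not pcapng) file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # little-endian writer (the common case)
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (convert pcapng with: editcap -F pcap)")
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    *_, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def dissect_tcp(frame):
    """Return (src_ip, dst_ip, dst_port, tcp_flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4 or frame[23] != 6:
        return None                        # not IPv4, or the IP protocol is not TCP (6)
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    dport = struct.unpack("!H", tcp[2:4])[0]
    return src, dst, dport, tcp[13]        # byte 13 of the TCP header holds the flags


def bare_syn(flags):
    """Equivalent of the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0."""
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK)


def syn_sources(pcap_bytes, threshold):
    """Map source IP -> number of bare SYNs, keeping only sources at or above threshold."""
    counts = Counter()
    for frame in parse_pcap(pcap_bytes):
        info = dissect_tcp(frame)
        if info and bare_syn(info[3]):
            counts[info[0]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# --- constructed sample data (hypothetical addresses, no checksums; enough for parsing) ---
def build_frame(src, dst, sport, dport, flags):
    eth = b"\x00" * 12 + ETHERTYPE_IPV4    # dst MAC, src MAC, ethertype
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


SAMPLE_PCAP = build_pcap(
    [build_frame("10.0.0.99", "10.0.0.5", 40000 + i, 80, TCP_SYN) for i in range(5)]
    + [build_frame("10.0.0.7", "10.0.0.5", 51000, 80, TCP_SYN),              # normal handshake
       build_frame("10.0.0.5", "10.0.0.7", 80, 51000, TCP_SYN | TCP_ACK),
       build_frame("10.0.0.7", "10.0.0.5", 51000, 80, TCP_ACK),
       b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28])                           # an ARP frame, skipped

if __name__ == "__main__":
    print(syn_sources(SAMPLE_PCAP, threshold=3))   # {'10.0.0.99': 5}
```

The threshold is what separates a flood from normal connection setup: every legitimate client sends exactly one bare SYN per connection (10.0.0.7 above), so a source with many bare SYNs and no completed handshakes is the signal worth checking against tcp.analysis flags and Conversations in the GUI.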

View TCP stream #3 as ASCII in CLI:
tshark -r capture.pcap -q -z "follow,tcp,ascii,3"


Do Religion and Beliefs Really Matter?

🕌✝️ From the Concept of Jihad and Crusade to the East

For almost 800 years, Muslims and Christians fought each other on the Iberian Peninsula. This is what is called the Reconquista, a series of wars that began as part of the wider conflict of Jihad vs. Crusade.

In 1492, Granada, the last Muslim kingdom in Spain, finally fell. At last the whole land was returned to the Catholics. But for Spain this was not just the end of a war but the beginning of a broader mission: to carry on the crusade, no longer only in Europe but to the ends of the earth.

This is where Spain's strategy came in: if they wanted to finish off the legacy of Islam and extend their power, they had to reach the farthest part of Asia. And in their view, the last tail, the "tail end of Asia", was none other than the archipelago that would come to be called the Philippines.

The Age of Discovery and Conquest

In the 15th century, the world changed. Europe, full of ambition and hungry for power, began to sail away from its own continent. Kings were searching for wealth, merchants dreamed of spices, and priests carried the cross to spread the faith.

In 1498, Vasco da Gama of Portugal reached India after rounding the Cape of Good Hope. This is where the Muslim and Venetian monopoly on the spice trade began to break down. Next, in 1511, Afonso de Albuquerque captured Malacca, opening the door of Asia to Europe's cannons.

But Spain was not late. They had just finished the Reconquista, so when Ferdinand Magellan sailed for Spain in 1519, he carried not only the desire for wealth but also the cross of Christianity.

In 1521, he arrived in the Visayas. A cross was raised, a sign of the arrival of the new faith. But at Mactan he was met by Lapu-Lapu, proof that the archipelago would not be easy to conquer.

The Founding of the Empire

It did not end there. In 1565, Miguel López de Legazpi arrived, not as a visitor but as a conquistador. He established a base in Cebu, and in 1571 he attacked Manila, which was ruled by Rajah Sulayman. Cannons roared; the swords of Europe met the weapons of the Moros. Manila fell, and from there it was rebuilt as the capital city of Spain in Asia.

For Spain, the fight was about more than trade. Their war against Islam in Iberia was continued in Asia. The Philippines became the new frontier of their faith.

The Asian Context

While Spain was busy establishing its colony, what were the other powers in Asia doing?

China (Ming Dynasty) – focused on defense against the Mongols and pirates, not on Islam. Their interest was the trade in silver, silk, and porcelain.

Japan (Sengoku → Tokugawa) – divided by the wars of the daimyo, focused on expansion into Korea. The religions were Shinto and Buddhism, with a small Christian community from the missionaries.

Korea (Joseon Dynasty) – fighting Japan with the turtle ships of Admiral Yi Sun-sin, and relying on help from the Ming.

Vietnam (Đại Việt) – at war and expanding southward, using guerrilla tactics.

Philippines (pre-colonial) – divided into barangays, sultanates, and datu-ships. The Moros had the kris, kampilan, spears, lantaka cannons, and karakoa warships, fast and suited to coastal raids, but not enough to match Spain's galleons.

The Army of Spain

Spain's forces were not homogeneous:

Peninsulares – Spaniards from Spain itself, skilled in European military tactics.

Criollos – Spaniards born in the colonies, more familiar with local conditions.

African auxiliaries – freedmen and slaves from Africa who helped in defense and garrisons.

Mercenaries – from Portugal, Italy, Germany.

Local allies – Filipinos who sided with Spain against other datus or sultanates.

With this combination, using muskets, rapiers, pikes, steel armor, and galleons with broadside cannons, they prevailed.

⚔️ The Balance of Power

From 1450–1600, this was the situation:

Spain – advanced in firearms, steel, naval power, and diverse manpower.

Japan – disciplined, militarized, but divided internally.

China – strong but focused on defense, not expansion.

Korea – survived because of Ming support.

Vietnam – grew stronger regionally but with a limited navy.

Philippines – had local forces but was divided and vulnerable.

That is why Spain succeeded in establishing a foothold in Asia, something neither Japan nor China managed at that time.

🌏 The Birth of the Philippines

In the end, out of the voyages, wars, and faith, a new identity was born:

Asian in blood and culture.

European in faith and governance.

A nation set in the midst of the seas, and alone in Asia as a Christian country.

The Philippines is not merely an accident of history, but the product of the merging of local communities, of Spain's global ambition, and of the dynamics of all of Asia.

🦈 Wireshark Installation Tutorial

🔹 1. Install on Windows

Go to the official download page:
👉 https://www.wireshark.org/download.html

Click Windows Installer (64-bit).

Run the downloaded installer (Wireshark-win64-x.x.x.exe).

During installation:

✅ Select Install WinPcap/Npcap (needed for packet capturing).

Leave defaults unless you know what to change.

Finish installation and restart your computer if asked.

Open Wireshark → Select your active network interface (e.g., Wi-Fi).

🔹 2. Install on macOS

Visit the same download page:
👉 https://www.wireshark.org/download.html

Download the macOS .dmg installer.

Open the .dmg file and drag Wireshark into Applications.

Install ChmodBPF package (it comes with Wireshark):

This allows non-admin users to capture packets.

Launch Wireshark → Select the Wi-Fi or Ethernet interface.

📌 Note: On newer macOS, you may need to allow System Extensions in System Preferences → Security & Privacy.

🔹 3. Install on Linux Mint (Ubuntu-based)
Option A: Install directly on Mint

Open Terminal.

Update package list:

sudo apt update

Install Wireshark:

sudo apt install wireshark -y

Allow your user to capture packets without root:

sudo usermod -aG wireshark $USER

Log out and log back in.

Start Wireshark from Applications menu.

Option B: Install inside VirtualBox Mint VM

If using Mint inside VirtualBox:

Wireshark will capture virtual network traffic (between the VM and host/bridge).

To see real traffic, set VirtualBox Network Adapter to Bridged Mode instead of NAT.

Install as per Option A inside the VM.

🔹 4. Using Wireshark Inside VirtualBox (Windows/macOS Host)

If Wireshark is installed on the host machine (Windows/macOS):

It can see all traffic passing through the host’s adapter (physical Wi-Fi or Ethernet).

If Wireshark is installed inside the VM:

It will only capture traffic visible to the VM.

For best results, switch the VirtualBox network setting from NAT → Bridged Adapter so the VM acts like a real device on the same network.

✅ Quick Test After Installation

Open Wireshark.

Select your network interface (Wi-Fi or Ethernet).

Click Start Capturing (blue shark fin).

Open a browser and visit any website (e.g., example.com).

Stop capture.

Apply filter:

dns

You should see your computer asking a DNS server for the IP of the site.
