Wireshark
Wireshark is the new name for what was Ethereal. It is a graphical packet sniffer built on the same capture library (libpcap) as tcpdump, so capture filters behave exactly as they do in tcpdump.
Display Filters
Display filters have their own syntax (field names and operators), whereas capture filters use the tcpdump/BPF syntax. A capture filter decides what gets written to the capture at all; a display filter only hides packets that are already captured.
See also: https://www.wireshark.org/docs/man-pages/wireshark-filter.html
Filter by packet data content
Display all packets that contain "foo" in the data section (quote string literals; newer Wireshark versions warn about unquoted ones):
data contains "foo"
contains
is a simple, case-sensitive substring (byte sequence) match, whereas matches
takes a Perl compatible regular expression (PCRE). Use matches when you need alternation, anchors or character classes; contains is cheaper for a fixed string.
Display hosts within a given subnet
ip.addr == 10.57.8.244/30
ip.addr matches either the source or the destination address. Use ip.src or ip.dst when you only want one direction.
Display data within a port range
To see all ceph-osd traffic (OSDs bind to 6800-7300 by default):
tcp.port >= 6800 and tcp.port <= 7300
Note that a TCP packet carries two tcp.port values (source and destination) and each comparison is true as soon as any one of them satisfies it, so the two halves of this filter can be satisfied by different ports and a packet such as 50000 -> 80 also matches. The set-membership operator with a range (in {low..high}) is evaluated per port value and avoids this.
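The over-matching described above, shown as an added example that is not part of the original page: the two functions below mimic Wireshark's evaluation rules for a multi-valued field such as tcp.port (a comparison is true if any occurrence satisfies it; `tcp.port in {6800..7300}` is true if any single occurrence lies in the range) and run both rules over a few constructed packets.

```python
"""Compare the two ways of writing a port-range display filter.

Added example (not from the original page). The packet list is constructed;
each packet is represented only by its (source port, destination port) pair.
"""

CEPH_OSD_LO, CEPH_OSD_HI = 6800, 7300


def and_range(ports, lo=CEPH_OSD_LO, hi=CEPH_OSD_HI):
    """Semantics of `tcp.port >= lo and tcp.port <= hi`.

    Each comparison is true when ANY tcp.port occurrence satisfies it, so the
    two comparisons may be satisfied by different ports of the same packet.
    """
    return any(p >= lo for p in ports) and any(p <= hi for p in ports)


def in_range(ports, lo=CEPH_OSD_LO, hi=CEPH_OSD_HI):
    """Semantics of `tcp.port in {lo..hi}`.

    True only when some single tcp.port occurrence lies inside the range.
    """
    return any(lo <= p <= hi for p in ports)


def select(packets, predicate):
    """Return the packets (as (src, dst) tuples) the predicate keeps."""
    return [pkt for pkt in packets if predicate(pkt)]


# Constructed packets: (source port, destination port)
PACKETS = [
    (50000, 80),     # ordinary HTTP client traffic, nothing to do with Ceph
    (6810, 41234),   # OSD talking to a client: should match
    (8000, 200),     # neither port in range, but 8000 >= 6800 and 200 <= 7300
    (7400, 7350),    # both above the range: should not match
]

if __name__ == "__main__":
    print("tcp.port >= 6800 and tcp.port <= 7300 :", select(PACKETS, and_range))
    print("tcp.port in {6800..7300}               :", select(PACKETS, in_range))
```

Only the second form returns just the 6810 -> 41234 packet; the first also keeps 50000 -> 80 and 8000 -> 200, which is why a port range should be written with `in` and a `..` range.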
Show only dns traffic about a certain host
dns.qry.name contains "www.rmi.net" || dns.resp.name contains "www.rmi.net"
Show all dns queries that do not have a response
Wireshark pairs a query with its response (the dns.response_in field) only when both packets are in the same capture. For this to work you must therefore capture on the client side, or capture on every DNS server the client may use and merge the captures; otherwise queries answered by a server you did not capture will look unanswered.
dns && (dns.flags.response == 0) && ! dns.response_in
IO graphing
Within the Statistics -> I/O Graph window, you can create graphs that illustrate trends in traffic over time. Each graph is a display filter plus an aggregate of one field per time interval.
DNS response time stats
Create graphs with the following settings (dns.time is the query-to-response delay Wireshark computes on each response):

| Graph Name | Display Filter | Style | Y Axis | Y Field | SMA Period |
|---|---|---|---|---|---|
| AVG DNS Time | dns | line | AVG(Y Field) | dns.time | 10 interval SMA |
| MAX DNS Time | dns | line | MAX(Y Field) | dns.time | 10 interval SMA |
| MIN DNS Time | dns | line | MIN(Y Field) | dns.time | 10 interval SMA |
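The same two questions (which queries never got a response, and what the DNS response times look like) answered outside the GUI, as an added example that is not part of the original page. It post-processes the per-packet field export that `tshark -Y dns -T fields` produces; the sample lines are constructed to look like that output with the fields frame.number, ip.src, ip.dst, dns.id, dns.flags.response and dns.time, and the parser accepts both the "0"/"1" and "False"/"True" spellings tshark has used for boolean fields.

```python
"""Find unanswered DNS queries and summarise dns.time from a tshark field export.

Added example (not from the original page). Assumed export command:
  tshark -r capture.pcap -Y dns -T fields -E separator=, \
      -e frame.number -e ip.src -e ip.dst -e dns.id -e dns.flags.response -e dns.time
Queries are paired with responses by (client address, dns.id), which is what
makes a response "belong" to a query; dns.time is only present on responses.
"""
from collections import namedtuple
from statistics import mean

Record = namedtuple("Record", "frame src dst dns_id is_response dns_time")

# Constructed sample modelled on the export above. Frame 3 never gets a
# response; frame 6 reuses transaction id 0x1a2b from a different client and
# must not be credited with the response in frame 2.
SAMPLE = """\
1,10.0.0.5,10.0.0.53,0x1a2b,0,
2,10.0.0.53,10.0.0.5,0x1a2b,1,0.012
3,10.0.0.5,10.0.0.53,0x1a2c,0,
4,10.0.0.5,10.0.0.53,0x1a2d,False,
5,10.0.0.53,10.0.0.5,0x1a2d,True,0.250
6,10.0.0.7,10.0.0.53,0x1a2b,0,
"""


def parse_records(text):
    """Parse comma-separated tshark field lines into Record tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, src, dst, dns_id, resp, dns_time = line.split(",")
        is_response = resp.strip() in ("1", "True")   # tshark prints either form
        records.append(Record(int(frame), src, dst, dns_id,
                              is_response, float(dns_time) if dns_time else None))
    return records


def unanswered_queries(records):
    """Return (client, dns.id, frame) for queries with no response in the capture.

    A response is matched to a query by the client address and transaction id,
    so the same id reused by another client does not count as answered.
    """
    answered = {(r.dst, r.dns_id) for r in records if r.is_response}
    return [(r.src, r.dns_id, r.frame)
            for r in records if not r.is_response and (r.src, r.dns_id) not in answered]


def response_time_stats(records):
    """AVG / MIN / MAX of dns.time over responses, like the I/O graph aggregates."""
    times = [r.dns_time for r in records if r.is_response and r.dns_time is not None]
    if not times:
        return {"count": 0, "avg": None, "min": None, "max": None}
    return {"count": len(times), "avg": mean(times), "min": min(times), "max": max(times)}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for client, dns_id, frame in unanswered_queries(recs):
        print(f"no response for query {dns_id} from {client} (frame {frame})")
    print(response_time_stats(recs))
```

The same pairing rule is what Wireshark applies when it fills in dns.response_in, so a query only counts as answered if the response is in the capture you are looking at; capture on the client (or merge server-side captures) before trusting the unanswered list.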