Wireshark is the new name for what was Ethereal. It is a graphical packet sniffer built on the same capture library (libpcap) as tcpdump.
Display filters have their own syntax, whereas capture filters use tcpdump syntax.
Filter by packet data content
Display all packets that contain "foo" in the data section:
data contains "foo"
contains is a simple substring match, whereas matches (also written ~) is a Perl-compatible regular expression, case-insensitive by default.
Display hosts within a given subnet
ip.addr == 10.57.8.244/30
Display data within a port range
To see all ceph-osd traffic (Ceph OSD daemons listen on TCP ports 6800-7300 by default):
tcp.port >= 6800 and tcp.port <= 7300
Show only dns traffic about a certain host
dns.qry.name contains "www.rmi.net" || dns.resp.name contains "www.rmi.net"
Show all dns queries that do not have a response
For this to work you must capture on the client side, or capture the traffic of every DNS server and merge the captures; otherwise a response that took a different path looks like a missing one.
dns && (dns.flags.response == 0) && ! dns.response_in
Within the Statistics -> I/O Graph window you can create graphs that illustrate trends in traffic.
DNS response time stats
Create graphs that have the following data:
| Graph Name   | Display Filter | Style | Y Axis       | Y Field  | SMA Period      |
| AVG DNS Time | dns            | line  | AVG(Y Field) | dns.time | 10 interval SMA |
| MAX DNS Time | dns            | line  | MAX(Y Field) | dns.time | 10 interval SMA |
| MIN DNS Time | dns            | line  | MIN(Y Field) | dns.time | 10 interval SMA |
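The two DNS checks above (the unanswered-query filter and the dns.time statistics behind the I/O graphs) reproduced offline in Python, as an added example that is not part of the original page. It builds its own constructed DNS messages and pairs responses to queries by transaction ID within the same conversation, which is the basis of dns.response_in; the IP addresses and names are made up.

```python
"""Pair DNS queries with responses and compute dns.time statistics, mirroring
`dns.flags.response == 0 && !dns.response_in` and AVG/MAX/MIN(dns.time)."""
import struct
from statistics import mean

def build_dns(txid, qname, response=False):
    """Build a minimal DNS message (header + one A question) in wire format."""
    flags = 0x8180 if response else 0x0100              # QR bit (0x8000) set on responses
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(struct.pack("B", len(l)) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def parse_dns(payload):
    """Return (txid, is_response, qname): the dns.id, dns.flags.response, dns.qry.name fields."""
    txid, flags = struct.unpack("!HH", payload[:4])
    labels, pos = [], 12                                 # question section starts after the 12-byte header
    while payload[pos]:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode())
        pos += n + 1
    return txid, bool(flags & 0x8000), ".".join(labels)

def match_transactions(packets):
    """packets: list of (time, src, sport, dst, dport, dns_payload), in capture order.
    Returns (unanswered [(qname, client)], dns_times). A response pairs with the query
    that has the same txid and the reversed endpoints, i.e. the same conversation."""
    pending, times = {}, []
    for t, src, sport, dst, dport, payload in packets:
        txid, is_resp, qname = parse_dns(payload)
        if not is_resp:
            pending[(txid, src, sport, dst, dport)] = (t, qname)
            continue
        key = (txid, dst, dport, src, sport)             # reversed 5-tuple
        if key in pending:
            t0, _ = pending.pop(key)
            times.append(t - t0)                         # this is Wireshark's dns.time
    unanswered = [(q, k[1]) for k, (t, q) in pending.items()]
    return unanswered, times

def dns_time_stats(times):
    """The three values the I/O graph plots per interval, over the whole sample."""
    return {"avg": mean(times), "max": max(times), "min": min(times)} if times else {}

# Constructed sample: three queries from one client, one never answered.
SAMPLE = [
    (0.000, "10.57.8.244", 40001, "10.57.8.1", 53, build_dns(0x1A2B, "www.rmi.net")),
    (0.012, "10.57.8.1", 53, "10.57.8.244", 40001, build_dns(0x1A2B, "www.rmi.net", True)),
    (0.100, "10.57.8.244", 40002, "10.57.8.1", 53, build_dns(0x1A2C, "ceph.example.test")),
    (0.200, "10.57.8.244", 40003, "10.57.8.1", 53, build_dns(0x1A2D, "mail.rmi.net")),
    (0.248, "10.57.8.1", 53, "10.57.8.244", 40003, build_dns(0x1A2D, "mail.rmi.net", True)),
]

if __name__ == "__main__":
    unanswered, times = match_transactions(SAMPLE)
    print("unanswered:", unanswered)
    print("dns.time:", dns_time_stats(times))
```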