Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Wireshark Filter explanations/guide

I am a data scientist analyzing packet data from Wireshark but I do not have a networking background. It's been a laborious process of Googling each filter from the tshark output to build an intuitive understanding of each field, two fields just to illustrate my point: "ip.flags.rb" or "ip.flags." While the shorthand of such fields may have more meaning to an experienced network engineer, most is lost on me. I have reviewed the Wireshark documentation ( and the definitions are:

ip.flags            Flags   Unsigned integer, 2 bytes   1.0.0 to 3.2.2
ip.flags.rb Reserved bit    Boolean                     1.0.0 to 3.2.2

Such a definition doesn't answer critical questions like, "what is the range of integers for ip.flags and what would be the significance of each? Or, "what is the significance of a 1 for ip.flags.rb as opposed to a 0, i.e. why might it matter if a bit is reserved or not?"

My question is, is there a cheat sheet for newbies/non-network engineers with such information? Thus far, it seems like in-depth explanations can occasionally be found in the Wireshark documentation, albeit spread across many chapters. I can also find discussion of individual fields on forums/blogs, but with 273+ fields to try to understand, I'm wondering if there is a better resource I haven't yet found that is available.