
Wireshark Keyboard Shortcuts

Wireshark's shortcut set is built around a workflow of capturing traffic, then filtering and drilling into an overwhelming volume of packets to find the handful that actually matter, and its most-used shortcuts reflect that filtering-first mentality more than general navigation. Ctrl+/ to jump into the display filter bar is arguably the single most important shortcut, since writing and refining filter expressions (like http.request or ip.addr == 10.0.0.1) is how virtually all real analysis happens rather than scrolling through a raw unfiltered packet list.

Because captures can run into the hundreds of thousands of packets on a busy network, Wireshark also provides dedicated shortcuts for jumping directly to the next/previous packet matching the current filter, letting you step through only the relevant subset rather than the entire capture, which is a meaningfully different navigation pattern than most other software's next/previous conventions.

Coloring rules, which apply custom background and text colors to packets matching specific filter criteria, extend the same filter syntax used for the main display filter into a persistent visual highlighting system, making certain traffic patterns (like TCP retransmissions or DNS errors) visually jump out while scanning a capture rather than requiring constant re-filtering to spot them. Because Wireshark can decode hundreds of different protocols out of the box, the protocol hierarchy statistics view, which shows what percentage of a capture's packets belong to each protocol, is often the fastest way to get an initial sense of what's actually happening in an unfamiliar capture before diving into detailed filtering.

Manual packet marking and time referencing serve a more surgical purpose than filtering or coloring rules: marking flags individual packets you personally want to revisit while scrolling through a capture by eye, and setting a time reference recalculates the delta-time column relative to a chosen starting packet. Both are useful for measuring or annotating a specific sequence of events rather than isolating a broader category of traffic the way a filter expression does.

Capture Control

Action | Windows | Mac | Description
Start packet capture | Ctrl+E | Cmd+E | Starts capturing traffic on the selected network interface, the entry point for any live analysis session as opposed to opening a previously saved capture file.
Stop packet capture | Ctrl+E (toggle) | Cmd+E | Stops the currently running capture. It shares the toggle shortcut with starting one: pressed again while a capture is active, it stops rather than starts.
Save capture file | Ctrl+S | Cmd+S | Saves the current capture as a .pcap/.pcapng file, the standard way of preserving a capture for later analysis or sharing with a colleague.
Export specified packets | File menu > Export Specified Packets | same | Saves only a filtered subset of the current capture to a new file, useful for sharing a relevant slice of a large capture with a colleague without sending the entire unfiltered dataset.

Filtering

Action | Windows | Mac | Description
Jump to display filter bar | Ctrl+/ | Cmd+/ | Moves keyboard focus directly to the display filter input field, the single most-used shortcut in Wireshark given how central filter expressions are to isolating relevant packets out of a large capture.
Apply typed display filter | Enter (in filter bar) | same | Applies the currently typed filter expression to the packet list, narrowing the displayed packets to only those matching the filter's criteria.
Clear current display filter | Ctrl+/ then select-all+Delete (no single default clear key) | same | Clears an active filter to return to viewing all captured packets, typically done by selecting and deleting the filter text rather than with a single dedicated clear shortcut in most versions.
Open Coloring Rules editor | View menu > Coloring Rules | same | Opens the editor for defining custom background and text colors applied to packets matching specific filter criteria, extending the same filter syntax into a persistent visual highlighting system for scanning a capture.
Open filter expression builder | Button next to filter bar (no default keystroke) | same | Opens a guided dialog for constructing a display filter expression from field names and comparison operators without needing to know the exact filter syntax from memory, useful while still learning Wireshark's filter language.

Packet Navigation

Action | Windows | Mac | Description
Jump to next packet | Ctrl+Down | Cmd+Down | Moves selection to the next packet in the (possibly filtered) list, letting you step through packets sequentially without using the mouse.
Find packet by content | Ctrl+F | Cmd+F | Opens a search dialog to find a packet by string, hex value, or filter expression. It is distinct from the display filter: it locates a specific match within the currently displayed packet set rather than filtering the whole list.
Open Protocol Hierarchy statistics | Statistics menu > Protocol Hierarchy | same | Breaks the capture down by protocol and shows what share of packets belong to each one, a quick way to get oriented in an unfamiliar capture before you've written a single filter expression to narrow things down.
Follow TCP/UDP stream | Right-click packet > Follow > TCP Stream | same | Stitches every packet in a selected connection back into one readable data stream, so you get the whole exchange laid out at once instead of manually correlating dozens of individual packets.
Mark/unmark focused packet | Ctrl+M | Cmd+M | Toggles a visual mark on the selected packet, useful for flagging specific packets of interest while manually scanning through a capture. Unlike a filter or coloring rule, it is a manual, packet-by-packet annotation.
Set packet as time reference | Ctrl+T | Cmd+T | Sets the selected packet as a zero-point time reference, so the time column of subsequent packets shows elapsed time relative to that reference packet rather than the capture start, useful for measuring the duration between two specific events.

Frequently Asked Questions

What's the difference between a capture filter and a display filter in Wireshark?

Capture filters (set before capturing starts) determine which packets are recorded at all, using a different, more limited syntax based on the older BPF format. Display filters, applied after capture, hide or show packets from what's already been recorded; they use Wireshark's own richer filter syntax and can be changed repeatedly without needing to re-capture traffic.

Why does Wireshark sometimes require administrator/root privileges to capture traffic?

Capturing live network traffic requires putting a network interface into promiscuous mode and accessing raw packet data at the OS level, both of which require elevated privileges on most operating systems as a security measure, since unrestricted packet capture could otherwise let any user eavesdrop on network traffic without authorization.

Can I apply a display filter directly from a specific field in a packet I'm already looking at?

Yes: right-clicking any field in the packet detail pane offers 'Apply as Filter' options that automatically construct and apply a filter expression based on that field's value, which is often faster and less error-prone than typing the filter syntax manually from scratch.

What's the fastest way to understand what's in a capture I didn't create myself?

Opening Protocol Hierarchy statistics gives an immediate breakdown of what percentage of packets belong to each protocol Wireshark decoded, which is generally faster for orienting yourself in an unfamiliar capture than diving straight into writing detailed display filters without any sense of what traffic is actually present.
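The computation behind the Protocol Hierarchy view is simple enough to reproduce, which helps when you need the same orientation pass scripted over many captures. The example below is added here and is not Wireshark's own code; it assumes per-packet protocol chains in the colon-separated form Wireshark exposes as the frame.protocols field (for example eth:ethertype:ip:tcp:http), and the sample chains are constructed rather than taken from a real capture.

```python
"""Added example, not Wireshark's code: rebuild the nested per-protocol packet
counts and percentages that Statistics > Protocol Hierarchy shows, from
constructed frame.protocols-style chains (one chain per captured frame)."""

# Constructed sample capture: one protocol chain per frame.
FRAME_PROTOCOLS = [
    "eth:ethertype:ip:tcp:http",
    "eth:ethertype:ip:tcp",
    "eth:ethertype:ip:tcp:http",
    "eth:ethertype:ip:udp:dns",
    "eth:ethertype:ip:udp:dns",
    "eth:ethertype:arp",
    "eth:ethertype:ip:tcp:tls",
    "eth:ethertype:ip:icmp",
]


def build_hierarchy(chains):
    """Nested dict {proto: {"packets": n, "children": {...}}}.

    A packet is counted once at every layer it carries, so a parent's count
    is always >= the sum of its children (a bare TCP segment counts under
    tcp but under none of tcp's children)."""
    root = {}
    for chain in chains:
        level = root
        for proto in chain.split(":"):
            node = level.setdefault(proto, {"packets": 0, "children": {}})
            node["packets"] += 1
            level = node["children"]
    return root


def render(tree, total, depth=0):
    """Flatten the tree into (indented name, packets, percent) rows, biggest
    protocol first at each level, like the GUI's expanded view."""
    rows = []
    for proto, node in sorted(tree.items(), key=lambda kv: -kv[1]["packets"]):
        pct = round(100.0 * node["packets"] / total, 1)
        rows.append(("  " * depth + proto, node["packets"], pct))
        rows.extend(render(node["children"], total, depth + 1))
    return rows


def protocol_hierarchy(chains):
    return render(build_hierarchy(chains), len(chains))


def protocol_share(chains, proto):
    """Percentage of all packets whose chain contains ``proto`` at any layer."""
    hits = sum(1 for chain in chains if proto in chain.split(":"))
    return round(100.0 * hits / len(chains), 1)


if __name__ == "__main__":
    for name, count, pct in protocol_hierarchy(FRAME_PROTOCOLS):
        print(f"{name:<24}{count:>5}{pct:>8.1f}%")
```

Run as a script it prints the indented table; protocol_share answers the quick "how much of this is DNS?" question without walking the tree.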

Can I see an entire conversation's content rather than piecing together individual packets?

Yes, the Follow Stream feature reconstructs the full data exchanged in a TCP or UDP connection into one readable view, which is considerably easier than manually reading through and mentally reassembling dozens of individual packets belonging to the same conversation.
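What Follow Stream does under the hood is worth seeing once, because it explains why the reconstructed view can differ from the packet list: segments are ordered by TCP sequence number rather than by arrival, and retransmitted or overlapping bytes are dropped so each byte of payload appears once. The example below is added here and is not Wireshark's implementation; its segments are constructed (a reordered client segment and a retransmitted server segment are included on purpose), and where bytes are absent from the capture it marks the gap inline, which is a choice of this example rather than Wireshark's behaviour.

```python
"""Added example, not Wireshark's code: reassemble one direction of a TCP
conversation from constructed segments, ordering by sequence number and
dropping retransmitted or overlapping data, then present both directions
the way a Follow Stream pane would."""
from collections import namedtuple

Segment = namedtuple("Segment", "frame src dst seq payload")

# Constructed capture: client 10.0.0.1:51000 talks to server 10.0.0.2:80.
# Frame 3 was captured before frame 2 (reordered) and frame 5 is a
# retransmission of frame 4.
SEGMENTS = [
    Segment(1, "10.0.0.1:51000", "10.0.0.2:80", 1000, b"GET /index.html HTTP/1.1\r\n"),
    Segment(3, "10.0.0.1:51000", "10.0.0.2:80", 1046, b"\r\n"),
    Segment(2, "10.0.0.1:51000", "10.0.0.2:80", 1026, b"Host: example.test\r\n"),
    Segment(4, "10.0.0.2:80", "10.0.0.1:51000", 5000, b"HTTP/1.1 200 OK\r\n"),
    Segment(5, "10.0.0.2:80", "10.0.0.1:51000", 5000, b"HTTP/1.1 200 OK\r\n"),
    Segment(6, "10.0.0.2:80", "10.0.0.1:51000", 5017, b"Content-Length: 2\r\n\r\nok"),
]


def reassemble_direction(segments):
    """Payload of one direction in sequence order, each byte delivered once.

    Bytes below the next expected sequence number are duplicates (retransmits
    or overlaps) and are skipped; a jump above it means the capture is missing
    data, which is marked inline rather than silently joined."""
    data, expected = bytearray(), None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        end = seg.seq + len(seg.payload)
        if end <= expected:                 # entirely already delivered
            continue
        if seg.seq > expected:              # hole in the capture
            data += b"[%d bytes missing]" % (seg.seq - expected)
            expected = seg.seq
        data += seg.payload[expected - seg.seq:]   # drop overlapping prefix
        expected = end
    return bytes(data)


def follow_stream(segments):
    """[(direction label, reassembled bytes), ...], directions in the order
    they first appear in the capture (client request first, then reply)."""
    directions = []
    for seg in sorted(segments, key=lambda s: s.frame):
        if (seg.src, seg.dst) not in directions:
            directions.append((seg.src, seg.dst))
    return [
        (f"{src} -> {dst}",
         reassemble_direction([s for s in segments if (s.src, s.dst) == (src, dst)]))
        for src, dst in directions
    ]


if __name__ == "__main__":
    for label, payload in follow_stream(SEGMENTS):
        print(label)
        print(payload.decode("ascii", errors="replace"))
```

The duplicate-suppression step is the one that matters for analysis: a capture with heavy retransmission (the "Bad TCP" case a coloring rule typically highlights) still yields a single clean copy of the application data.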

Do coloring rules use the same syntax as display filters?

Yes, coloring rules are built using the identical display filter expression syntax, just applied persistently to visually highlight matching packets with a custom color rather than hiding non-matching ones, letting specific patterns like retransmissions stand out visually while still viewing the full unfiltered packet list.
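To make the shared-syntax point concrete, and to show how display filters from the Filtering section evaluate against packets, here is an added example (not Wireshark's code) with a small evaluator for the subset of the filter language this page quotes: bare field presence such as http.request, field == value comparisons, !, &&, || and parentheses. The same evaluator then drives coloring rules written in the layout of Wireshark's colorfilters file (@name@filter@[bg][fg], with a leading ! for a disabled rule), applied first-match-wins in file order. Packets are constructed dicts mapping a field name to a list of its values, because a field such as ip.addr occurs twice in one packet (source and destination) and a comparison is true when any occurrence matches. The packets, the rule file and the colour values are all constructed for the example.

```python
"""Added example, not Wireshark's code: a tiny display-filter evaluator
(presence, ==, !, &&, ||, parentheses) over constructed packets, reused to
apply coloring rules from a constructed colorfilters-format snippet."""
import re

TOKEN = re.compile(r'==|&&|\|\||!|\(|\)|[\w.:]+')

def tokenize(expr):
    toks = TOKEN.findall(expr)
    if "".join(toks) != "".join(expr.split()):   # something was not a token
        raise ValueError(f"bad filter: {expr!r}")
    return toks

class Parser:
    """Recursive descent; precedence from loosest to tightest: ||, &&, !."""
    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if expected is not None and tok != expected:
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def parse_binary(self, level=0):
        ops = ("||", "&&")
        if level == len(ops):
            return self.parse_not()
        node = self.parse_binary(level + 1)
        while self.peek() == ops[level]:
            self.take()
            node = (ops[level], node, self.parse_binary(level + 1))
        return node

    def parse_not(self):
        if self.peek() == "!":
            self.take()
            return ("!", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        if self.peek() == "(":
            self.take()
            node = self.parse_binary()
            self.take(")")
            return node
        field = self.take()
        if self.peek() == "==":
            self.take()
            return ("==", field, self.take())
        return ("present", field)      # bare field name: "is this field in the packet?"

def matches(node, packet):
    kind = node[0]
    if kind == "present":
        return node[1] in packet
    if kind == "==":   # true when ANY occurrence of the field equals the value
        return node[2] in [str(v) for v in packet.get(node[1], [])]
    if kind == "!":
        return not matches(node[1], packet)
    left, right = matches(node[1], packet), matches(node[2], packet)
    return (left and right) if kind == "&&" else (left or right)

def apply_filter(expr, packets):
    """Indices of the packets a display filter would leave visible."""
    node = Parser(expr).parse_binary()
    return [i for i, p in enumerate(packets) if matches(node, p)]

# colorfilters line: @name@filter@[bg_r,bg_g,bg_b][fg_r,fg_g,fg_b]; leading "!" = disabled
RULE = re.compile(r'^(!?)@([^@]*)@([^@]*)@\[\d+,\d+,\d+\]\[\d+,\d+,\d+\]$')

def parse_colorfilters(text):
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        if not m.group(1):             # disabled rules never match
            rules.append((m.group(2), Parser(m.group(3)).parse_binary()))
    return rules

def colorize(rules, packets):
    """Name of the first rule in file order that matches each packet, or None."""
    return [next((name for name, node in rules if matches(node, p)), None)
            for p in packets]

# Constructed sample packets and a constructed colorfilters snippet.
PACKETS = [
    {"ip.addr": ["10.0.0.1", "10.0.0.2"], "tcp": [], "http.request": []},
    {"ip.addr": ["10.0.0.2", "10.0.0.1"], "tcp": [], "tcp.analysis.retransmission": []},
    {"ip.addr": ["10.0.0.3", "192.168.1.53"], "udp": [], "dns": [], "dns.flags.rcode": ["3"]},
    {"ip.addr": ["10.0.0.9", "10.0.0.3"], "tcp": []},
]
COLORFILTERS = """\
@Bad TCP@tcp.analysis.retransmission@[65535,0,0][65535,65535,65535]
@DNS error@dns && dns.flags.rcode == 3@[65535,65535,0][0,0,0]
@HTTP@http.request@[57000,65535,57000][0,0,0]
!@Disabled catch-all@tcp@[0,0,0][0,0,0]
@TCP@tcp@[59000,59000,65535][0,0,0]
"""
```

Two things the code makes visible that the GUI hides: ip.addr == 10.0.0.1 selects packets in both directions because the comparison succeeds on either occurrence of the field, and rule order decides the colour, so a broad rule placed above a specific one (here, TCP above Bad TCP) would swallow every match the specific rule was meant to flag.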

What is the Expression Builder, and when should I use it instead of typing a filter directly?

The Expression Builder is a guided dialog that lets you construct a display filter by browsing field names and selecting comparison operators rather than typing filter syntax from memory, most useful while still learning which of Wireshark's hundreds of protocol fields corresponds to what you're trying to isolate, though experienced users typically type filters directly once familiar with common expressions.