Eric Partington

RSA NetWitness Query Syntax Compared to Wireshark Display Filters

Blog post created by Eric Partington on Aug 23, 2018

Wireshark has been around for a long time, and its display filters are a good reference point for learning about network (packet) traffic and for navigating the various parts of sessions and streams.


Below is a handy reference that cross-references many of the common Wireshark display filters with their RSA NetWitness query equivalents. One difference to keep in mind throughout: Wireshark filters match on fields decoded from each packet, while NetWitness queries match on meta keys that its parsers extracted from the whole session. In particular, the NetWitness service key is the protocol as identified by the parser, not the TCP port; the port itself lives in tcp.srcport and tcp.dstport.


This is where I pulled the Wireshark display filters from: DisplayFilters - The Wireshark Wiki


Show only SMTP (port 25) and ICMP traffic:

Wireshark: tcp.port eq 25 or icmp
NetWitness: service=25 || ip.proto=1,58 (icmp or ipv6 icmp)
NetWitness: tcp.dstport=25 || ip.proto=1,58 (icmp or ipv6 icmp)

Note that service=25 matches sessions the parser identified as SMTP on whatever port they used, while tcp.dstport=25 matches the destination port alone. Wireshark's tcp.port tests both ends of the connection; the literal NetWitness equivalent of that is tcp.srcport=25 || tcp.dstport=25.


Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:

Wireshark: ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
NetWitness: ip.src=192.168.0.0/16 && ip.dst=192.168.0.0/16
NetWitness: direction='lateral' (RFC1918 to RFC1918)

The direction meta key is populated by the traffic flow parser, and 'lateral' covers all three RFC1918 ranges rather than just 192.168.0.0/16, so the second NetWitness row is broader than the Wireshark filter.


Filter on Windows -- Filter out noise, while watching Windows Client - DC exchanges:

Wireshark: smb || nbns || dcerpc || nbss || dns
NetWitness: service=139,137,135,53

Both smb and nbss resolve to service 139, so the value only needs to appear once in the list. Because service is the parser-identified protocol, service=139 also catches SMB carried directly over TCP 445.


Match HTTP requests where the last characters in the uri are the characters "gl=se":

Wireshark: http.request.uri matches "gl=se$"
NetWitness: service=80 && query ends 'gl=se'


Filter by a protocol ( e.g. SIP ) and filter out unwanted IPs (substitute the addresses to exclude for xxx.xxx.xxx.xxx):

Wireshark: ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip
NetWitness: service=5060 && ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx


ip.addr == xxx.xxx.xxx.xxx is equivalent to:

Wireshark: ip.src == xxx.xxx.xxx.xxx or ip.dst == xxx.xxx.xxx.xxx
NetWitness: ip.src=xxx.xxx.xxx.xxx || ip.dst=xxx.xxx.xxx.xxx

Be careful when negating this: ip.addr != xxx.xxx.xxx.xxx expands to ip.src != xxx.xxx.xxx.xxx or ip.dst != xxx.xxx.xxx.xxx, which is true for almost every packet. To exclude a host, AND the two inequalities together as in the SIP example above.


Here's where I pulled some additional filters for mapping: HTTP Packet Capturing to debug Apache


View all http traffic

Wireshark: http
NetWitness: service=80

View all flash video stuff

Wireshark: http.request.uri contains "flv" or http.request.uri contains "swf" or http.content_type contains "flash" or http.content_type contains "video"
NetWitness: service=80 && (query contains 'flv' || query contains 'swf' || content contains 'flash' || content contains 'video')

NetWitness splits the request URI into the directory, filename and query meta keys, and query holds only the part after the '?'. A request for a path such as /media/clip.flv with no query string lands in filename, so to cover the whole URI the way Wireshark's http.request.uri does, also test filename contains 'flv' || filename contains 'swf'.


Show only certain responses

Wireshark: http.response.code == 404
NetWitness: service=80 && error begins '404'
NetWitness: service=80 && result.code = '404'

Wireshark: http.response.code == 200
NetWitness: service=80 && error !exists (200 responses are not explicitly captured)
NetWitness: service=80 && result.code !exists (200 responses are not explicitly captured)

The !exists form is broader than Wireshark's == 200: it also matches HTTP sessions in which no response was seen at all (one-sided or truncated captures), so read it as "no error recorded" rather than "returned 200".


Show only certain http methods

Wireshark: http.request.method == "POST" || http.request.method == "PUT"
NetWitness: service=80 && action='post','put'

NetWitness stores the method in lowercase in the action key, and the comma-separated list is the NetWitness shorthand for OR across several values of one key.


Show only filetypes that begin with "text"

Wireshark: http.content_type[0:4] == "text"
NetWitness: service=80 && content begins 'text'
NetWitness: service=80 && filetype begins 'text'
NetWitness: service=80 && filename begins 'text'

The Wireshark test is on the declared Content-Type header, which NetWitness stores in the content key, so content begins 'text' is the direct equivalent. The filetype key is NetWitness's own identification of the payload and filename comes from the request URL, so the other two rows can match a different set of sessions.


Show only javascript

Wireshark: http.content_type contains "javascript"
NetWitness: service=80 && content contains 'javascript'


Show all http with content-type="image/(gif|jpeg|png|etc)"

Wireshark: http.content_type[0:5] == "image"
NetWitness: service=80 && content = 'image/gif','image/jpeg','image/png' (extend the list for any other image types you care about)

Since the Wireshark side is a prefix test, the direct NetWitness equivalent is service=80 && content begins 'image/', which covers every image subtype without listing them.


Show all http with content-type="image/gif"

Wireshark: http.content_type == "image/gif"
NetWitness: service=80 && content = 'image/gif'
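To make the syntax differences in the table above concrete, here is a small Python translator that takes a Wireshark display filter in the subset used above and emits the NetWitness query. It is an added example written for this page, not code from the original post or from RSA. The field-to-meta-key and protocol-to-service mappings are the ones in the table; everything else is my own generalization of what the rows show: double-quoted Wireshark strings become single-quoted NetWitness text values, "key == a || key == b" collapses to the NetWitness value list "key=a,b", a "[0:n] ==" slice becomes "begins", a "$"-anchored literal in "matches" becomes "ends" (any real regex is kept under NetWitness's regex operator), ip.addr expands to ip.src || ip.dst, HTTP methods are lowercased into action, and any query touching an http.* field is scoped with "service=80 &&" the way the table does.

```python
import re
from collections import namedtuple

# Wireshark field -> NetWitness meta key, from the table above (tcp.port -> tcp.dstport as the post maps it)
FIELD_MAP = {"ip.src": "ip.src", "ip.dst": "ip.dst", "tcp.port": "tcp.dstport",
             "http.request.uri": "query", "http.request.method": "action",
             "http.response.code": "result.code", "http.content_type": "content"}
TEXT_KEYS = {"query", "action", "result.code", "content"}  # text meta: values are single-quoted
SERVICE_IDS = {"smtp": 25, "dns": 53, "http": 80, "smb": 139, "nbns": 137,
               "dcerpc": 135, "nbss": 139, "sip": 5060}  # bare protocol name -> service id
IP_PROTO = {"icmp": 1, "icmpv6": 58}                      # bare protocol name -> ip.proto number
TOKEN_RE = re.compile(r'\s*(?:(?P<str>"(?:[^"\\]|\\.)*")|(?P<op>==|!=|&&|\|\||[()])'
                      r'|(?P<word>[A-Za-z0-9_./:-]+(?:\[\d+:\d+\])?))')
# eq=(key, value) marks a plain equality test; is_or marks an unparenthesised || chain
Node = namedtuple("Node", "text eq is_or", defaults=(None, False))

def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text.rstrip()):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize at {text[pos:]!r}")
        tokens.append(m.group("str") or m.group("op") or m.group("word"))
        pos = m.end()
    return tokens

class Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
        self.http_seen = self.http_field = False
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]  # IndexError here means the filter ended early
    def chain(self, ops, sub):  # sub (op sub)*; Wireshark's "and" binds tighter than "or"
        parts = [sub()]
        while self.peek() in ops:
            self.take()
            parts.append(sub())
        return parts
    def parse_or(self):
        parts = self.chain(("or", "||"), self.parse_and)
        if len(parts) == 1:
            return parts[0]
        if all(p.eq for p in parts) and len({p.eq[0] for p in parts}) == 1:
            # key=a || key=b collapses to NetWitness's value list key=a,b (deduplicated)
            return Node(f"{parts[0].eq[0]}={','.join(dict.fromkeys(p.eq[1] for p in parts))}")
        return Node(" || ".join(p.text for p in parts), is_or=True)
    def parse_and(self):
        parts = self.chain(("and", "&&"), self.parse_atom)
        if len(parts) == 1:
            return parts[0]
        return Node(" && ".join(f"({p.text})" if p.is_or else p.text for p in parts))
    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return Node(f"({inner.text})")
        for table, key in ((IP_PROTO, "ip.proto"), (SERVICE_IDS, "service")):
            if tok in table:  # NetWitness service is the parser-identified protocol, not the port number
                self.http_seen |= tok == "http"
                return Node(f"{key}={table[tok]}", eq=(key, str(table[tok])))
        m = re.fullmatch(r"(.+)\[0:(\d+)\]", tok)  # Wireshark prefix slice: field[0:n]
        field, prefix_len = (m.group(1), int(m.group(2))) if m else (tok, None)
        return self.comparison(field, prefix_len, self.take(), self.take())
    def comparison(self, field, prefix_len, op, raw):
        if field == "ip.addr":  # Wireshark shorthand for either address; NetWitness needs both keys
            lhs, rhs = (self.comparison(f, prefix_len, op, raw) for f in ("ip.src", "ip.dst"))
            return Node(f"{lhs.text} || {rhs.text}", is_or=True)
        key = FIELD_MAP[field]  # KeyError: no NetWitness mapping for this Wireshark field
        self.http_field |= field.startswith("http.")
        value = raw[1:-1] if raw.startswith('"') else raw  # Wireshark double quotes -> bare value
        if key == "action":
            value = value.lower()  # NetWitness records HTTP methods in lowercase ('post', 'put')
        quoted = f"'{value}'" if key in TEXT_KEYS else value
        if op in ("==", "eq") and prefix_len is not None:
            return Node(f"{key} begins {quoted}")  # field[0:n] == "lit" is a prefix test
        if op in ("==", "eq"):
            return Node(f"{key}={quoted}", eq=(key, quoted))
        if op in ("!=", "ne", "contains"):
            return Node(f"{key} {'contains' if op == 'contains' else '!='} {quoted}")
        if op == "matches":  # a $-anchored literal becomes "ends"; any real regex is kept as one
            if value.endswith("$") and not re.search(r"[.*+?\[\]{}|()\\^]", value[:-1]):
                return Node(f"{key} ends '{value[:-1]}'")
            return Node(f"{key} regex '{value}'")
        raise ValueError(f"unsupported operator {op!r}")

def translate(display_filter):
    """Return the NetWitness query equivalent to a Wireshark display filter."""
    p = Parser(tokenize(display_filter))
    node = p.parse_or()
    if p.peek() is not None:
        raise ValueError(f"unexpected token {p.peek()!r}")
    if p.http_field and not p.http_seen:  # scope HTTP-field tests to HTTP sessions, as the table does
        return f"service=80 && ({node.text})" if node.is_or else f"service=80 && {node.text}"
    return node.text
```

Feeding it the filters from the table reproduces the NetWitness rows, for example translate('smb || nbns || dcerpc || nbss || dns') gives service=139,137,135,53 and translate('http.request.method == "POST" || http.request.method == "PUT"') gives service=80 && action='post','put'. Two of the rows above deliberately fall outside what a mechanical translation can do: http.response.code == 200 comes out as result.code='200', which NetWitness never records (use the !exists form from the table), and the direction='lateral' shortcut has no Wireshark counterpart at all.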


Hope this is helpful for everyone and as always, Happy Hunting!