Wireshark Filters Every Network Engineer Should Know: Capturing and Analyzing Cisco IOS-XE Traffic

Wireshark Filters Every Network Engineer Should Know: Capturing and Analyzing Cisco IOS-XE Traffic

Why Network Engineers Need Wireshark in Their Toolkit

When a router CLI shows you everything except the answer you need, Wireshark is where you go next. It doesn’t lie, it doesn’t summarize, and it doesn’t hide Layer 2 frames behind abstraction. Every hello packet, every TCP retransmit, every DHCP DISCOVER that never gets a reply — it’s all there in raw form.

The problem is that most engineers open Wireshark, get slammed with a wall of traffic, and give up on filters entirely. That’s leaving one of the most powerful diagnostic tools in networking half-used. This guide covers the Wireshark display filters that actually move the needle for Cisco IOS-XE work, plus how to get packets off the wire in the first place using SPAN on a Catalyst switch.


Step 1: Getting Packets to Wireshark via Cisco SPAN

Wireshark needs to see traffic it wouldn’t normally receive. On a Cisco Catalyst running IOS-XE, you do that with a SPAN (Switched Port Analyzer) session — also called port mirroring. You mirror one or more source ports to a monitor port where your capture machine sits.

Basic local SPAN on a Catalyst 9000:

! Mirror all traffic from Gi1/0/1 to Gi1/0/48
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/48

! Verify the session
SW1# show monitor session 1
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi1/0/1
Destination Ports      : Gi1/0/48
    Encapsulation      : Native
          Ingress      : Disabled

If you need to capture a VLAN instead of a single port — useful for broadcast-domain-level issues — mirror the entire VLAN:

monitor session 1 source vlan 10 both
monitor session 1 destination interface GigabitEthernet1/0/48

For remote captures across the network, RSPAN (Remote SPAN) uses a dedicated VLAN to carry mirrored traffic to a remote switch. That’s a longer topic, but the principle is the same: get packets to a destination port where Wireshark can see them.

Once your capture machine is plugged into the destination port, open Wireshark and start capturing on that interface. You’ll see all traffic from the source — in both directions if you specified both.


Capture Filters vs. Display Filters

Before diving into filters, it’s important to know the difference between the two filter types in Wireshark:

  • Capture filters (BPF syntax): Applied at capture time. Only matching packets are stored. Use these when you’re capturing to disk and want to reduce file size. Syntax is different from display filters.
  • Display filters (Wireshark syntax): Applied after capture. All packets are stored, but only matching ones are shown. More flexible and forgiving.

For most troubleshooting workflows, you’ll use display filters. Capture everything first, then drill down. The rest of this guide covers display filter syntax.


Essential Display Filters for Everyday Troubleshooting

Filter by IP Address

ip.addr == 192.168.1.1              ! Any packet to or from this host
ip.src == 192.168.1.1               ! Only packets FROM this host
ip.dst == 10.0.0.1                  ! Only packets TO this host
ip.addr == 192.168.0.0/24           ! Entire subnet
not ip.addr == 192.168.1.1          ! Exclude a host (useful to filter out your own machine)

Filter by Protocol

tcp                                  ! All TCP traffic
udp                                  ! All UDP traffic
icmp                                 ! Ping / ICMP
icmpv6                               ! ICMPv6 (neighbor discovery, router advertisements)
arp                                  ! ARP requests and replies

Filter by Port

tcp.port == 22                       ! SSH
tcp.port == 443                      ! HTTPS
tcp.port == 179                      ! BGP
udp.port == 161                      ! SNMP
udp.port == 67 or udp.port == 68    ! DHCP
tcp.port == 49                       ! TACACS+

Combining Filters

ip.addr == 10.0.0.1 and tcp.port == 179         ! BGP traffic to/from a specific peer
ip.src == 10.0.0.1 and not tcp.port == 22       ! Everything from host except SSH
(ip.addr == 10.0.0.1 or ip.addr == 10.0.0.2) and ospf  ! OSPF between two routers

Cisco Protocol Filters

CDP — Cisco Discovery Protocol

CDP is a Layer 2 protocol that runs between directly connected Cisco devices. If you’re troubleshooting neighbor discovery or trying to confirm topology, capture CDP frames:

cdp

CDP frames are sent every 60 seconds by default. In the capture you’ll see the sending device’s hostname, IOS version, capabilities, and IP addresses — same information as show cdp neighbors detail but raw from the wire.

Verify CDP is running on the switch side:

SW1# show cdp interface GigabitEthernet1/0/1
GigabitEthernet1/0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds

LLDP — Link Layer Discovery Protocol

lldp

LLDP is the vendor-neutral equivalent to CDP, used in multi-vendor environments and required when connecting to non-Cisco infrastructure. The Wireshark dissector decodes LLDP TLVs cleanly, showing chassis ID, port ID, system name, and capabilities.

STP / RSTP — Spanning Tree Protocol

Spanning Tree issues — topology changes, port state transitions, root bridge elections — are notoriously hard to catch with CLI alone because they’re often transient. Wireshark gives you the full picture:

stp

In the STP packets you’ll see BPDUs with the root bridge ID, root path cost, port ID, and BPDU type. For RSTP, look for Proposal/Agreement handshakes (BPDU flags field: Proposal bit and Agreement bit).

If you’re seeing unexpected topology changes, filter specifically for TCN (Topology Change Notification) BPDUs:

stp.flags.tc == 1

This isolates BPDUs with the Topology Change flag set — telling you exactly which port is triggering the TC, which you can then trace back to the source.

To cross-reference what the switch sees during the capture:

SW1# show spanning-tree detail
 VLAN0010 is executing the rstp compatible Spanning Tree protocol
  Bridge Identifier has priority 32778, sysid 10, address aabb.cc00.0100
  ...
  Number of topology changes 3 last change occurred 00:02:15 ago
          from GigabitEthernet1/0/5

OSPF — Open Shortest Path First

OSPF runs directly over IP (protocol 89) and uses multicast addresses 224.0.0.5 (All OSPF Routers) and 224.0.0.6 (All Designated Routers). The Wireshark filter is simply:

ospf

Common OSPF troubleshooting scenarios with Wireshark:

Adjacency never reaches FULL state — capture Hello packets and check for mismatched parameters:

ospf.v2.type == 1                    ! Only Hello packets (type 1)

In the Hello packet details, verify these match on both sides: Hello/Dead intervals, Area ID, Authentication type, Stub area flag, and Subnet mask. A mismatch in any of these prevents adjacency. This is a great complement to the IOS-XE debug commands — for a deeper look at OSPF adjacency failures, see our OSPF troubleshooting guide.

Flapping adjacency — filter for DBD and LS Update exchanges to see if the adjacency is cycling through Init → 2-Way → ExStart → Exchange → Loading:

ospf.v2.type == 2                    ! Database Description (DBD) packets
ospf.v2.type == 4                    ! LS Update packets
ospf.v2.type == 3                    ! LS Request packets

On the router side, cross-reference with:

R1# debug ip ospf adj
*Jul 14 09:12:05.222: OSPF-1 ADJ   Gi0/0: Neighbor 10.0.0.2, state INIT -> 2WAY
*Jul 14 09:12:05.224: OSPF-1 ADJ   Gi0/0: Neighbor 10.0.0.2, state 2WAY -> EXSTART

BGP — Border Gateway Protocol

BGP runs over TCP port 179. Unlike OSPF, BGP is unicast and connection-oriented, making it easier to isolate:

bgp

Or filter for a specific BGP peer session:

ip.addr == 10.0.0.1 and bgp

In Wireshark, BGP messages are decoded with full detail — OPEN messages show AS number, Hold Time, and capabilities (4-byte AS, route refresh, multiprotocol extensions). UPDATE messages show withdrawn routes and NLRI. NOTIFICATION messages — the BGP equivalent of a hard reset — show the error code and subcode, which is essential for diagnosing why a session dropped.

Useful BGP-specific filters:

bgp.type == 1                        ! OPEN messages only
bgp.type == 2                        ! UPDATE messages only
bgp.type == 3                        ! NOTIFICATION messages (session errors)
bgp.type == 4                        ! KEEPALIVE messages
bgp.notify.major_error == 6          ! Cease notification (peer admin shutdown)

Understanding BGP behavior at the packet level pairs well with knowing the route policies in play — see our guide on how BGP runs the internet for context on what you’re seeing in those UPDATE messages.

HSRP / VRRP — First-Hop Redundancy

hsrp                                 ! HSRP hellos and state changes
vrrp                                 ! VRRP advertisements

HSRP uses UDP port 1985 on both versions. HSRPv1 multicasts to 224.0.0.2; HSRPv2 multicasts to 224.0.0.102. When capturing HSRP, you’ll see priority values and state in each hello — useful for confirming active/standby roles and catching unexpected preemption events.

DHCP

DHCP is UDP-based (client port 68, server port 67). The four-way exchange — DISCOVER, OFFER, REQUEST, ACK — is easy to follow in Wireshark:

dhcp
! Or use the older filter:
bootp

To find a specific client’s DHCP exchange by MAC address:

dhcp.hw.mac_addr == aa:bb:cc:dd:ee:ff

For DHCP starvation attacks (someone flooding DISCOVER packets), this filter shows the scope of it fast:

dhcp.option.dhcp == 1                ! Only DISCOVER messages

Practical Scenarios: End-to-End Troubleshooting Workflows

Scenario 1: Is OSPF actually sending Hellos?

A neighbor that never comes up can be caused by a configuration issue, an ACL dropping OSPF, or a Layer 2 problem. Wireshark answers this definitively:

! Filter: ospf.v2.type == 1
! What you should see: Hellos every 10 seconds (default) from each neighbor's interface IP
! What indicates a problem: Hellos from only one side, or no Hellos at all

If you see no Hellos, check that OSPF is enabled on the interface:

R1# show ip ospf interface GigabitEthernet0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet Address 10.0.0.1/30, Area 0, Attached via Network Statement
  Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Hello due in 00:00:04

If you see Hellos from only one side, check for an ACL on the remote end blocking protocol 89 or the OSPF multicast addresses:

R2# show ip access-lists
  ! Look for entries denying protocol 89, or blocking 224.0.0.5 (All OSPF Routers)

Scenario 2: BGP session keeps dropping

! Filter: ip.addr == PEER_IP and bgp
! Look for: NOTIFICATION messages — they contain the exact error code
! BGP error code 4 = Hold Timer Expired (keepalives not arriving in time)
! BGP error code 6 = Cease (usually admin shutdown or reset)

If you see BGP OPEN followed immediately by NOTIFICATION, the session is being rejected. Expand the NOTIFICATION in Wireshark — Error Code and Error Subcode tell you exactly why. For example, Error Code 2 Subcode 2 means “Bad Peer AS” — the remote router is rejecting the session because your AS number doesn’t match what it expects.

Scenario 3: VLAN traffic not reaching the right ports

When packets should be on a VLAN but aren’t arriving, capture on the trunk port and filter by VLAN tag:

vlan.id == 10                        ! Only traffic tagged with VLAN 10
vlan.id == 10 and ip.dst == 10.10.10.1   ! VLAN 10 traffic to a specific host

If you see frames on the trunk without the expected 802.1Q tag, the sending port may be misconfigured as an access port or the native VLAN is stripping the tag. Cross-reference with the interface config and VLAN database — our guide on VLAN segmentation covers the full config side of this.


Using tshark for CLI-Based Analysis

On a Linux jump box or monitoring server, tshark (the CLI version of Wireshark) lets you run the same filters without a GUI. This is especially useful for automated analysis or when you’re on a remote system via SSH:

# Install on Debian/Ubuntu
apt-get install -y tshark

# Live capture with display filter
tshark -i eth0 -f "host 10.0.0.1" -Y "ospf"

# Read a .pcap file and apply a display filter
tshark -r capture.pcap -Y "bgp.type == 3"

# Capture DHCP and show specific fields
tshark -i eth0 -Y "dhcp" -T fields -e dhcp.hw.mac_addr -e dhcp.option.dhcp -e ip.src

# Capture BGP NOTIFICATION messages, show error codes
tshark -r bgp_capture.pcap -Y "bgp.type == 3" \
  -T fields -e ip.src -e ip.dst \
  -e bgp.notify.major_error \
  -e bgp.notify.minor_error

tshark output can be piped into grep, awk, or Python for scripted analysis — very useful for parsing large captures looking for specific events.


Pro Tips for Efficient Wireshark Workflows

Follow TCP Stream

Right-click any packet in a TCP session → “Follow” → “TCP Stream”. Wireshark reconstructs the full conversation in order, showing the raw data exchange. For BGP or TACACS+ sessions this is invaluable — you can read the negotiation payload directly.

Coloring Rules

Go to View → Coloring Rules to highlight protocol families. A standard setup highlights OSPF in green, BGP in blue, TCP retransmits in red, and ICMP unreachables in orange. This makes multi-protocol captures significantly easier to parse visually.

Export Specific Packets

File → Export Specified Packets lets you export only the packets matching the current display filter to a new .pcap file. This is the right way to share a subset of a capture with a vendor TAC case — strip it down to just the relevant traffic and send a clean file.

Statistics → Conversations

The Conversations view (Statistics → Conversations) gives you a ranked list of all IP pairs by byte count and packet count. In a network issue, this immediately shows you which hosts are talking most — useful for spotting unexpected bandwidth consumers or flood sources before you even apply a display filter.


Quick Reference: Common Wireshark Filters for Cisco Engineers

! Routing Protocols
ospf                                 ! All OSPF
ospf.v2.type == 1                    ! OSPF Hellos only
bgp                                  ! All BGP
bgp.type == 3                        ! BGP NOTIFICATIONs (session errors)
eigrp                                ! EIGRP

! Layer 2 / Discovery
cdp                                  ! Cisco Discovery Protocol
lldp                                 ! Link Layer Discovery Protocol
stp                                  ! Spanning Tree (all types)
stp.flags.tc == 1                    ! STP Topology Change BPDUs

! First-Hop Redundancy
hsrp                                 ! HSRP (v1 and v2)
vrrp                                 ! VRRP

! Management / Control
dhcp                                 ! DHCP (all messages)
dns                                  ! DNS queries and responses
ntp                                  ! NTP sync traffic
snmp                                 ! SNMP polls and traps
tcp.port == 22                       ! SSH management sessions
tcp.port == 23                       ! Telnet (should not be present)
tcp.port == 49                       ! TACACS+ authentication

! Filtering Tricks
stp.flags.tc == 1                    ! STP topology change flag
vlan.id == 10                        ! 802.1Q tagged VLAN 10 frames
tcp.analysis.retransmission          ! TCP retransmits (congestion/loss indicator)
tcp.analysis.zero_window             ! TCP zero window (receiver buffer full)
icmp.type == 3                       ! ICMP Destination Unreachable

Putting It All Together

Wireshark doesn’t replace the CLI — it complements it. The CLI tells you the current state; Wireshark tells you what happened to get there. An OSPF adjacency stuck in INIT makes sense once Wireshark shows you that Hellos are arriving from only one side. A BGP session that keeps dropping makes sense once Wireshark reveals NOTIFICATION messages with error code 4 (Hold Timer Expired) — which points you directly at an MTU or transit delay issue killing keepalives.

The filters in this guide cover the protocols you’ll encounter daily on Cisco IOS-XE networks. Build a profile of your go-to filters, save them as Wireshark filter buttons (the “+” next to the filter bar), and they become a one-click diagnostic that takes seconds to apply during a live outage.

Get comfortable with SPAN configuration on your Catalyst switches — once that’s set up, pulling a packet capture from any segment in your network becomes a standard part of the troubleshooting toolkit, not a last resort.

Enjoying this post?

Get more guides like this delivered straight to your inbox. No spam, just tech and trails.