Wireshark Network Threat Forensics by Libor Benes (Dr. B)
3,100 Wireshark display filters for threat hunting, malware C2/beaconing detection, intrusion analysis, exfiltration, lateral movement, credential abuse, and network forensics. • Real-time search. • Fully offline. No Data Collection.
Extension Metadata
About this extension
Wireshark Network Threat Forensics is a security-first, offline Firefox sidebar extension that delivers instant, searchable access to 3,100 carefully curated Wireshark display filters — a unique (albeit logically non-exhaustive) collection focused on real-world network threat detection and digital forensics.
With the signature, hallmark architecture prioritizing the security-first approach, all processing and data are client-side — no telemetry, no network requests, no data collection.
During incident response, malware analysis, threat hunting, red-team/blue-team exercises, and forensic investigations, security professionals need rapid access to proven display filters capable of identifying command-and-control (C2) beaconing, data exfiltration, lateral movement, credential harvesting, ransomware precursors, port scans, MITM attempts, protocol abuse, and many other malicious behaviors.
This extension provides exactly that — a comprehensive, categorized reference of the most effective and up-to-date display filters, drawn from official Wireshark documentation, public cheat sheets, SANS posters, malware traffic analysis reports (Unit 42, Mandiant, Black Hills, etc.), and current 2025–2026 threat intelligence observations.
Purpose:
Rapid, searchable reference for Wireshark display filters — ideal for real-time packet analysis, threat hunting, incident response, malware traffic analysis, red-team/blue-team exercises, and forensic investigations.
About Wireshark:
Wireshark, originally authored as Ethereal in 1998 by Gerald Combs (a computer science graduate of the University of Missouri–Kansas City), is the world's leading open-source network protocol analyzer. It supports two distinct types of filters:
• Capture filters — applied during live capture using BPF syntax (e.g. tcp port 80), used to reduce the volume of recorded traffic.
• Display filters — applied after capture to filter, highlight, and analyze already-recorded packets using Wireshark's own powerful expression language (e.g. http.request.method == "POST" && http.request.uri contains "login").
This extension contains exclusively display filters — the far more expressive, flexible, and forensics-oriented type used for deep inspection of PCAP files or live sessions. It does not include capture filters, which are simpler and far less numerous.
Target Audience:
• Network Security Analysts & Threat Hunters.
• Incident Responders & DFIR Practitioners.
• Malware Reverse Engineers.
• Red Team / Penetration Testers.
• Blue Team / SOC Analysts.
• Forensic Investigators.
• Bug Bounty Hunters.
• Students & Educators in network security.
Key Categories Include:
• Frame & General
• Ethernet / Link Layer
• IP / ICMP / ICMPv6
• TCP Basics & Flags
• TCP Analysis & Errors
• UDP
• DNS (tunneling, DGA, exfil)
• HTTP / HTTPS / TLS (client hints, weak ciphers, downgrade)
• Suspicious / Security / Anomalies (scans, MITM, DoS)
• Malware / C2 / Beaconing Indicators
• Wireless / Wi-Fi / 802.11 (deauth, PMKID, evil twin)
• SMB / Windows Protocols (NTLM, PsExec, WMI)
• Email / SMTP / IMAP / POP (phishing, credential leaks)
• VoIP / RTP / SIP (toll fraud, call spam)
• Miscellaneous / Expert / Custom (rare patterns, high-entropy, shellcode).
Features:
• Real-time dynamic smart search across category, title, filter expression, and description.
• Click-to-copy display filter string with "Copied!" visual feedback.
• Syntax-highlighted filters (monospace) + highlighted search terms (<mark>).
• Terminal-inspired design.
• Fully offline — no network requests, no data collection.
• Compact with instant performance even on 3,100 entries.
Security & Privacy:
• Only one permission: clipboardWrite (required for copy-to-clipboard).
• Zero data collection — explicitly declared in manifest.json.
• No external requests, no analytics, no telemetry.
• No third-party libraries — 100% first-party code.
• Manifest v2 compliant with Mozilla review standards.
Technical Specifications:
• Compatibility: Firefox 109.0+ (64-bit desktop).
• Size: ~532 KB total (minimal memory footprint).
• Performance: Instant filtering on 3,100 entries.
• Tested on: Firefox 147.0.3 (February 2026).
Wireshark Network Threat Forensics brings a unique, powerful, comprehensive, security-first collection of display filters directly into your Firefox sidebar — ready for immediate use in threat hunting and forensic workflows, with complete offline privacy protection.
Happy network threat hunting — stay safe, stay offline.
With the signature, hallmark architecture prioritizing the security-first approach, all processing and data are client-side — no telemetry, no network requests, no data collection.
During incident response, malware analysis, threat hunting, red-team/blue-team exercises, and forensic investigations, security professionals need rapid access to proven display filters capable of identifying command-and-control (C2) beaconing, data exfiltration, lateral movement, credential harvesting, ransomware precursors, port scans, MITM attempts, protocol abuse, and many other malicious behaviors.
This extension provides exactly that — a comprehensive, categorized reference of the most effective and up-to-date display filters, drawn from official Wireshark documentation, public cheat sheets, SANS posters, malware traffic analysis reports (Unit 42, Mandiant, Black Hills, etc.), and current 2025–2026 threat intelligence observations.
Purpose:
Rapid, searchable reference for Wireshark display filters — ideal for real-time packet analysis, threat hunting, incident response, malware traffic analysis, red-team/blue-team exercises, and forensic investigations.
About Wireshark:
Wireshark, originally authored as Ethereal in 1998 by Gerald Combs (a computer science graduate of the University of Missouri–Kansas City), is the world's leading open-source network protocol analyzer. It supports two distinct types of filters:
• Capture filters — applied during live capture using BPF syntax (e.g. tcp port 80), used to reduce the volume of recorded traffic.
• Display filters — applied after capture to filter, highlight, and analyze already-recorded packets using Wireshark's own powerful expression language (e.g. http.request.method == "POST" && http.request.uri contains "login").
This extension contains exclusively display filters — the far more expressive, flexible, and forensics-oriented type used for deep inspection of PCAP files or live sessions. It does not include capture filters, which are simpler and far less numerous.
Target Audience:
• Network Security Analysts & Threat Hunters.
• Incident Responders & DFIR Practitioners.
• Malware Reverse Engineers.
• Red Team / Penetration Testers.
• Blue Team / SOC Analysts.
• Forensic Investigators.
• Bug Bounty Hunters.
• Students & Educators in network security.
Key Categories Include:
• Frame & General
• Ethernet / Link Layer
• IP / ICMP / ICMPv6
• TCP Basics & Flags
• TCP Analysis & Errors
• UDP
• DNS (tunneling, DGA, exfil)
• HTTP / HTTPS / TLS (client hints, weak ciphers, downgrade)
• Suspicious / Security / Anomalies (scans, MITM, DoS)
• Malware / C2 / Beaconing Indicators
• Wireless / Wi-Fi / 802.11 (deauth, PMKID, evil twin)
• SMB / Windows Protocols (NTLM, PsExec, WMI)
• Email / SMTP / IMAP / POP (phishing, credential leaks)
• VoIP / RTP / SIP (toll fraud, call spam)
• Miscellaneous / Expert / Custom (rare patterns, high-entropy, shellcode).
Features:
• Real-time dynamic smart search across category, title, filter expression, and description.
• Click-to-copy display filter string with "Copied!" visual feedback.
• Syntax-highlighted filters (monospace) + highlighted search terms (<mark>).
• Terminal-inspired design.
• Fully offline — no network requests, no data collection.
• Compact with instant performance even on 3,100 entries.
Security & Privacy:
• Only one permission: clipboardWrite (required for copy-to-clipboard).
• Zero data collection — explicitly declared in manifest.json.
• No external requests, no analytics, no telemetry.
• No third-party libraries — 100% first-party code.
• Manifest v2 compliant with Mozilla review standards.
Technical Specifications:
• Compatibility: Firefox 109.0+ (64-bit desktop).
• Size: ~532 KB total (minimal memory footprint).
• Performance: Instant filtering on 3,100 entries.
• Tested on: Firefox 147.0.3 (February 2026).
Wireshark Network Threat Forensics brings a unique, powerful, comprehensive, security-first collection of display filters directly into your Firefox sidebar — ready for immediate use in threat hunting and forensic workflows, with complete offline privacy protection.
Happy network threat hunting — stay safe, stay offline.
Rated 0 by 0 reviewers
Permissions and data
Required permissions:
- Input data to the clipboard
Data collection:
- The developer says this extension doesn't require data collection.
More information
- Add-on Links
- Version
- 1.0
- Size
- 150.99 KB
- Last updated
- 11 days ago (Feb 15, 2026)
- Related Categories
- License
- Mozilla Public License 2.0
- Version History
- Add to collection