Detection, Mitigation & Response

Detect and mitigate DDoS attacks in under 1 second, respond automatically, and keep your users informed.

All features →
1-Second Detection
Know the instant traffic spikes. PPS checked every second.
Attack Classification
Identifies 8 attack types with protocol-level confidence scores.
Node Firewall Rules
Per-server iptables, null-routes, CDN rules & scripts.
Cloud Scrubbing
Auto-divert to Cloudflare, OVH, or Hetzner on attack detection.
BGP Mitigation
Auto-deploy FlowSpec, RTBH blackhole & rate-limiting via BGP.
Multi-Channel Alerts
Discord, Slack, PagerDuty, OpsGenie, SMS, email, webhooks.
PCAP Capture
Full packet capture with AI-powered forensic analysis.
Layer 7 Detection
HTTP flood, credential stuffing, API abuse & bot detection.
Automated Runbooks
Chain mitigation steps into automated incident response playbooks.
Analytics Baselines Threat Intel & IOC Multi-Node Status Pages Correlation Audit Log Attack Profiles Flow Collection Mirror / SPAN Mode NEW
Learn
Documentation Quick Start API Reference Agent Setup DDoS Protection Landscape State of DDoS 2026 REPORT Free Certifications
Research & Guides
Mirai Botnet Kill Switch Research memcached Amplification Dynamic Baselines PCAP Forensics PagerDuty Setup
Company
About Us Partners Managed Protection Whitelabel / Reseller Affiliate Program Pay with Crypto System Status
Legal & Support
Contact Us Security Trust Center Terms Privacy SLA
Who Uses Flowtriq

From indie hosts to ISPs, see how teams like yours use Flowtriq to detect and stop DDoS attacks.

All Use Cases → Talk to Us →
Infrastructure
Hosting Providers ISPs MSPs/MSSPs Small Operators Routers Edge Node Defense Proxy Providers VPN Providers
Gaming & Entertainment
Game Server Hosting Game Studios Esports Platforms iGaming & Sportsbooks
Business & Emerging
SaaS Platforms E-Commerce Financial Services Compliance VoIP & Cloud Calling GPU & AI Cloud

Free Tool

Wireshark Display Filter Cheatsheet

Comprehensive, searchable reference of 80+ Wireshark display filters organized by category. Find the right filter instantly, copy it, or build custom compound filters.

Showing all 85 filters

Build Custom Filter

Combine multiple display filters with logical operators. Click "Add Condition" to build compound filters visually.

Why Wireshark Display Filters Matter

Wireshark captures every packet on the wire, but without effective display filters you're looking at a firehose of data. Display filters let you isolate the exact traffic you need — whether you're debugging a slow application, investigating a security incident, or analyzing DDoS attack patterns.

Unlike capture filters (BPF syntax), display filters use Wireshark's own rich expression language and can reference any protocol field that Wireshark dissects. They're applied after capture, so you can refine your view without losing data.

Using Filters for DDoS Detection

Network engineers frequently use Wireshark to analyze DDoS attacks after the fact. Filters like tcp.flags.syn==1 && tcp.flags.ack==0 help identify SYN floods, while dns.qr==0 && udp.length>512 can reveal DNS amplification attempts.

For real-time detection rather than post-incident analysis, Flowtriq monitors your traffic continuously and detects DDoS attacks in under 1 second — before you even have time to open Wireshark.

Protect Your Infrastructure with Flowtriq

Don't wait until you're reading PCAPs after an outage. Detect DDoS attacks in real-time.

Start Your Free Trial

Quick Reference Card

The 20 most essential Wireshark filters for DDoS analysis, organized by use case.

Attack Detection
tcp.flags.syn==1 && tcp.flags.ack==0
udp && frame.len < 100
icmp.type==8
dns.qry.type==255
ntp.priv.reqcode==42
Traffic Analysis
ip.src==x.x.x.x
tcp.port==80 || tcp.port==443
frame.len > 1400
tcp.analysis.retransmission
tcp.analysis.zero_window
Amplification
udp.srcport==53 && frame.len > 512
udp.srcport==123 && frame.len > 468
udp.srcport==11211
udp.srcport==1900
udp.srcport==19
Connection Issues
tcp.flags.reset==1
tcp.analysis.lost_segment
tcp.analysis.duplicate_ack
http.response.code >= 500
tcp.time_delta > 1
Export your results

FAQ

Frequently Asked Questions

What Wireshark display filter detects a DDoS attack?

For SYN floods: tcp.flags.syn==1 && tcp.flags.ack==0. For UDP floods: udp && frame.len < 100. For DNS amplification: dns.flags.response==1 && udp.length > 500. For ICMP floods: icmp && icmp.type==8. These filters isolate attack traffic for source IP analysis.

What is the difference between Wireshark capture filters and display filters?

Capture filters (BPF syntax) run during capture to limit what gets saved to disk. Display filters (Wireshark syntax) apply after capture in the UI. Capture: port 53. Display: dns.qry.name == "example.com". Capture filters cannot be changed after capture starts; display filters can be changed freely.

How do I analyze a DDoS PCAP in Wireshark?

Use Statistics → IO Graph for PPS/BPS visualization, Protocol Hierarchy to see the dominant protocol, Conversations to find top source IPs by volume, and Endpoints for geographic distribution. For SYN floods, add the TCP flags column and sort by tcp.flags.