Wireshark provides a simple but powerful display filter language that allows you
to build quite complex filter expressions. You can compare
values in packets as well as combine expressions into more
specific expressions. The following sections provide more
information on doing this.
Every field in the packet details pane can be used as a filter
string, this will result in showing only the packets where this field
exists. For example: the
filter string: tcp will show all packets containing the
tcp protocol.
There is a complete list of all filter fields available
through the menu item "Help/Supported Protocols" in the page "Display Filter
Fields" of the Supported Protocols dialog.
XXX - add some more info here and a link to the statusbar info.
You can express integers in decimal, octal, or
hexadecimal. The following display filters are
equivalent:
ip.len le 1500
ip.len le 02734
ip.len le 0x436
Signed integer (8-bit, 16-bit, 24-bit, 32-bit)
Boolean
A boolean field is present in the protocol decode
only if its value is true. For example,
tcp.flags.syn is present, and
thus true, only if the SYN flag is present in a
TCP segment header.
Thus the filter expression
tcp.flags.syn will select only
those packets for which this flag exists, that is,
TCP segments where the segment header contains the
SYN flag. Similarly, to find source-routed token
ring packets, use a filter expression of
tr.sr.
Ethernet address (6 bytes)
Separators can be a colon
(:), dot (.) or dash (-) and can have one or
two bytes between separators:
Classless InterDomain Routing (CIDR) notation
can be used to test if an IPv4 address is in a
certain subnet. For example, this display filter
will find all packets in the 129.111 Class-B
network:
Wireshark allows you to select subsequences of a
sequence in rather elaborate ways. After a label you
can place a pair of brackets [] containing a comma
separated list of range specifiers.
eth.src[0:3] == 00:00:83
The example above uses the n:m format to specify a
single range. In this case n is the beginning offset
and m is the length of the range
being specified.
eth.src[1-2] == 00:83
The example above uses the n-m format to specify a
single range. In this case n is the beginning offset
and m is the ending offset.
eth.src[:4] == 00:00:83:00
The example above uses the :m format, which takes
everything from the beginning of a sequence to offset m.
It is equivalent to 0:m
eth.src[4:] == 20:20
The example above uses the n: format, which takes
everything from offset n to the end of the
sequence.
eth.src[2] == 83
The example above uses the n format to specify a
single range. In this case the element in the
sequence at offset n is selected. This is equivalent
to n:1.
Wireshark allows you to string together single ranges
in a comma separated list to form compound ranges as
shown above.
6.4.4. A common mistake
Warning!
Using the != operator on combined expressions like: eth.addr, ip.addr,
tcp.port, udp.port and alike will probably not work as expected!
Often people use a filter string to display something like
ip.addr == 1.2.3.4 which will display all packets
containing the IP address 1.2.3.4.
Then they use ip.addr != 1.2.3.4 to see all packets
not containing the IP address 1.2.3.4 in it. Unfortunately, this does
not do the expected.
Instead, that expression will even be true for packets where either
source or destination IP address equals 1.2.3.4. The reason for this,
is that the expression ip.addr != 1.2.3.4 must be read as "the
packet contains a field named ip.addr with a value
different from 1.2.3.4". As an IP datagram contains both a source and
a destination address, the expression will evaluate to true whenever
at least one of the two addresses differs from 1.2.3.4.
If you want to
filter out all packets containing IP datagrams to or from IP address
1.2.3.4, then the correct filter is !(ip.addr == 1.2.3.4) as it
reads "show me all the packets for which it is not true
that a field named ip.addr exists with a value of 1.2.3.4", or in
other words, "filter out all packets for which there are
no occurrences of a field named ip.addr with the value 1.2.3.4".
Published under the terms fo the GNU General Public License