6.5. The "Filter Expression" dialog box
When you are accustomed to Wireshark's filtering system and know what
labels you wish to use in your filters it can be very quick to
simply type a filter string. However, if you are new to Wireshark or
are working with a slightly unfamiliar protocol it can be very
confusing to try to figure out what to type. The "Filter Expression"
dialog box helps with this.
The "Filter Expression" dialog box is an excellent way to learn how to
write Wireshark display filter strings.
Figure 6.6. The "Filter Expression" dialog box
When you first bring up the Filter Expression dialog box you are shown a
tree list of field names, organized by protocol, and a box for
selecting a relation.
Field Name: Select a protocol field from the protocol field tree.
Every protocol with filterable fields is listed at the
top level. (You can search for a particular protocol
entry by entering the first few letters of the protocol name.)
By clicking on the "+" next to a protocol name
you can get a list of the field names available for filtering
for that protocol.
Relation: Select a relation from the list of available relations.
"is present" is a unary relation which
is true if the selected field is present in a packet. All
other listed relations are binary relations which require additional
data (e.g. a value to match) to complete.
Value: When you select a field from the field name list and select a
binary relation (such as the equality relation ==) you will be
given the opportunity to enter a value, and possibly some range
information. You may enter an appropriate value in the Value
text box. The Value box will also indicate the type of value for the
field name you have selected (like character string).
Predefined values: Some of the protocol fields have predefined values available, much like
enum's in C. If the selected protocol field has such values defined, you
can choose one of them here.
Range: XXX - add an explanation here!
OK: When you have built a satisfactory expression click OK
and a filter string will be
built for you.
Cancel: You can leave the "Filter Expression" dialog
box without any effect by clicking the Cancel button.
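The strings the dialog assembles from a field name, a relation and a value follow Wireshark's display filter grammar: a unary "is present" relation is written as the bare field name, while a binary relation needs a value, and the value is quoted only when the field's type is a character string. The following Python is an added example, not code from the Wireshark User's Guide or from Wireshark itself; the function names (build_filter, combine), the subset of relations listed, and the value_type labels "string", "number" and "address" are assumptions chosen to mirror what the dialog shows.

```python
# Added example (not Wireshark's own code): build the display filter string
# that the "Filter Expression" dialog would produce for one field/relation/value
# triple, distinguishing the unary "is present" relation from binary ones.

# Relations as they appear in a display filter string (assumed subset).
UNARY_RELATIONS = {"is present"}
BINARY_RELATIONS = {"==", "!=", ">", "<", ">=", "<=", "contains", "matches"}

# Value types the dialog reports for a field (assumed labels). Character
# strings are quoted; numbers and addresses are written as-is.
VALUE_TYPES = {"string", "number", "address"}


def build_filter(field, relation, value=None, value_type="string"):
    """Return the display filter string for field/relation/value.

    "is present" is unary: the filter is just the field name and a value
    is an error. Every other relation is binary and requires a value.
    """
    if relation in UNARY_RELATIONS:
        if value is not None:
            raise ValueError(f"{relation!r} takes no value")
        return field
    if relation not in BINARY_RELATIONS:
        raise ValueError(f"unknown relation {relation!r}")
    if value is None:
        raise ValueError(f"{relation!r} needs a value to match")
    if value_type not in VALUE_TYPES:
        raise ValueError(f"unknown value type {value_type!r}")
    if value_type == "string":
        # Quote the string and escape embedded backslashes and quotes.
        escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
        rendered = f'"{escaped}"'
    else:
        rendered = str(value)
    return f"{field} {relation} {rendered}"


def combine(*clauses, op="&&"):
    """Join several filter clauses with a logical operator, parenthesising each."""
    return f" {op} ".join(f"({clause})" for clause in clauses)


if __name__ == "__main__":
    # Constructed sample inputs, as one might pick them in the dialog.
    print(build_filter("ip.addr", "is present"))
    print(build_filter("tcp.port", "==", 80, value_type="number"))
    print(build_filter("http.request.method", "==", "GET"))
    print(build_filter("ip.src", "!=", "192.0.2.1", value_type="address"))
    print(combine(build_filter("tcp.port", "==", 443, value_type="number"),
                  build_filter("tls.handshake.type", "is present")))
```

The value_type argument stands in for the type the Value box displays: choosing it wrongly (quoting an address, or leaving a string unquoted) yields a filter Wireshark rejects or that never matches, which is exactly the mistake the dialog's type hint is there to prevent.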