6.5. The "Filter Expression" dialog box
When you are accustomed to Wireshark's filtering system and know what
labels you wish to use in your filters, it can be very quick to
simply type a filter string. However, if you are new to Wireshark or
are working with a slightly unfamiliar protocol, it can be very
confusing to try to figure out what to type. The Filter Expression
dialog box helps with this.
Tip!
The "Filter Expression" dialog box is an excellent way to learn how to
write Wireshark display filter strings.
When you first bring up the Filter Expression dialog box you are shown a
tree list of field names, organized by protocol, and a box for
selecting a relation.
Field Name
    Select a protocol field from the protocol field tree. Every
    protocol with filterable fields is listed at the top level. (You
    can search for a particular protocol entry by entering the first
    few letters of the protocol name.) By clicking on the "+" next to
    a protocol name you can get a list of the field names available
    for filtering for that protocol.

Relation
    Select a relation from the list of available relations. The
    "is present" relation is a unary relation which is true if the
    selected field is present in a packet. All other listed relations
    are binary relations which require additional data (e.g. a Value
    to match) to complete. When you select a field from the field
    name list and select a binary relation (such as the equality
    relation ==) you will be given the opportunity to enter a value,
    and possibly some range information.

Value
    You may enter an appropriate value in the Value text box. The
    Value box will also indicate the type of value for the field name
    you have selected (like character string).

Predefined values
    Some of the protocol fields have predefined values available, much
    like enums in C. If the selected protocol field has such values
    defined, you can choose one of them here.

Range
    XXX - add an explanation here!

OK
    When you have built a satisfactory expression click OK and a
    filter string will be built for you.

Cancel
    You can leave the Add Expression... dialog box without any effect
    by clicking the Cancel button.
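The Relation and Value items above describe the two rules the dialog applies when it turns your selections into a filter string: "is present" needs no value, every other relation needs one, and a character-string value is quoted. The following Python builder is an added example that reproduces those rules; it is not Wireshark's own code, and the function names, the "string"/"integer"/"enum" type labels and the sample fields are my own choices.

```python
# Added example (not Wireshark's own code): mirrors how the Filter Expression
# dialog assembles a display filter string from Field Name, Relation and Value.
from typing import Optional, Union

UNARY = "is present"                                   # the one unary relation
BINARY = {"==", "!=", ">", "<", ">=", "<=", "contains", "matches"}


def _format_value(value: Union[str, int], field_type: str) -> str:
    """Render a value the way the filter language expects for its type."""
    if field_type == "string":
        # Character strings are quoted; escape backslashes and quotes inside.
        escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
        return f'"{escaped}"'
    if field_type == "integer":
        if not isinstance(value, int):
            raise ValueError(f"integer field expects an int, got {value!r}")
        return str(value)
    if field_type == "enum":                            # predefined value
        return str(value)
    raise ValueError(f"unsupported field type: {field_type}")


def build_expression(field: str, relation: str,
                     value: Optional[Union[str, int]] = None,
                     field_type: str = "string") -> str:
    """Build one expression, enforcing the unary/binary distinction."""
    if relation == UNARY:
        if value is not None:
            raise ValueError('"is present" takes no value')
        return field                       # "tcp" alone means tcp is present
    if relation not in BINARY:
        raise ValueError(f"unknown relation: {relation}")
    if value is None:
        raise ValueError(f"relation {relation!r} needs a value")
    return f"{field} {relation} {_format_value(value, field_type)}"


def combine(*expressions: str, op: str = "&&") -> str:
    """Join several expressions into one display filter string."""
    if op not in ("&&", "||"):
        raise ValueError("op must be && or ||")
    return f" {op} ".join(f"({e})" for e in expressions)

if __name__ == "__main__":
    # Constructed example: HTTP requests to one host from a curl client.
    print(combine(build_expression("http.host", "==", "example.com"),
                  build_expression("http.user_agent", "contains", "curl"),
                  build_expression("tcp.dstport", "==", 80, "integer")))
```

The printed string can be pasted into the display filter bar to confirm it matches what the dialog would have produced for the same selections.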