Remember, the number after the slash represents the number of bits used to represent the network. For example, this display filter will find all packets in the 129.111 Class-B network: ip.addr = 129.111.0.0/16 The IPv4 address is stored in host order, so you do not have to worry about the endianness of an IPv4 address when using it in a display filter.Ĭlassless InterDomain Routing (CIDR) notation can be used to test if an IPv4 address is in a certain subnet. IPv4 addresses can be compared with the same logical relations as numbers: eq, ne, gt, ge, lt, and le. IPv4 addresses can be represented in either dotted decimal notation or by using the hostname: ip.dst eq ip.src = 192.168.1.1 The hex digits may be separated by colons, periods, or hyphens: eth.dst eq ff:ff:ff:ff:ff:ff Non source-routed packets can be found with: tr.sr = 0Įthernet addresses and byte arrays are represented by hex digits. To find any source-routed packets, a display filter would be: tr.sr = 1 For example, a token-ring packet's source route field is Boolean. In a display filter expression testing the value of a Boolean field, "true" is expressed as 1 or any other non-zero value, and "false" is expressed as zero. The comparison operators can be expressed either through English-like abbreviations or through C-like symbols: eq, = Equalīoolean values are either true or false.
Comparison operatorsįields can also be compared against values. Think of a protocol or field in a filter as implicitly having the "exists" operator. To see all packets that contain a Token-Ring RIF field, use "tr.rif". If you want to see all packets which contain the IP protocol, the filter would be "ip" (without the quotation marks). The simplest filter allows you to check for the existence of a protocol or field. FILTER SYNTAX Check whether a field or protocol exists A comprehensive reference of filter fields can be found within Wireshark and in the display filter reference at. Display filters let you compare the fields within a protocol against a specific value, compare fields against fields, and check the existence of specified fields or protocols.įilters are also used by other features such as statistics generation and packet list colorization (the latter is only available to Wireshark).
If a packet meets the requirements expressed in your filter, then it is displayed in the list of packets. Wireshark and TShark share a powerful filter engine that helps remove the noise from a packet trace and lets you see only the packets that interest you. Wireshark [ -Y "display filter expression" | b Wireshark-filter - Wireshark display filter syntax and reference SYNOPSIS
0 kommentar(er)
