Wireshark Filter Syntax

Filter Syntax
-------------------------------------------------------------

The simplest filter allows you to check the existence of a protocol or a field. If you want to see all the packets that use the IP protocol, the filter is "IP" (without the quotation marks). To see all packets containing the token-ring RIF field, use "Tr.rif".
You can use the "exist" operator to see if a protocol or field exists.
Note: The names of all protocols and fields can be obtained in the filter reference.

Comparison operators
-------------------------------------------------------------

A field can be compared with a value. Comparison operators can use shorthand like English, or C-language characters.
eq,== equals
ne,!= Not equal to
Gt,> than ... Big
lt,< than ... Small
ge,>= greater than or equal to
le,<= less than or equal to

Search comparison Operators
--------------------------------------------------------------
There are also some operators that can only use class English shorthand, and cannot use the Class C language shorthand.
Contains judge a protocol, a field or a shard contains a value
Matches judge a protocol or string to match a given Perl expression

The "contains" operator allows a filter to search for a string of characters in the form of strings, or bytes, or byte groups. For example, when searching for an HTTP URL address, you can use the following filter:
HTTP contains "http://www.wireshark.org";
The "contains" operator cannot be used for atomic type fields, such as numbers and IP addresses.

The "matches" operator allows a filter to use a Perl-compatible regular expression (PCRE). The "matches" operator can only be applied to protocol fields of protocol or string type. For example: Searching for a given WAP WSP user-agent, you can write a filter like this:
Wsp.user_agent matches "(? i) CLDC"

Function
-------------------------------------------------------------
The language of the filter also has the following functions:
Upper (String-field)-Converts a string to uppercase
Lower (String-field)-Converts a string to lowercase

Upper (and lower (useful when dealing with case-sensitive string comparisons.) For example:
Upper (Ncp.nds_stream_name) contains "MACRO"
Lower (mount.dump.hostname) = = "Angel"

protocol field type
---------------------------------------------------------------
The fields for each protocol have a specified type. These types are:
unsigned integer unsigned integer (8-bit, 16-bit, 24-bit, 32-bit)
Signed integer signed integer (8-bit, 16-bit, 24-bit, 32-bit)
Boolean Boolean value
Ethernet Address Ethernet addresses (6 bytes)
byte array of array bytes
IPV4 Address IPv4
IPV6 Address IPv6
IPX Network number IPX NET address
Text string literal string
Double-precision floating point number double-precision float value

An integer can have three representation methods, decimal, octal, and hexadecimal. The following three examples are the same:

Frame.pkt_len>10
frame.pkt_len>012
Frame.pkt_len>0xa

The Boolean value is either True or false. In the display filter that tests a Boolean type field, the value of "true" is equivalent to 1 or other non-0 values, and "false" is 0.
For example, a source-routed field in a token Ring packet is a Boolean. Locate the source-routed packet, and you can write a filter like this:
Tr.sr==1

A non-source routed packet can use such a filter:
Tr.sr==0

The Ethernet address and byte array are represented in hexadecimal notation. 16 binary digits can be ":" "." "-" delimited. For example:

ETH.DST eq ff:ff:ff:ff:ff:ff
Aim.data = = 0.1.0.d
FDDI.SRC = = Aa-aa-aa-aa-aa-aa
Echo.data = = 7a

The IPV4 address can be expressed as a decimal point or as a host name. For example:

IP.DST eq www.mit.edu
IP.SRC = = 192.168.1.1

IPV4 addresses can be compared to numbers, using relationship symbol comparisons: Eq,ne,gt,ge,lt and Le. IPV4 addresses are stored in host order, so you don't have to worry about the end of the IPV4 address when you use the display filter.

CIDR notation is also available when using IPv4 subnetting. For example, the following filters can find all 129.111 packets:
Ip.addr==129.111.0.0/16

Remember that the number behind the slash is used to represent the number of bits that the subnet occupies. CIDR notation is also used to find host names, such as the IP address of the host "Sneezy" in a Class C network.
IP.ADDR eq sneezy/24

Wireshark Filter Syntax