User Guide

6.4. Building display filter expressions
Wireshark provides a simple but powerful display filter language with which you can build quite
complex filter expressions. You can compare values in packets as well as combine expressions into
more specific expressions. The following sections provide more information on doing this.
Tip!
You will find a lot of Display Filter examples at the Wireshark Wiki Display Filter
page at http://wiki.wireshark.org/DisplayFilters.
6.4.1. Display filter fields
Every field in the packet details pane can be used as a filter string; this will result in showing only
the packets where this field exists. For example, the filter string tcp will show all packets
containing the tcp protocol.
A complete list of all filter fields is available through the menu item "Help/Supported Protocols",
on the page "Display Filter Fields" of the dialog that appears.
6.4.2. Comparing values
You can build display filters that compare values using a number of different comparison operators.
They are shown in Table 6.3, “Display Filter comparison operators”.
Tip!
You can use English and C-like terms in the same way; they can even be mixed in a
filter string!
Table 6.3. Display Filter comparison operators
English   C-like   Description    Example
eq        ==       Equal          ip.addr==10.0.0.5
ne        !=       Not equal      ip.addr!=10.0.0.5
gt        >        Greater than   frame.pkt_len > 10
lt        <        Less than      frame.pkt_len < 128
Working with captured packets