User Guide

English   C-like   Description and example
ge        >=       Greater than or equal to
                   frame.pkt_len ge 0x100
le        <=       Less than or equal to
                   frame.pkt_len <= 0x20

In addition, all protocol fields are typed. Table 6.4, “Display Filter Field Types” provides a list of
the types and examples of how to express them.

Table 6.4. Display Filter Field Types

Type: Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit)
Example: You can express integers in decimal, octal, or hexadecimal. The following display filters are equivalent:
    ip.len le 1500
    ip.len le 02734
    ip.len le 0x5dc

Type: Signed integer (8-bit, 16-bit, 24-bit, 32-bit)

Type: Boolean
Example: A boolean field is present in the protocol decode only if its value is true. For example, tcp.flags.syn is present, and thus true, only if the SYN flag is present in a TCP segment header. Thus the filter expression tcp.flags.syn will select only those packets for which this flag exists, that is, TCP segments where the segment header contains the SYN flag. Similarly, to find source-routed token ring packets, use a filter expression of tr.sr.

Type: Ethernet address (6 bytes)
Example: Separators can be a colon (:), dot (.) or dash (-) and can have one or two bytes between separators:
    eth.addr == ff:ff:ff:ff:ff:ff
    eth.addr == ff-ff-ff-ff-ff-ff
    eth.addr == ffff.ffff.ffff

Type: IPv4 address
Example: ip.addr == 192.168.0.1

Type: IPv6 address
Example: ipv6.addr == ::1

Type: IPX address
Example: ipx.addr == 00000000.ffffffffffff

Type: String (text)
Example: http.request.uri == "http://www.wireshark.org/"

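
Added example (not part of the Wireshark documentation or code): a Python sketch that parses the integer and Ethernet address literal forms listed in Table 6.4 and rewrites a simple "field op literal" filter into one spelling, which helps when comparing detection filters written by different analysts. The function names, the one-separator-kind rule and the canonical output form are assumptions of this example.

```python
import re

# English and C-like spellings of the two comparison operators shown on this page.
OPS = {"ge": ">=", "le": "<="}

def parse_uint(literal, bits=32):
    """Decimal, octal (leading 0) or hexadecimal (0x) literal -> int."""
    text = literal.strip().lower()
    if re.fullmatch(r"0x[0-9a-f]+", text):
        value = int(text, 16)
    elif re.fullmatch(r"0[0-7]+", text):
        value = int(text, 8)
    elif re.fullmatch(r"0|[1-9][0-9]*", text):
        value = int(text, 10)
    else:
        # e.g. "09": a leading zero means octal, and 9 is not an octal digit
        raise ValueError(f"not an integer literal: {literal!r}")
    if value >= 1 << bits:
        raise ValueError(f"{literal!r} does not fit in {bits} bits")
    return value

def parse_ether(literal):
    """6-byte address; ':', '.' or '-' separators, one or two bytes per group."""
    text = literal.strip().lower()
    seps = set(re.findall(r"[:.\-]", text))
    if len(seps) != 1:
        # Assumption of this sketch: exactly one separator kind per address.
        raise ValueError(f"bad separators in {literal!r}")
    groups = text.split(seps.pop())
    if not all(re.fullmatch(r"[0-9a-f]{2}|[0-9a-f]{4}", g) for g in groups):
        raise ValueError(f"bad byte group in {literal!r}")
    raw = bytes.fromhex("".join(groups))
    if len(raw) != 6:
        raise ValueError(f"{literal!r} is not 6 bytes")
    return raw

def canonical(expr, kind):
    """Rewrite 'field op literal' into one spelling so equal filters compare equal."""
    field, op, literal = expr.split(None, 2)
    op = OPS.get(op, op)
    if kind == "uint":
        value = str(parse_uint(literal))
    elif kind == "ether":
        value = parse_ether(literal).hex(":")
    else:
        raise ValueError(f"unsupported field type: {kind}")
    return f"{field} {op} {value}"
```
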
6.4.3. Combining expressions
Working with captured packets