User Guide

English  C-like  Description and example

ge       >=      Greater than or equal to
                     frame.len ge 0x100

le       <=      Less than or equal to
                     frame.len <= 0x20

In addition, all protocol fields are typed. Table 6.4, “Display Filter Field Types”, provides a list of the types and examples of how to express them.

Table 6.4. Display Filter Field Types

Type
    Example

Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit)
    You can express integers in decimal, octal, or hexadecimal. The following display filters are equivalent:
        ip.len le 1500
        ip.len le 02734
        ip.len le 0x5dc

Signed integer (8-bit, 16-bit, 24-bit, 32-bit)

Boolean
    A boolean field is present in the protocol decode only if its value is true. For example, tcp.flags.syn is present, and thus true, only if the SYN flag is present in a TCP segment header.
    Thus the filter expression tcp.flags.syn will select only those packets for which this flag exists, that is, TCP segments where the segment header contains the SYN flag. Similarly, to find source-routed token ring packets, use a filter expression of tr.sr.

Ethernet address (6 bytes)
    Separators can be a colon (:), dot (.) or dash (-) and can have one or two bytes between separators:
        eth.dst == ff:ff:ff:ff:ff:ff
        eth.dst == ff-ff-ff-ff-ff-ff
        eth.dst == ffff.ffff.ffff

IPv4 address
        ip.addr == 192.168.0.1
    Classless InterDomain Routing (CIDR) notation can be used to test if an IPv4 address is in a certain subnet. For example, this display filter will find all packets in the 129.111 Class-B network:
        ip.addr == 129.111.0.0/16

IPv6 address
        ipv6.addr == ::1

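
The value notations in Table 6.4, modelled in Python as an added example (not code from the guide or from Wireshark itself), so that differently written filter values can be checked for equivalence before they go into a saved filter or detection rule. The function names are hypothetical, and rejecting mixed separator styles in one Ethernet address is an assumption of this example.

```python
# Added example: models the value syntax of Table 6.4. Not Wireshark's parser.
import ipaddress
import re


def parse_uint(text):
    """Integer literal: 0x prefix is hexadecimal, leading 0 is octal, else decimal."""
    t = text.strip().lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if len(t) > 1 and t.startswith("0"):
        return int(t[1:], 8)
    return int(t, 10)


def parse_ether(text):
    """Ethernet address with ':', '.' or '-' between groups of one or two bytes."""
    text = text.strip()
    # Assumption: one separator style per address; mixed styles are rejected.
    if len(set(re.findall(r"[:.-]", text))) != 1:
        raise ValueError(f"bad Ethernet address: {text!r}")
    groups = re.split(r"[:.-]", text)
    if not all(re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,2}", g) for g in groups):
        raise ValueError(f"bad Ethernet address: {text!r}")
    raw = bytes.fromhex("".join(groups))
    if len(raw) != 6:
        raise ValueError(f"Ethernet address must be 6 bytes: {text!r}")
    return raw


def ipv4_matches(addr, value):
    """True if addr equals value, or lies inside it when value is in CIDR notation."""
    network = ipaddress.ip_network(value, strict=False)
    return ipaddress.ip_address(addr) in network


def equivalent(kind, *values):
    """True if every literal in values denotes the same field value."""
    parser = {"uint": parse_uint, "ether": parse_ether}[kind]
    return len({parser(v) for v in values}) == 1


if __name__ == "__main__":
    # Constructed sample values, written in the notations the table lists.
    print(equivalent("uint", "1500", "02734", "0x5dc"))
    print(equivalent("ether", "ff:ff:ff:ff:ff:ff", "ffff.ffff.ffff"))
    print(ipv4_matches("129.111.4.20", "129.111.0.0/16"))
```
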
Working with captured packets