User Guide
Working with captured packets
Tip!
You will find a lot of Display Filter examples at the Wireshark Wiki Display Filter page
at http://wiki.wireshark.org/DisplayFilters.
6.4.1. Display filter fields
Every field in the packet details pane can be used as a filter string; this shows only the
packets in which that field exists. For example, the filter string tcp will show all packets containing the tcp
protocol.
There is a complete list of all filter fields available through the menu item "Help/Supported Protocols" in
the page "Display Filter Fields" of the Supported Protocols dialog.
6.4.2. Comparing values
You can build display filters that compare values using a number of different comparison operators. They
are shown in Table 6.4, “Display Filter comparison operators”.
Tip!
You can use English and C-like terms in the same way. They can even be mixed in a filter
string!
Table 6.4. Display Filter comparison operators

English  C-like  Description               Example
eq       ==      Equal                     ip.src==10.0.0.5
ne       !=      Not equal                 ip.src!=10.0.0.5
gt       >       Greater than              frame.len > 10
lt       <       Less than                 frame.len < 128
ge       >=      Greater than or equal to  frame.len ge 0x100
le       <=      Less than or equal to     frame.len <= 0x20
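
The following is an added example, not code from Wireshark or from this guide: a small Python model of the Table 6.4 operators that shows the English and C-like spellings selecting the same comparison, hexadecimal and decimal literals being equivalent, and a comparison failing to match when the field is absent from the packet. The function name, the field typing table and the two sample packets are assumptions constructed for the illustration; only single comparisons and bare field names are handled.

```python
import ipaddress
import operator
import re

# English and C-like spellings from Table 6.4 select the same comparison.
OPS = {
    "eq": operator.eq, "==": operator.eq,
    "ne": operator.ne, "!=": operator.ne,
    "gt": operator.gt, ">": operator.gt,
    "lt": operator.lt, "<": operator.lt,
    "ge": operator.ge, ">=": operator.ge,
    "le": operator.le, "<=": operator.le,
}
# Assumed typing for the two fields used in Table 6.4; each literal is parsed
# according to its field's type (base 0 accepts both 256 and 0x100).
FIELD_TYPES = {"frame.len": lambda s: int(s, 0), "ip.src": ipaddress.ip_address}
COMPARISON = re.compile(
    r"^\s*([a-z_][\w.]*)\s*(==|!=|>=|<=|>|<|\b(?:eq|ne|gt|lt|ge|le)\b)\s*(\S+)\s*$"
)
# Constructed sample packets: one TCP/IP frame and one frame with no IP layer.
SAMPLE_TCP = {"frame.len": 256, "ip.src": ipaddress.ip_address("10.0.0.5"), "tcp": True}
SAMPLE_ARP = {"frame.len": 42}


def matches(filter_string, packet):
    """Return True if the constructed packet dict satisfies the filter."""
    m = COMPARISON.match(filter_string)
    if m is None:
        # A bare field name (section 6.4.1) tests only that the field exists.
        name = filter_string.strip()
        if re.fullmatch(r"[a-z_][\w.]*", name):
            return name in packet
        raise ValueError(f"unsupported filter: {filter_string!r}")
    field, op, literal = m.groups()
    if field not in FIELD_TYPES:
        raise ValueError(f"unknown field: {field}")
    value = FIELD_TYPES[field](literal)  # ValueError on a malformed literal
    # In this model a comparison can only match when the field is present,
    # so "ip.src != 10.0.0.5" does not select packets that have no ip.src.
    return field in packet and OPS[op](packet[field], value)
```
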
In addition, all protocol fields are typed. Table 6.5, “Display Filter Field Types” provides a list of the types
and examples of how to express them.