User Guide

Working with captured packets
101
Table 6.5. Display Filter Field Types

Type: Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit)
Example: You can express integers in decimal, octal, or hexadecimal. The following display filters are equivalent:
    ip.len le 1500
    ip.len le 02734
    ip.len le 0x5dc

Type: Signed integer (8-bit, 16-bit, 24-bit, 32-bit)

Type: Boolean
Example: A boolean field is present in the protocol decode only if its value is true. For example, tcp.flags.syn is present, and thus true, only if the SYN flag is present in a TCP segment header. Thus the filter expression tcp.flags.syn will select only those packets for which this flag exists, that is, TCP segments where the segment header contains the SYN flag. Similarly, to find source-routed token ring packets, use a filter expression of tr.sr.

Type: Ethernet address (6 bytes)
Example: Separators can be a colon (:), dot (.) or dash (-) and can have one or two bytes between separators:
    eth.dst == ff:ff:ff:ff:ff:ff
    eth.dst == ff-ff-ff-ff-ff-ff
    eth.dst == ffff.ffff.ffff

Type: IPv4 address
Example:
    ip.addr == 192.168.0.1
Classless InterDomain Routing (CIDR) notation can be used to test whether an IPv4 address is in a certain subnet. For example, this display filter will find all packets in the 129.111 Class-B network:
    ip.addr == 129.111.0.0/16

Type: IPv6 address
Example:
    ipv6.addr == ::1

Type: IPX address
Example:
    ipx.addr == 00000000.ffffffffffff

Type: String (text)
Example:
    http.request.uri == "http://www.wireshark.org/"
6.4.3. Combining expressions
You can combine filter expressions in Wireshark using the logical operators shown in Table 6.6, “Display Filter Logical Operations”.
Table 6.6. Display Filter Logical Operations

English: and
C-like: &&
Description and example: Logical AND
    ip.src==10.0.0.5 and tcp.flags.fin