User Guide
Working with captured packets
110
first few letters of the protocol name). By clicking on the "+" next to a protocol name
you can get a list of the field names available for filtering for that protocol.
Relation Select a relation from the list of available relations. The is present relation is unary:
it is true if the selected field is present in a packet. All other listed relations are binary
and require additional data (e.g. a Value to match) to complete the expression.
When you select a field from the field name list and select a binary relation (such as the equality relation
==) you will be given the opportunity to enter a value, and possibly some range information.
Value You may enter an appropriate value in the Value text box. The Value label also
indicates the type of value expected for the field name you have selected (e.g. character
string).
Predefined values Some of the protocol fields have predefined values available, much like
enums in C. If the selected protocol field has such values defined, you can
choose one of them here.
Range XXX - add an explanation here!
OK When you have built a satisfactory expression click OK and a filter string will
be built for you.
Cancel You can leave the Add Expression... dialog box without any effect by clicking
the Cancel button.
6.6. Defining and saving filters
You can define filters with Wireshark and give them labels for later use. This can save time in remembering
and retyping some of the more complex filters you use.
To define a new filter or edit an existing one, select the Capture Filters... menu item from the Capture
menu or the Display Filters... menu item from the Analyze menu. Wireshark will then pop up the Filters
dialog as shown in Figure 6.8, “The "Capture Filters" and "Display Filters" dialog boxes”.
Note!
The mechanisms for defining and saving capture filters and display filters are almost
identical, so both are described here; differences between the two are marked as
such.
Warning!
You must use Save to save your filters permanently. Ok or Apply will not save the filters,
so they will be lost when you close Wireshark.
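The following is an added example, not code from the Wireshark project or from this guide. It shows in plain Python what the two passages above describe: composing a display filter string from the dialog's field name, relation and value (the unary is present relation takes no value, every binary relation requires one, and a predefined symbolic value is translated to the literal the filter engine expects), and round-tripping a list of labelled filters in a one-per-line `"label" expression` text layout. The layout of the saved-filter file, the small table of predefined values, and the quoting heuristic for values are assumptions made for this example; the page does not specify them.

```python
"""Build Wireshark-style display filter expressions from dialog selections and
round-trip a labelled filter list. Added example; not Wireshark's own code."""
import ipaddress
import re

# Relations as offered by the "Add Expression..." dialog: "is present" is the
# one unary relation, every other listed relation is binary and needs a value.
UNARY_RELATIONS = {"is present"}
BINARY_RELATIONS = {"==", "!=", ">", "<", ">=", "<=", "contains", "matches"}

# Constructed, partial table of predefined values ("like enums in C").
# ASSUMPTION for illustration; the real tables live in Wireshark's dissectors.
PREDEFINED = {
    "tcp.flags.syn": {"Set": "1", "Not set": "0"},
    "ip.proto": {"TCP": "6", "UDP": "17", "ICMP": "1"},
}

# Field names are dotted lower-case identifiers, e.g. "ip.addr" or just "http".
FIELD_RE = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_]+)*$")
MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")


def _needs_quotes(value):
    """Leave integers, IP addresses and MAC addresses bare; quote everything else."""
    try:
        int(value, 0)          # decimal or 0x-prefixed hex
        return False
    except ValueError:
        pass
    try:
        ipaddress.ip_address(value)
        return False
    except ValueError:
        pass
    return not MAC_RE.match(value)


def build_expression(field, relation, value=None):
    """Compose a single display filter clause from field, relation and value."""
    if not FIELD_RE.match(field):
        raise ValueError(f"malformed field name: {field!r}")
    if relation in UNARY_RELATIONS:
        if value is not None:
            raise ValueError("'is present' takes no value")
        return field                      # bare field name tests for presence
    if relation not in BINARY_RELATIONS:
        raise ValueError(f"unknown relation: {relation!r}")
    if value is None:
        raise ValueError(f"relation {relation!r} needs a value")
    value = str(PREDEFINED.get(field, {}).get(value, value))
    # contains/matches always take a string; other values are quoted by heuristic.
    if relation in ("contains", "matches") or _needs_quotes(value):
        value = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return f"{field} {relation} {value}"


def format_saved_line(label, expression):
    """One saved-filter line: a quoted label, a space, then the expression (assumed layout)."""
    escaped = label.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}" {expression}'


def parse_saved(text):
    """Parse saved-filter lines back into (label, expression) pairs."""
    entries = []
    line_re = re.compile(r'^"((?:[^"\\]|\\.)*)"\s+(\S.*)$')
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are skipped
        m = line_re.match(line)
        if not m:
            raise ValueError(f"cannot parse saved filter line: {raw!r}")
        label = re.sub(r"\\(.)", r"\1", m.group(1))
        entries.append((label, m.group(2)))
    return entries


def sample_saved_filters():
    """Constructed sample list, as a Save action would persist it."""
    return "\n".join([
        format_saved_line("TCP SYN only", build_expression("tcp.flags.syn", "==", "Set")),
        format_saved_line("Has HTTP", build_expression("http", "is present")),
        format_saved_line('Host "example"', build_expression("http.host", "contains", "example.com")),
        format_saved_line("From one host", build_expression("ip.addr", "==", "192.0.2.1")),
    ])


if __name__ == "__main__":
    text = sample_saved_filters()
    print(text)
    for label, expr in parse_saved(text):
        print(f"{label!r:22} -> {expr}")
```

The parser rejects a line whose label is not quoted or whose expression is missing, so a hand-edited saved-filter file fails loudly instead of silently dropping entries.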