Wireshark command line filter by ip address

wireshark-filter - Wireshark filter syntax and reference

SYNOPSIS

DESCRIPTION

Wireshark and TShark share a powerful filter engine that helps remove the noise from a packet trace and lets you see only the packets that interest you. If a packet meets the requirements expressed in your filter, then it is displayed in the list of packets. Display filters let you compare the fields within a protocol against a specific value, compare fields against fields, and check the existence of specified fields or protocols.

Filters are also used by other features such as statistics generation and packet list colorization (the latter is only available to Wireshark). A comprehensive reference of filter fields can be found within Wireshark and in the display filter reference at.

FILTER SYNTAX

Check whether a field or protocol exists

The simplest filter allows you to check for the existence of a protocol or field. If you want to see all packets which contain the IP protocol, the filter would be "ip" (without the quotation marks). To see all packets that contain a Token-Ring RIF field, use "tr.rif".

Think of a protocol or field in a filter as implicitly having the "exists" operator.

Comparison operators

Fields can also be compared against values. The comparison operators can be expressed either through English-like abbreviations or through C-like symbols:

Remember that whenever a protocol or field name occurs in an expression, the "exists" operator is implicitly called. The "exists" operator has the highest priority. This means that the first filter expression must be read as "show me the packets for which tcp.port exists and equals 80, and ip.src exists and equals 192.168.2.1". The second filter expression means "show me the packets where not (llc exists)", or in other words "where llc does not exist", and hence will match all packets that do not contain the llc protocol. The third filter expression includes the constraint that offset 199 in the frame exists; in other words, the length of the frame is at least 200.

A special caveat must be given regarding fields that occur more than once per packet. "ip.addr" occurs twice per IP packet, once for the source address and once for the destination address. Likewise, "tr.rif.ring" fields can occur more than once per packet. The following two expressions are not equivalent:

The first filter says "show me packets where an ip.addr exists that does not equal 192.168.4.1". That is, as long as one ip.addr in the packet does not equal 192.168.4.1, the packet passes the display filter. The other ip.addr could equal 192.168.4.1 and the packet would still be displayed. The second filter says "don't show me any packets that have an ip.addr field equal to 192.168.4.1". If one ip.addr is 192.168.4.1, the packet does not pass. If neither ip.addr field is 192.168.4.1, then the packet is displayed.
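To make the two-occurrence caveat concrete, here is an added Python model (not Wireshark's own code) that evaluates the two contrasting filters, written here as `ip.addr != 192.168.4.1` and `!(ip.addr == 192.168.4.1)`, over a constructed four-packet capture; the packet contents and helper names are assumptions. Note that Wireshark 3.6 and later changed `!=` to mean "all occurrences differ", so this models the older behaviour the text above describes.

```python
"""Toy evaluator for multi-occurrence display-filter fields (added example).

A packet is modelled as a dict of field name -> list of occurrences, so that
ip.addr carries both the source and the destination address, exactly the
situation the man page warns about.
"""

# Constructed sample capture: four packets, three with an IP layer.
PACKETS = {
    "from_4_1":  {"ip.addr": ["192.168.4.1", "10.0.0.5"], "tcp.port": [443, 51000]},
    "to_4_1":    {"ip.addr": ["10.0.0.5", "192.168.4.1"], "tcp.port": [51000, 443]},
    "unrelated": {"ip.addr": ["10.0.0.5", "10.0.0.9"], "tcp.port": [80, 51001]},
    "arp_only":  {"eth.src": ["aa:bb:cc:dd:ee:01"]},   # no IP layer at all
}


def exists(packet, field):
    """The implicit "exists" operator: true if the field occurs at least once."""
    return field in packet and len(packet[field]) > 0


def any_eq(packet, field, value):
    """field == value: passes if ANY occurrence of the field equals value."""
    return exists(packet, field) and any(v == value for v in packet[field])


def any_ne(packet, field, value):
    """field != value as the man page describes it: passes if ANY occurrence
    differs from value, even when the other occurrence equals it."""
    return exists(packet, field) and any(v != value for v in packet[field])


def not_any_eq(packet, field, value):
    """!(field == value): passes only if NO occurrence equals value.
    A packet that lacks the field also passes, since nothing can equal value."""
    return not any_eq(packet, field, value)


def apply_filter(capture, predicate):
    """Return the names of the packets that pass the predicate, in capture order."""
    return [name for name, pkt in capture.items() if predicate(pkt)]


def compare_filters(target="192.168.4.1"):
    """Run both spellings of "not this address" over the sample capture."""
    ne = apply_filter(PACKETS, lambda p: any_ne(p, "ip.addr", target))
    not_eq = apply_filter(PACKETS, lambda p: not_any_eq(p, "ip.addr", target))
    return {"ip.addr != x": ne, "!(ip.addr == x)": not_eq}


if __name__ == "__main__":
    for expr, passing in compare_filters().items():
        print(f"{expr:18} -> {passing}")
```

Only the second spelling actually hides every packet that touches 192.168.4.1; the first lets both conversations through because each has a second address that differs, and the non-IP packet is excluded by the implicit "exists" rather than by the comparison.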