WIRESHARK FILTERS


Comparison operators
eq, == Equal
ne, != Not Equal
gt, > Greater Than
lt, < Less Than
ge, >= Greater than or Equal to
le, <= Less than or Equal to

Logical Expressions
and, && Logical AND
or, || Logical OR
not, ! Logical NOT

Some Valid Filters
tcp.port == 80 and ip.src == 192.168.2.1
http and frame[100-199] contains "wireshark"

The Slice Operator

Slices also work on HTTP header fields. Here the Location header indicates that a redirection is taking place:
http.location[0:4] == "http"
Another example is:
http.content_type[0:4] == "text"

Host(s):
Values: net, port, host, portrange.
If no type qualifier is given, the “host” keyword is assumed.
For example, “src 136.159.5.20” is equivalent to “src host 136.159.5.20”.
Logical Operations:
Values: not, and, or.
Negation (“not”) has highest precedence. Alternation (“or”) and concatenation (“and”) have equal precedence and associate left to right.
For example,
“not tcp port 3128 and tcp port 80” is equivalent to “(not tcp port 3128) and tcp port 80”.
CAPTURE FILTERS (EXAMPLES)
tcp port 80
Displays TCP packets with source or destination port 80.
ip src host 136.159.5.20
Displays packets with source IP address equal to 136.159.5.20.
host 136.159.5.1
Displays packets with source or destination IP address equal to 136.159.5.1.
src portrange 2000-2500
Displays packets with a source TCP or UDP port in the 2000-2500 range.

src host 136.159.5.20 and not dst host 136.159.5.1
Displays packets with source IP address equal to 136.159.5.20 and, at the same time, a destination IP address other than 136.159.5.1.

(src host 136.159.5.1 or src host 136.159.5.3) and tcp dst portrange 200-10000 and dst host 136.159.5.2
Displays packets with source IP address 136.159.5.1 or 136.159.5.3; that result is then combined (AND) with the condition that the packet has a destination TCP port in the range 200 to 10000 and destination IP address 136.159.5.2. The parentheses are needed because “or” and “and” have equal precedence and associate left to right.
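Because “and” and “or” share one precedence level and group left to right, “A or B and C” means “(A or B) and C”, which is why the example above needs its parentheses. The following Python evaluator is an added illustration, not part of the original cheat sheet or of Wireshark/libpcap: it applies exactly the precedence rules stated under Logical Operations to a few constructed packets. The PACKETS list, its field names and the supported primitives (host, port, portrange with optional tcp/udp and src/dst qualifiers) are assumptions of this example.

```python
PACKETS = [  # constructed sample packets, not taken from a real capture
    {"src": "136.159.5.1", "dst": "136.159.5.2", "proto": "tcp", "sport": 40000, "dport": 80},
    {"src": "136.159.5.3", "dst": "136.159.5.2", "proto": "tcp", "sport": 40001, "dport": 443},
    {"src": "136.159.5.9", "dst": "136.159.5.2", "proto": "udp", "sport": 2100, "dport": 53},
]

def match_primitive(words, pkt):
    """One primitive: [tcp|udp] [src|dst] [host|port|portrange] value; 'host' is assumed if omitted."""
    words = list(words)
    proto = words.pop(0) if words[0] in ("tcp", "udp") else None
    direction = words.pop(0) if words[0] in ("src", "dst") else None
    kind = words.pop(0) if words[0] in ("host", "port", "portrange") else "host"
    value = words[0]
    if proto and pkt["proto"] != proto:
        return False
    if kind == "host":
        return any(pkt[f] == value for f in ([direction] if direction else ["src", "dst"]))
    lo, hi = map(int, value.split("-")) if kind == "portrange" else (int(value), int(value))
    return any(lo <= pkt[f] <= hi for f in ([direction[0] + "port"] if direction else ["sport", "dport"]))

def parse_unary(tokens, pos):
    """'not' has the highest precedence: it negates only the next primitive or parenthesised group."""
    if tokens[pos] == "not":
        inner, pos = parse_unary(tokens, pos + 1)
        return (lambda p, f=inner: not f(p)), pos
    if tokens[pos] == "(":
        inner, pos = parse_expr(tokens, pos + 1)
        return inner, pos + 1  # skip the closing ')'
    end = next((i for i in range(pos, len(tokens)) if tokens[i] in ("and", "or", ")")), len(tokens))
    return (lambda p, w=tuple(tokens[pos:end]): match_primitive(w, p)), end

def parse_expr(tokens, pos=0):
    """'and' and 'or' share one level and associate left to right: 'A or B and C' is '(A or B) and C'."""
    left, pos = parse_unary(tokens, pos)
    while pos < len(tokens) and tokens[pos] in ("and", "or"):
        op = tokens[pos]
        right, pos = parse_unary(tokens, pos + 1)
        if op == "and":
            left = lambda p, l=left, r=right: l(p) and r(p)
        else:
            left = lambda p, l=left, r=right: l(p) or r(p)
    return left, pos

def select(expr, packets=PACKETS):
    """Return the source addresses of the packets the capture filter would keep."""
    tokens = expr.replace("(", " ( ").replace(")", " ) ").split()
    matcher, _ = parse_expr(tokens)
    return [p["src"] for p in packets if matcher(p)]
```

With these packets, `select("src host 136.159.5.1 or src host 136.159.5.3 and tcp dst port 443")` keeps only the 136.159.5.3 packet, whereas adding parentheses around the “and” part keeps both 136.159.5.1 and 136.159.5.3.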

DISPLAY FILTERS

String1, String2 (optional):
Sub-protocol categories inside the protocol. To find them, locate the protocol and click the “+” character to expand it.

Example
http.request.method == "GET" or tcp.port == 80
DISPLAY FILTERS (EXAMPLES)

ip.addr==136.159.5.20
Displays the packets with source or destination IP address equal to 136.159.5.20.

http.request.version == "HTTP/1.1"
Displays packets whose HTTP request version is HTTP/1.1.

tcp.dstport == 25
Displays packets with TCP destination port 25.

tcp.flags
Displays packets that carry TCP flags, i.e. all TCP segments.

tcp.flags.syn == 1
Displays packets with the TCP SYN flag set; tcp.flags.syn is a single-bit field, so it is tested against 1. (Synchronize sequence numbers. Only the first packet sent from each end should have this flag set.)