
9/13/2016

wireshark-filter - The Wireshark Network Analyzer 2.0.0

NAME
wireshark-filter - Wireshark filter syntax and reference

SYNOPSIS
wireshark [other options] [ -R "filter expression" ]
tshark [other options] [ -R "filter expression" ]

DESCRIPTION
Wireshark and TShark share a powerful filter engine that helps remove the noise from a packet trace and lets you see only the packets that interest you. If a packet meets the requirements expressed in your filter, then it is displayed in the list of packets. Display filters let you compare the fields within a protocol against a specific value, compare fields against fields, and check the existence of specified fields or protocols.

Filters are also used by other features such as statistics generation and packet list colorization (the latter is only available to Wireshark). This manual page describes their syntax. A comprehensive reference of filter fields can be found within Wireshark and in the display filter reference at https://www.wireshark.org/docs/dfref/.

FILTER SYNTAX
Check whether a field or protocol exists
The simplest filter allows you to check for the existence of a protocol or field. If you want to see all packets which contain the IP protocol, the filter would be "ip" (without the quotation marks). To see all packets that contain a Token-Ring RIF field, use "tr.rif".

Think of a protocol or field in a filter as implicitly having the "exists" operator.

Comparison operators
Fields can also be compared against values. The comparison operators can be expressed either through English-like abbreviations or through C-like symbols:

    eq, ==    Equal
    ne, !=    Not Equal
    gt, >     Greater Than
    lt, <     Less Than
    ge, >=    Greater than or Equal to
    le, <=    Less than or Equal to

Search and match operators
Additional operators exist expressed only in English, not C-like syntax:

    contains    Does the protocol, field or slice contain a value
    matches     Does the protocol or text string match the given Perl regular expression

The "contains" operator allows a filter to search for a sequence of characters, expressed as a string (quoted or unquoted), or bytes, expressed as a byte array. For example, to search for a given HTTP URL in a capture, the following filter can be used:

    http contains "https://www.wireshark.org"
https://www.wireshark.org/docs/manpages/wireshark-filter.html

The "contains" operator cannot be used on atomic fields, such as numbers or IP addresses.

The "matches" operator allows a filter to apply to a specified Perl-compatible regular expression (PCRE). The "matches" operator is only implemented for protocols and for protocol fields with a text string representation. For example, to search for a given WAP WSP User-Agent, you can write:

    wsp.user_agent matches "(?i)cldc"

This example shows an interesting PCRE feature: pattern match options have to be specified with the (?option) construct. For instance, (?i) performs a case-insensitive pattern match. More information on PCRE can be found in the pcrepattern(3) man page (Perl Regular Expressions are explained in http://perldoc.perl.org/perlre.html).

Functions
The filter language has the following functions:

    upper(string-field)    converts a string field to uppercase
    lower(string-field)    converts a string field to lowercase

upper() and lower() are useful for performing case-insensitive string comparisons. For example:

    upper(ncp.nds_stream_name) contains "MACRO"
    lower(mount.dump.hostname) == "angel"

Protocol field types
Each protocol field is typed. The types are:

    ASN.1 object identifier
    Boolean
    Character string
    Compiled Perl-Compatible Regular Expression (GRegex) object
    Date and time
    Ethernet or other MAC address
    EUI64 address
    Floating point (double-precision)
    Floating point (single-precision)
    Frame number
    Globally Unique Identifier
    IPv4 address
    IPv6 address
    IPX network number
    Label
    Protocol
    Sequence of bytes
    Signed integer, 1, 2, 3, 4, or 8 bytes
    Time offset
    Unsigned integer, 1, 2, 3, 4, or 8 bytes

An integer may be expressed in decimal, octal, or hexadecimal notation. The following three display filters are equivalent:

    frame.pkt_len > 10
    frame.pkt_len > 012
    frame.pkt_len > 0xa

Boolean values are either true or false. In a display filter expression testing the value of a Boolean field, "true" is expressed as 1 or any other non-zero value, and "false" is expressed as zero. For example, a token ring packet's source route field is Boolean. To find any source-routed packets, a display filter would be:

    tr.sr == 1

Non-source-routed packets can be found with:

    tr.sr == 0

Ethernet addresses and byte arrays are represented by hex digits. The hex digits may be separated by colons, periods, or hyphens:

    eth.dst eq ff:ff:ff:ff:ff:ff
    aim.data == 0.1.0.d
    fddi.src == aa-aa-aa-aa-aa-aa
    echo.data == 7a

IPv4 addresses can be represented in either dotted decimal notation or by using the hostname:

    ip.dst eq www.mit.edu
    ip.src == 192.168.1.1

Note that a hostname in a filter has to be resolved when the filter is compiled, so it needs working name resolution on the analysis host.

IPv4 addresses can be compared with the same logical relations as numbers: eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order, so you do not have to worry about the endianness of an IPv4 address when using it in a display filter.

Classless Inter-Domain Routing (CIDR) notation can be used to test if an IPv4 address is in a certain subnet. For example, this display filter will find all packets in the 129.111 Class-B network:

    ip.addr == 129.111.0.0/16

Remember, the number after the slash represents the number of bits used to represent the network. CIDR notation can also be used with hostnames, as in this example of finding IP addresses on the same Class C network as 'sneezy':

    ip.addr eq sneezy/24

The CIDR notation can only be used on IP addresses or hostnames, not in variable names. So, a display filter like "ip.src/24 == ip.dst/24" is not valid (yet).

IPX networks are represented by unsigned 32-bit integers. Most likely you will be using hexadecimal when testing IPX network values:

    ipx.src.net == 0xc0a82c00

Strings are enclosed in double quotes:

    http.request.method == "POST"

Inside double quotes, you may use a backslash to embed a double quote or an arbitrary byte represented in either octal or hexadecimal.

    browser.comment == "An embedded \" double-quote"

Use of hexadecimal to look for "HEAD":

    http.request.method == "\x48EAD"

Use of octal to look for "HEAD":

    http.request.method == "\110EAD"

This means that you must escape backslashes with backslashes inside double quotes.

    smb.path contains "\\\\SERVER\\SHARE"

looks for \\SERVER\SHARE in "smb.path".

The slice operator
You can take a slice of a field if the field is a text string or a byte array. For example, you can filter on the vendor portion of an ethernet address (the first three bytes) like this:

    eth.src[0:3] == 00:00:83

Another example is:

    http.content_type[0:4] == "text"

You can use the slice operator on a protocol name, too. The "frame" protocol can be useful, encompassing all the data captured by Wireshark or TShark.

    token[0:5] ne 0.0.0.1.1
    llc[0] eq aa
    frame[100-199] contains "wireshark"

The following syntax governs slices:

    [i:j]    i = start_offset, j = length
    [i-j]    i = start_offset, j = end_offset, inclusive.
    [i]      i = start_offset, length = 1
    [:j]     start_offset = 0, length = j
    [i:]     start_offset = i, end_offset = end_of_field

Offsets can be negative, in which case they indicate the offset from the end of the field. The last byte of the field is at offset -1, the last but one byte is at offset -2, and so on. Here's how to check the last four bytes of a frame:

    frame[-4:4] == 0.1.2.3

or

    frame[-4:] == 0.1.2.3

A slice is always compared against either a string or a byte sequence. As a special case, when the slice is only 1 byte wide, you can compare it against a hex integer that is 0xff or less (which means it fits inside one byte). This is not allowed for byte sequences greater than one byte, because then one would need to specify the endianness of the multi-byte integer. Also, this is not allowed for decimal numbers, since they would be confused with hex numbers that are already allowed as byte strings. Nevertheless, single-byte hex integers can be convenient:

    frame[4] == 0xff

Slices can be combined. You can concatenate them using the comma operator:

    ftp[1,3-5,9:] == 01:03:04:05:09:0a:0b

This concatenates offset 1, offsets 3-5, and offset 9 to the end of the ftp data.
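The slice grammar above, implemented as an added example. This is not Wireshark's own code; apply_slice and slice_exists are names chosen for this page. It applies the text between the brackets to a field's bytes, counts negative offsets from the end of the field, concatenates comma-separated parts in order, and treats a slice that reaches past the end of the field as non-existent, which is the implicit "exists" test the engine applies before any comparison:

```python
import re


def _abs_offset(idx: int, n: int) -> int:
    """Map a slice offset to an absolute index; negative offsets count from
    the end of the field, so -1 is the last byte and -2 the one before."""
    return idx + n if idx < 0 else idx


def apply_slice(data: bytes, spec: str) -> bytes:
    """Apply a display-filter slice specification (the text between the
    brackets) to a field's bytes: "i:j" (j is a length), "i-j" (inclusive
    end offset), "i", ":j", "i:", and comma-separated combinations, which
    are concatenated. Raises IndexError when any named byte lies outside
    the field, mirroring the engine treating such a slice as non-existent."""
    n = len(data)
    out = bytearray()
    for part in spec.split(","):
        part = part.strip()
        # group 1: start offset, group 2: ':' or '-', group 3: length / end
        m = re.fullmatch(r"(-?\d+)?(?:([:-])(-?\d+)?)?", part)
        if not m or not part:
            raise ValueError("bad slice %r" % part)
        i_txt, sep, j_txt = m.group(1), m.group(2), m.group(3)
        if sep is None:                       # [i]: a single byte at offset i
            if i_txt is None:
                raise ValueError("bad slice %r" % part)
            start = _abs_offset(int(i_txt), n)
            end = start + 1
        elif sep == ":":                      # [i:j], [:j], [i:]
            start = 0 if i_txt is None else _abs_offset(int(i_txt), n)
            end = n if j_txt is None else start + int(j_txt)
        else:                                 # [i-j]: inclusive end offset
            if i_txt is None or j_txt is None:
                raise ValueError("bad slice %r" % part)
            start = _abs_offset(int(i_txt), n)
            end = _abs_offset(int(j_txt), n) + 1
        if start < 0 or end > n or start >= end:
            raise IndexError("slice %r is outside a %d-byte field" % (part, n))
        out += data[start:end]
    return bytes(out)


def slice_exists(data: bytes, spec: str) -> bool:
    """The implicit "exists" test: a slice only exists when every byte it
    names is inside the field, so frame[100-199] needs a 200-byte frame."""
    try:
        apply_slice(data, spec)
        return True
    except IndexError:
        return False


if __name__ == "__main__":
    # Constructed sample field: 256 bytes whose value equals their offset.
    frame = bytes(range(256))
    print(apply_slice(frame, "-4:4").hex())      # fcfdfeff
    print(apply_slice(frame, "1,3-5,9:11").hex())  # 01030405090a0b
    print(slice_exists(bytes(150), "100-199"))   # False: frame too short
```

The "-" used both as the range separator and as the sign of a negative offset is taken greedily as a sign first, so "-3-5" reads as the range from -3 to 5; that ambiguity is inherent in the notation, not a choice of this example.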

The membership operator
A field may be checked for matches against a set of values simply with the membership operator. For instance, you may find traffic on common HTTP/HTTPS ports with the following filter:

    tcp.port in {80 443 8080}

as opposed to the more verbose:

    tcp.port == 80 or tcp.port == 443 or tcp.port == 8080

Type conversions
If a field is a text string or a byte array, it can be expressed in whichever way is most convenient. So, for instance, the following filters are equivalent:

    http.request.method == "GET"
    http.request.method == 47.45.54

A range can also be expressed in either way:

    frame[60:2] gt 50.51
    frame[60:2] gt "PQ"
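The value spellings described on this page, as an added example that is not Wireshark's own parser: byte arrays with hex digits separated by colons, periods or hyphens; double-quoted strings with the \", \\, \xHH and \NNN escapes; and the equivalence of "GET" and 47.45.54 from the type-conversion paragraph above. The function names are this example's own, only the escapes the man page lists are accepted, and every literal is reduced to bytes so that the two spellings compare equal:

```python
import re

_HEX_BYTE = re.compile(r"[0-9A-Fa-f]{1,2}")
_OCTAL = re.compile(r"[0-7]{1,3}")


def parse_byte_array(text: str) -> bytes:
    """Byte-array notation: hex bytes separated by colons, periods or hyphens
    (ff:ff:ff, 0.1.0.d, aa-aa-aa); a single byte needs no separator (7a).
    Accepting a mix of separators in one value is this example's leniency,
    not a documented feature."""
    if _HEX_BYTE.fullmatch(text):
        return bytes([int(text, 16)])
    parts = re.split(r"[:.-]", text)
    if len(parts) < 2 or not all(_HEX_BYTE.fullmatch(p) for p in parts):
        raise ValueError("not a byte array: %r" % text)
    return bytes(int(p, 16) for p in parts)


def parse_string_literal(text: str) -> bytes:
    r"""A double-quoted string. Only the escapes the man page lists are
    handled: \" (a quote), \\ (a backslash), \xHH (a hex byte) and \NNN
    (one to three octal digits). Bytes are returned because the engine
    compares strings byte-wise, which is what makes "GET" and 47.45.54
    interchangeable."""
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("string must be enclosed in double quotes: %r" % text)
    body, out, i = text[1:-1], bytearray(), 0
    while i < len(body):
        ch = body[i]
        if ch != "\\":
            out += ch.encode("utf-8")
            i += 1
            continue
        i += 1                                     # step over the backslash
        if i >= len(body):
            raise ValueError("dangling backslash in %r" % text)
        esc = body[i]
        if esc == "x":
            m = _HEX_BYTE.match(body, i + 1)       # one or two hex digits
            if not m:
                raise ValueError("bad \\x escape in %r" % text)
            out.append(int(m.group(), 16))
            i = m.end()
        elif esc in "01234567":
            m = _OCTAL.match(body, i)              # one to three octal digits
            value = int(m.group(), 8)
            if value > 0xFF:
                raise ValueError("octal escape \\%s exceeds one byte" % m.group())
            out.append(value)
            i = m.end()
        elif esc in ('"', "\\"):
            out.append(ord(esc))
            i += 1
        else:
            raise ValueError("unsupported escape \\%s in %r" % (esc, text))
    return bytes(out)


def literal_to_bytes(text: str) -> bytes:
    """Either spelling of a string / byte-array value, reduced to bytes."""
    text = text.strip()
    return parse_string_literal(text) if text.startswith('"') else parse_byte_array(text)


if __name__ == "__main__":
    for lit in ('"GET"', "47.45.54", r'"\x48EAD"', r'"\110EAD"', r'"\\\\SERVER\\SHARE"'):
        print("%-24s -> %r" % (lit, literal_to_bytes(lit)))
```

Because the result is bytes rather than str, a value such as "\xff" round-trips as the single byte 0xff instead of being re-encoded as UTF-8, which is the behaviour the byte-wise comparison in the engine relies on.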

Bit field operations
It is also possible to define tests with bit field operations. Currently the following bit field operation is supported:

    bitwise_and, &    Bitwise AND

The bitwise AND operation allows testing to see if one or more bits are set. Bitwise AND operates on integer protocol fields and slices.

When testing for TCP SYN packets, you can write:

    tcp.flags & 0x02

That expression will match all packets that contain a "tcp.flags" field with the 0x02 bit, i.e. the SYN bit, set. Note that a SYN/ACK segment also has the SYN bit set, so this matches the reply as well as the initial SYN.

Similarly, filtering for all WSP GET and extended GET methods is achieved with:

    wsp.pdu_type & 0x40

When using slices, the bit mask must be specified as a byte string, and it must have the same number of bytes as the slice itself, as in:

    ip[42:2] & 40:ff
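What the two forms of bitwise AND test, as an added example that is not from the Wireshark sources, run over constructed 20-byte TCP headers. The header bytes, the flag constants and the function names are this example's own. It also shows the refinement a practitioner usually wants on top of the SYN filter above: because a SYN/ACK passes "tcp.flags & 0x02" as well, connection attempts alone need a second test on the ACK bit (in a real filter, two tests joined with "and"):

```python
# Constructed 20-byte TCP headers (not taken from a capture): data offset 5,
# with the flags byte at offset 13 set to SYN, SYN/ACK and ACK respectively.
SYN_HEADER    = bytes.fromhex("c4d0 0050 12345678 00000000 5002 ffff 0000 0000")
SYNACK_HEADER = bytes.fromhex("0050 c4d0 9abcdef0 12345679 5012 ffff 0000 0000")
ACK_HEADER    = bytes.fromhex("c4d0 0050 12345679 9abcdef1 5010 ffff 0000 0000")

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def tcp_flags(tcp_header: bytes) -> int:
    """Return the low eight flag bits of a TCP header (byte 13)."""
    if len(tcp_header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    return tcp_header[13]


def bitwise_and_int(value: int, mask: int) -> bool:
    """Model "field & mask" on an integer field: true when any masked bit is
    set, which is how "tcp.flags & 0x02" and "wsp.pdu_type & 0x40" read."""
    return (value & mask) != 0


def bitwise_and_slice(slice_bytes: bytes, mask: bytes) -> bool:
    """Model "field[i:j] & mask" on a slice: the mask is a byte string that
    must have exactly as many bytes as the slice, and the test is true when
    any bit survives the byte-wise AND."""
    if len(mask) != len(slice_bytes):
        raise ValueError("mask is %d bytes but the slice is %d bytes"
                         % (len(mask), len(slice_bytes)))
    return any(a & b for a, b in zip(slice_bytes, mask))


def matches_syn_filter(tcp_header: bytes) -> bool:
    """tcp.flags & 0x02 as written above; a SYN/ACK passes too."""
    return bitwise_and_int(tcp_flags(tcp_header), TCP_SYN)


def is_pure_syn(tcp_header: bytes) -> bool:
    """Connection-open attempts only: SYN set and ACK clear. One "&" test
    cannot express this; it needs a second test on the ACK bit."""
    flags = tcp_flags(tcp_header)
    return bitwise_and_int(flags, TCP_SYN) and not bitwise_and_int(flags, TCP_ACK)


if __name__ == "__main__":
    for name, hdr in (("SYN", SYN_HEADER), ("SYN/ACK", SYNACK_HEADER), ("ACK", ACK_HEADER)):
        print("%-8s flags=0x%02x  & 0x02 -> %s  pure SYN -> %s"
              % (name, tcp_flags(hdr), matches_syn_filter(hdr), is_pure_syn(hdr)))
    print(bitwise_and_slice(b"\x40\x00", bytes.fromhex("40ff")))   # True
```

The slice form raises on a mask of the wrong length rather than silently padding it, which is the error the engine reports for a mask that does not match the slice width.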

Logical expressions
Tests can be combined using logical expressions. These too are expressible in C-like syntax or with English-like abbreviations:

    and, &&    Logical AND
    or, ||     Logical OR
    not, !     Logical NOT

Expressions can be grouped by parentheses as well. The following are all valid display filter expressions:

    tcp.port == 80 and ip.src == 192.168.2.1
    not llc
    http and frame[100-199] contains "wireshark"
    (ipx.src.net == 0xbad && ipx.src.node == 0.0.0.0.0.1) || ip

Remember that whenever a protocol or field name occurs in an expression, the "exists" operator is implicitly called. The "exists" operator has the highest priority. This means that the first filter expression must be read as "show me the packets for which tcp.port exists and equals 80, and ip.src exists and equals 192.168.2.1". The second filter expression means "show me the packets where not (llc exists)", or in other words "where llc does not exist" and hence will match all packets that do not contain the llc protocol. The third filter expression includes the constraint that offset 199 in the frame exists, in other words the length of the frame is at least 200.
A special caveat must be given regarding fields that occur more than once per packet. "ip.addr" occurs twice per IP packet, once for the source address, and once for the destination address. Likewise, "tr.rif.ring" fields can occur more than once per packet. The following two expressions are not equivalent:

    ip.addr ne 192.168.4.1
    not ip.addr eq 192.168.4.1

The first filter says "show me packets where an ip.addr exists that does not equal 192.168.4.1". That is, as long as one ip.addr in the packet does not equal 192.168.4.1, the packet passes the display filter. The other ip.addr could equal 192.168.4.1 and the packet would still be displayed. The second filter says "don't show me any packets that have an ip.addr field equal to 192.168.4.1". If one ip.addr is 192.168.4.1, the packet does not pass. If neither ip.addr field is 192.168.4.1, then the packet is displayed.

It is easy to think of the 'ne' and 'eq' operators as having an implicit "exists" modifier when dealing with multiply-recurring fields. "ip.addr ne 192.168.4.1" can be thought of as "there exists an ip.addr that does not equal 192.168.4.1". "not ip.addr eq 192.168.4.1" can be thought of as "there does not exist an ip.addr equal to 192.168.4.1".

Be careful with multiply-recurring fields; they can be confusing.

Care must also be taken when using the display filter to remove noise from the packet trace. If, for example, you want to filter out all IP multicast packets to address 224.1.2.3, then using:

    ip.dst ne 224.1.2.3

may be too restrictive. Filtering with "ip.dst" selects only those IP packets that satisfy the rule. Any other packets, including all non-IP packets, will not be displayed. To display the non-IP packets as well, you can use one of the following two expressions:

    not ip or ip.dst ne 224.1.2.3
    not ip.addr eq 224.1.2.3

The first filter uses "not ip" to include all non-IP packets and then lets "ip.dst ne 224.1.2.3" filter out the unwanted IP packets. The second filter has already been explained above where filtering with multiply-occurring fields was discussed.
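A model of the semantics discussed in the last few paragraphs (the implicit "exists" on every field name, the not > and > or precedence, and the way a test on a multiply-occurring field passes when any one occurrence matches), as an added example. This is not Wireshark's dfilter engine; it is a small recursive-descent evaluator written for this page that handles bare field names, eq/==, ne/!=, not/!, and/&&, or/|| and parentheses over a constructed four-packet trace in which each field maps to its list of occurrences (all names and sample values are this example's own). Running the filters from the text over that trace reproduces the behaviour described: "ip.addr ne 192.168.4.1" still returns the packet whose other address is 192.168.4.1, "ip.dst ne 224.1.2.3" drops the ARP packet, and both corrected filters keep it:

```python
import re
from typing import Any, Callable, Dict, List

# A packet is modelled as field name -> list of occurrences, because fields
# such as ip.addr occur more than once per packet. Constructed model of the
# filter semantics, not Wireshark's own engine.
Packet = Dict[str, List[Any]]
Test = Callable[[Packet], bool]

# Subset handled: bare field/protocol names (implicit "exists"), eq/==, ne/!=,
# not/!, and/&&, or/||, parentheses. Values are integers in decimal, octal or
# hex, or otherwise plain text such as an address.
_TOKEN = re.compile(r"\(|\)|==|!=|&&|\|\||!|[^\s()=!&|]+")


def _literal(text: str) -> Any:
    if re.fullmatch(r"0[0-7]+", text):      # leading zero: octal, as in 012
        return int(text, 8)
    try:
        return int(text, 0)                  # decimal or 0x hex
    except ValueError:
        return text


class _Parser:
    """Recursive descent with the engine's precedence: not > and > or."""

    def __init__(self, expr: str) -> None:
        self.toks, self.pos = _TOKEN.findall(expr), 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def parse(self) -> Test:
        node = self._or()
        if self._peek() is not None:
            raise ValueError("unexpected token %r" % self._peek())
        return node

    def _or(self) -> Test:
        node = self._and()
        while self._peek() in ("or", "||"):
            self._take()
            node = self._combine(node, self._and(), lambda a, b: a or b)
        return node

    def _and(self) -> Test:
        node = self._not()
        while self._peek() in ("and", "&&"):
            self._take()
            node = self._combine(node, self._not(), lambda a, b: a and b)
        return node

    @staticmethod
    def _combine(left: Test, right: Test, op) -> Test:
        return lambda pkt: op(left(pkt), right(pkt))

    def _not(self) -> Test:
        if self._peek() in ("not", "!"):
            self._take()
            inner = self._not()
            return lambda pkt: not inner(pkt)
        return self._atom()

    def _atom(self) -> Test:
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing )")
            return node
        if tok is None or tok == ")":
            raise ValueError("expected a field name, got %r" % tok)
        field, op = tok, self._peek()
        if op not in ("eq", "==", "ne", "!="):
            return lambda pkt: len(pkt.get(field, [])) > 0   # bare name: exists
        self._take()
        val_tok = self._take()
        if val_tok is None:
            raise ValueError("missing value after %s" % op)
        val, want_equal = _literal(val_tok), op in ("eq", "==")
        # A relational test passes when ANY occurrence satisfies it, and a
        # packet without the field fails it (the implicit "exists"). That is
        # why "ip.addr ne X" and "not ip.addr eq X" select different packets.
        return lambda pkt: any((v == val) == want_equal for v in pkt.get(field, []))


def select(expr: str, packets: Dict[str, Packet]) -> List[str]:
    """Names of the packets in the trace that pass the display filter."""
    test = _Parser(expr).parse()
    return [name for name, pkt in packets.items() if test(pkt)]


# Constructed sample trace: two unicast IP packets, one IP multicast packet
# to 224.1.2.3 and one non-IP (ARP) packet.
SAMPLE: Dict[str, Packet] = {
    "ip_a": {"ip": [True], "ip.src": ["192.168.4.1"], "ip.dst": ["10.0.0.5"],
             "ip.addr": ["192.168.4.1", "10.0.0.5"], "tcp.port": [443, 51000]},
    "ip_b": {"ip": [True], "ip.src": ["192.168.2.1"], "ip.dst": ["10.0.0.9"],
             "ip.addr": ["192.168.2.1", "10.0.0.9"], "tcp.port": [52000, 80]},
    "mcast": {"ip": [True], "ip.src": ["10.0.0.5"], "ip.dst": ["224.1.2.3"],
              "ip.addr": ["10.0.0.5", "224.1.2.3"], "udp.port": [5000, 5000]},
    "arp": {"arp": [True], "eth.src": ["00:00:83:01:02:03"]},
}
```

Usage: select("ip.addr ne 192.168.4.1", SAMPLE) returns ["ip_a", "ip_b", "mcast"], because ip_a's second address satisfies the test; select("not ip.addr eq 192.168.4.1", SAMPLE) returns ["ip_b", "mcast", "arp"]. The same "any occurrence" rule is why an analyst who writes "ip.addr != attacker" to exclude a host from a trace ends up excluding nothing.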

FILTER FIELD REFERENCE
The entire list of display filters is too large to list here. You can find references and examples at the following locations:

    The online Display Filter Reference: https://www.wireshark.org/docs/dfref/
    Help:Supported Protocols in Wireshark
    tshark -G fields on the command line
    The Wireshark wiki: https://wiki.wireshark.org/DisplayFilters

NOTES
The wireshark-filters manpage is part of the Wireshark distribution. The latest version of Wireshark can be found at https://www.wireshark.org.

Regular expressions in the "matches" operator are provided by GRegex in GLib. See http://developer.gnome.org/glib/2.32/glib-regex-syntax.html/ or http://www.pcre.org/ for more information.

This manpage does not describe the capture filter syntax, which is different. See the manual page of pcap-filter(7) or, if that doesn't exist, tcpdump(8), or, if that doesn't exist, https://wiki.wireshark.org/CaptureFilters for a description of capture filters.

SEE ALSO
wireshark(1), tshark(1), editcap(1), pcap(3), pcap-filter(7) or tcpdump(8) if it doesn't exist.

AUTHORS
See the list of authors in the Wireshark man page for a list of authors of that code.
