DisplayFilters
Ethereal uses display filters for general packet filtering while viewing and for its ColoringRules.
The basics and the syntax of the display filters are described in the
User's Guide.
The master list of display filter protocol fields can be found in the
display filter reference.
If you need a display filter for a specific protocol, have a look for it at the ProtocolReference.
Examples
Show only SMTP (port 25) and ICMP traffic:
- tcp.port eq 25 or icmp
TCP buffer full -- Source is instructing Destination to stop sending data
- tcp.window_size == 0 && tcp.flags.reset != 1
Filter on Windows -- Filter out noise, while watching Windows Client - DC exchanges
- smb || nbns || dcerpc || nbss || dns
Sasser worm (what Sasser really did):
- ls_ads.opnum==0x09
Match packets containing the (arbitrary) 3-byte sequence 0x81, 0x60, 0x03 at the beginning of the UDP payload, i.e. immediately after the 8-byte UDP header. Note that the values in the byte sequence are implicitly hexadecimal. (Useful for matching homegrown packet protocols.)
- udp[8:3]==81:60:03
The "slice" feature is also useful to filter on the vendor identifier part (OUI) of the MAC address, see the Ethernet page for details. Thus you may restrict the display to only packets from a specific device manufacturer. E.g. for DELL machines only:
- eth.addr[0:3]==00:06:5B
[ Feel free to contribute more ]
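The two slice examples above (udp[8:3] and eth.addr[0:3]) both compare a fixed number of bytes at a fixed offset. The following Python is an added example, not Ethereal code, that reproduces that semantic on a constructed Ethernet/IPv4/UDP frame: it locates the UDP header from the IPv4 IHL, compares the first bytes of the payload, and checks the OUI on either MAC address the way eth.addr does. The frame builder, the hex strings and the helper names are assumptions made for the example; the header offsets (14-byte Ethernet, IHL*4 IPv4, 8-byte UDP) are the standard ones.

```python
"""Byte-slice matching in the spirit of Ethereal's udp[8:3] and eth.addr[0:3].

Added example, not part of the Ethereal project. The frame contents are
constructed test data; only the header layout is real.
"""
import struct

ETH_HDR_LEN = 14   # destination MAC, source MAC, EtherType
UDP_HDR_LEN = 8    # source port, destination port, length, checksum


def build_frame(src_mac_hex: str, dst_mac_hex: str, payload: bytes) -> bytes:
    """Construct a minimal Ethernet II / IPv4 / UDP frame (constructed data)."""
    eth = bytes.fromhex(dst_mac_hex) + bytes.fromhex(src_mac_hex) + b"\x08\x00"
    total_len = 20 + UDP_HDR_LEN + len(payload)
    # version/IHL=0x45, TOS, total length, ID, flags/frag, TTL, proto=17 (UDP),
    # checksum (left zero), source and destination IPv4 (constructed values)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 40000, 5000, UDP_HDR_LEN + len(payload), 0)
    return eth + ip + udp + payload


def udp_header_offset(frame: bytes) -> int:
    """Offset of the UDP header: Ethernet header plus IHL*4 bytes of IPv4 header."""
    ihl = frame[ETH_HDR_LEN] & 0x0F
    return ETH_HDR_LEN + ihl * 4


def slice_eq(data: bytes, offset: int, length: int, expected: bytes) -> bool:
    """Equivalent of `proto[offset:length] == xx:yy:zz`.

    Exactly `length` bytes starting at `offset` are compared; a slice that
    would run past the end of the data never matches (a short packet must not
    produce a false positive).
    """
    if len(expected) != length or offset + length > len(data):
        return False
    return data[offset:offset + length] == expected


def udp_payload_match(frame: bytes, pattern_hex: str) -> bool:
    """udp[8:N] == pattern: N bytes immediately after the 8-byte UDP header."""
    pattern = bytes.fromhex(pattern_hex.replace(":", ""))
    base = udp_header_offset(frame)
    return slice_eq(frame, base + UDP_HDR_LEN, len(pattern), pattern)


def eth_addr_oui_match(frame: bytes, oui_hex: str) -> bool:
    """eth.addr[0:3] == OUI.

    eth.addr covers both the destination and the source address, so the
    filter matches when either address starts with the OUI.
    """
    oui = bytes.fromhex(oui_hex.replace(":", ""))
    dst, src = frame[0:6], frame[6:12]
    return slice_eq(dst, 0, 3, oui) or slice_eq(src, 0, 3, oui)


if __name__ == "__main__":
    frame = build_frame("00065B123456", "001122334455", bytes.fromhex("816003aabb"))
    print("udp[8:3]==81:60:03 :", udp_payload_match(frame, "81:60:03"))
    print("eth.addr[0:3]==00:06:5B :", eth_addr_oui_match(frame, "00:06:5B"))
```

The short-packet check in `slice_eq` is the part worth carrying over to any home-grown matcher: a payload shorter than the slice is simply a non-match, not an error and not a partial match.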
Gotchas
Some filter fields match against multiple protocol fields. For example, "ip.addr" matches against both the IP source and destination addresses in the IP header. The same is true for "tcp.port", "udp.port", "eth.addr", and others. It's important to note that
- ip.addr == 10.43.54.65
is equivalent to
ip.src == 10.43.54.65 or ip.dst == 10.43.54.65
This can be counterintuitive in some cases. Suppose we want to filter out any traffic to or from 10.43.54.65. We might try the following:
- ip.addr != 10.43.54.65
which is equivalent to
ip.src != 10.43.54.65 or ip.dst != 10.43.54.65
This translates to "pass all traffic except for traffic with a source IPv4 address of 10.43.54.65 and a destination IPv4 address of 10.43.54.65", which isn't what we wanted.
Instead we need to negate the expression, like so:
- ! ( ip.addr == 10.43.54.65 )
which is equivalent to
! (ip.src == 10.43.54.65 or ip.dst == 10.43.54.65)
This translates to "don't pass any traffic except with a source IPv4 address of 10.43.54.65 or a destination IPv4 address of 10.43.54.65", which is what we wanted.
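The gotcha comes down to one rule: a comparison on a field that occurs more than once in a packet is true if any occurrence satisfies it, for `!=` just as for `==`. The following Python is an added example, not Ethereal code, that models that rule over a handful of constructed packets and shows the two filters from this section giving different results. The `Packet` class, the packet list and the helper names are assumptions made for the example.

```python
"""Model of Ethereal's multi-occurrence field semantics (added example).

`ip.addr` expands to both the source and the destination address, and a
comparison is satisfied when ANY occurrence satisfies it. That is why
`ip.addr != X` is not the same as `!(ip.addr == X)`.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str   # ip.src
    dst: str   # ip.dst


def field_values(pkt: Packet, name: str) -> Tuple[str, ...]:
    """All occurrences of a display-filter field in one packet."""
    if name == "ip.addr":
        return (pkt.src, pkt.dst)     # ip.addr covers both addresses
    if name == "ip.src":
        return (pkt.src,)
    if name == "ip.dst":
        return (pkt.dst,)
    raise KeyError(name)


def field_eq(pkt: Packet, name: str, value: str) -> bool:
    """`name == value`: true if any occurrence equals value."""
    return any(v == value for v in field_values(pkt, name))


def field_ne(pkt: Packet, name: str, value: str) -> bool:
    """`name != value`: true if any occurrence differs from value.

    For a two-valued field this only fails when BOTH occurrences equal value.
    """
    return any(v != value for v in field_values(pkt, name))


def apply_filter(packets: List[Packet], pred: Callable[[Packet], bool]) -> List[Packet]:
    return [p for p in packets if pred(p)]


HOST = "10.43.54.65"

# Constructed sample capture: traffic from the host, to the host, unrelated
# traffic, and a packet where both addresses are the host.
PACKETS = [
    Packet(HOST, "10.0.0.9"),
    Packet("10.0.0.9", HOST),
    Packet("10.0.0.9", "10.0.0.7"),
    Packet(HOST, HOST),
]


def wrong_exclude(packets: List[Packet]) -> List[Packet]:
    """ip.addr != 10.43.54.65  (drops only packets with BOTH addresses == HOST)."""
    return apply_filter(packets, lambda p: field_ne(p, "ip.addr", HOST))


def right_exclude(packets: List[Packet]) -> List[Packet]:
    """!(ip.addr == 10.43.54.65)  (drops every packet touching HOST)."""
    return apply_filter(packets, lambda p: not field_eq(p, "ip.addr", HOST))


def expanded_ne(pkt: Packet) -> bool:
    """ip.src != HOST or ip.dst != HOST, the expansion the text gives."""
    return field_ne(pkt, "ip.src", HOST) or field_ne(pkt, "ip.dst", HOST)


if __name__ == "__main__":
    print("ip.addr != HOST keeps   :", wrong_exclude(PACKETS))
    print("!(ip.addr == HOST) keeps:", right_exclude(PACKETS))
```

Running it shows `ip.addr != 10.43.54.65` keeping three of the four packets, including the two that involve the host, while the negated form keeps only the unrelated packet. The same reasoning applies to `tcp.port`, `udp.port` and `eth.addr`, which also expand to two occurrences per packet.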
