manpagez: man pages & more
man wireshark-filter(4)
Home | html | info | man
wireshark-filter(4)     The Wireshark Network Analyzer     wireshark-filter(4)




NAME

       wireshark-filter - Wireshark display filter syntax and reference


SYNOPSIS

       wireshark [other options]
       [ -Y "display filter expression" | b<--display-filter "display filter
       expression" ]>

       tshark [other options] [ -Y "display filter expression" ]


DESCRIPTION

       Wireshark and TShark share a powerful filter engine that helps remove
       the noise from a packet trace and lets you see only the packets that
       interest you.  If a packet meets the requirements expressed in your
       filter, then it is displayed in the list of packets.  Display filters
       let you compare the fields within a protocol against a specific value,
       compare fields against fields, and check the existence of specified
       fields or protocols.

       Filters are also used by other features such as statistics generation
       and packet list colorization (the latter is only available to
       Wireshark). This manual page describes their syntax. A comprehensive
       reference of filter fields can be found within Wireshark and in the
       display filter reference at <https://www.wireshark.org/docs/dfref/>.


FILTER SYNTAX

   Check whether a field or protocol exists
       The simplest filter allows you to check for the existence of a protocol
       or field.  If you want to see all packets which contain the IP
       protocol, the filter would be "ip" (without the quotation marks). To
       see all packets that contain a Token-Ring RIF field, use "tr.rif".

       Think of a protocol or field in a filter as implicitly having the
       "exists" operator.

   Comparison operators
       Fields can also be compared against values.  The comparison operators
       can be expressed either through English-like abbreviations or through
       C-like symbols:

           eq, ==    Equal
           ne, !=    Not Equal
           gt, >     Greater Than
           lt, <     Less Than
           ge, >=    Greater than or Equal to
           le, <=    Less than or Equal to

   Search and match operators
       Additional operators exist expressed only in English, not C-like
       syntax:

           contains     Does the protocol, field or slice contain a value
           matches, ~   Does the protocol or text string match the given
                        case-insensitive Perl-compatible regular expression

       The "contains" operator allows a filter to search for a sequence of
       characters, expressed as a string (quoted or unquoted), or bytes,
       expressed as a byte array, or for a single character, expressed as a
       C-style character constant.  For example, to search for a given HTTP
       URL in a capture, the following filter can be used:

           http contains "https://www.wireshark.org"

       The "contains" operator cannot be used on atomic fields, such as
       numbers or IP addresses.

       The "matches"  or "~" operator allows a filter to apply to a specified
       Perl-compatible regular expression (PCRE).  The "matches" operator is
       only implemented for protocols and for protocol fields with a text
       string representation. Matches are case-insensitive by default.  For
       example, to search for a given WAP WSP User-Agent, you can write:

           wsp.user_agent matches "cldc"

       This would match "cldc", "CLDC", "cLdC" or any other combination of
       upper and lower case letters.

       You can force case sensitivity using

           wsp.user_agent matches "(?-i)cldc"

       This is an example of PCRE's (?option) construct. (?-i) performs a
       case-sensitive pattern match but other options can be specified as
       well. More information can be found in the pcrepattern(3) man page at
       <https://perldoc.perl.org/perlre.html>).

   Functions
       The filter language has the following functions:

           upper(string-field) - converts a string field to uppercase
           lower(string-field) - converts a string field to lowercase
           len(field)          - returns the byte length of a string or bytes field
           count(field)        - returns the number of field occurrences in a frame
           string(field)       - converts a non-string field to string

       upper() and lower() are useful for performing case-insensitive string
       comparisons. For example:

           upper(ncp.nds_stream_name) contains "MACRO"
           lower(mount.dump.hostname) == "angel"

       string() converts a field value to a string, suitable for use with
       operators like "matches" or "contains". Integer fields are converted to
       their decimal representation.  It can be used with IP/Ethernet
       addresses (as well as others), but not with string or byte fields. For
       example:

           string(frame.number) matches "[13579]$"

       gives you all the odd packets.

   Protocol field types
       Each protocol field is typed. The types are:

           ASN.1 object identifier
           Boolean
           Character string
           Compiled Perl-Compatible Regular Expression (GRegex) object
           Date and time
           Ethernet or other MAC address
           EUI64 address
           Floating point (double-precision)
           Floating point (single-precision)
           Frame number
           Globally Unique Identifier
           IPv4 address
           IPv6 address
           IPX network number
           Label
           Protocol
           Sequence of bytes
           Signed integer, 1, 2, 3, 4, or 8 bytes
           Time offset
           Unsigned integer, 1, 2, 3, 4, or 8 bytes
           1-byte ASCII character

       An integer may be expressed in decimal, octal, or hexadecimal notation,
       or as a C-style character constant.  The following six display filters
       are equivalent:

           frame.pkt_len > 10
           frame.pkt_len > 012
           frame.pkt_len > 0xa
           frame.pkt_len > '\n'
           frame.pkt_len > '\xa'
           frame.pkt_len > '\012'

       Boolean values are either true or false.  In a display filter
       expression testing the value of a Boolean field, "true" is expressed as
       1 or any other non-zero value, and "false" is expressed as zero.  For
       example, a token-ring packet's source route field is Boolean.  To find
       any source-routed packets, a display filter would be:

           tr.sr == 1

       Non source-routed packets can be found with:

           tr.sr == 0

       Ethernet addresses and byte arrays are represented by hex digits.  The
       hex digits may be separated by colons, periods, or hyphens:

           eth.dst eq ff:ff:ff:ff:ff:ff
           aim.data == 0.1.0.d
           fddi.src == aa-aa-aa-aa-aa-aa
           echo.data == 7a

       IPv4 addresses can be represented in either dotted decimal notation or
       by using the hostname:

           ip.dst eq www.mit.edu
           ip.src == 192.168.1.1

       IPv4 addresses can be compared with the same logical relations as
       numbers: eq, ne, gt, ge, lt, and le.  The IPv4 address is stored in
       host order, so you do not have to worry about the endianness of an IPv4
       address when using it in a display filter.

       Classless InterDomain Routing (CIDR) notation can be used to test if an
       IPv4 address is in a certain subnet.  For example, this display filter
       will find all packets in the 129.111 Class-B network:

           ip.addr == 129.111.0.0/16

       Remember, the number after the slash represents the number of bits used
       to represent the network.  CIDR notation can also be used with
       hostnames, as in this example of finding IP addresses on the same Class
       C network as 'sneezy':

           ip.addr eq sneezy/24

       The CIDR notation can only be used on IP addresses or hostnames, not in
       variable names.  So, a display filter like "ip.src/24 == ip.dst/24" is
       not valid (yet).

       IPX networks are represented by unsigned 32-bit integers.  Most likely
       you will be using hexadecimal when testing IPX network values:

           ipx.src.net == 0xc0a82c00

       Strings are enclosed in double quotes:

           http.request.method == "POST"

       Inside double quotes, you may use a backslash to embed a double quote
       or an arbitrary byte represented in either octal or hexadecimal.

           browser.comment == "An embedded \" double-quote"

       Use of hexadecimal to look for "HEAD":

           http.request.method == "\x48EAD"

       Use of octal to look for "HEAD":

           http.request.method == "\110EAD"

       This means that you must escape backslashes with backslashes inside
       double quotes.

           smb.path contains "\\\\SERVER\\SHARE"

       looks for \\SERVER\SHARE in "smb.path".

   The slice operator
       You can take a slice of a field if the field is a text string or a byte
       array.  For example, you can filter on the vendor portion of an
       ethernet address (the first three bytes) like this:

           eth.src[0:3] == 00:00:83

       Another example is:

           http.content_type[0:4] == "text"

       You can use the slice operator on a protocol name, too.  The "frame"
       protocol can be useful, encompassing all the data captured by Wireshark
       or TShark.

           token[0:5] ne 0.0.0.1.1
           llc[0] eq aa
           frame[100-199] contains "wireshark"

       The following syntax governs slices:

           [i:j]    i = start_offset, j = length
           [i-j]    i = start_offset, j = end_offset, inclusive.
           [i]      i = start_offset, length = 1
           [:j]     start_offset = 0, length = j
           [i:]     start_offset = i, end_offset = end_of_field

       Offsets can be negative, in which case they indicate the offset from
       the end of the field.  The last byte of the field is at offset -1, the
       last but one byte is at offset -2, and so on.  Here's how to check the
       last four bytes of a frame:

           frame[-4:4] == 0.1.2.3

       or

           frame[-4:] == 0.1.2.3

       A slice is always compared against either a string or a byte sequence.
       As a special case, when the slice is only 1 byte wide, you can compare
       it against a hex integer that 0xff or less (which means it fits inside
       one byte). This is not allowed for byte sequences greater than one
       byte, because then one would need to specify the endianness of the
       multi-byte integer. Also, this is not allowed for decimal numbers,
       since they would be confused with hex numbers that are already allowed
       as byte strings. Nevertheless, single-byte hex integers can be
       convenient:

           frame[4] == 0xff

       Slices can be combined. You can concatenate them using the comma
       operator:

           ftp[1,3-5,9:] == 01:03:04:05:09:0a:0b

       This concatenates offset 1, offsets 3-5, and offset 9 to the end of the
       ftp data.

   The membership operator
       A field may be checked for matches against a set of values simply with
       the membership operator. For instance, you may find traffic on common
       HTTP/HTTPS ports with the following filter:

           tcp.port in {80 443 8080}

       as opposed to the more verbose:

           tcp.port == 80 or tcp.port == 443 or tcp.port == 8080

       To find HTTP requests using the HEAD or GET methods:

           http.request.method in {"HEAD" "GET"}

       The set of values can also contain ranges:

           tcp.port in {443 4430..4434}
           ip.addr in {10.0.0.5 .. 10.0.0.9 192.168.1.1..192.168.1.9}
           frame.time_delta in {10 .. 10.5}

   Type conversions
       If a field is a text string or a byte array, it can be expressed in
       whichever way is most convenient.

       So, for instance, the following filters are equivalent:

           http.request.method == "GET"
           http.request.method == 47.45.54

       A range can also be expressed in either way:

           frame[60:2] gt 50.51
           frame[60:2] gt "PQ"

   Bit field operations
       It is also possible to define tests with bit field operations.
       Currently the following bit field operation is supported:

           bitwise_and, &      Bitwise AND

       The bitwise AND operation allows testing to see if one or more bits are
       set.  Bitwise AND operates on integer protocol fields and slices.

       When testing for TCP SYN packets, you can write:

           tcp.flags & 0x02

       That expression will match all packets that contain a "tcp.flags" field
       with the 0x02 bit, i.e. the SYN bit, set.

       Similarly, filtering for all WSP GET and extended GET methods is
       achieved with:

           wsp.pdu_type & 0x40

       When using slices, the bit mask must be specified as a byte string, and
       it must have the same number of bytes as the slice itself, as in:

           ip[42:2] & 40:ff

   Logical expressions
       Tests can be combined using logical expressions.  These too are
       expressible in C-like syntax or with English-like abbreviations:

           and, &&   Logical AND
           or,  ||   Logical OR
           not, !    Logical NOT

       Expressions can be grouped by parentheses as well.  The following are
       all valid display filter expressions:

           tcp.port == 80 and ip.src == 192.168.2.1
           not llc
           http and frame[100-199] contains "wireshark"
           (ipx.src.net == 0xbad && ipx.src.node == 0.0.0.0.0.1) || ip

       Remember that whenever a protocol or field name occurs in an
       expression, the "exists" operator is implicitly called. The "exists"
       operator has the highest priority. This means that the first filter
       expression must be read as "show me the packets for which tcp.port
       exists and equals 80, and ip.src exists and equals 192.168.2.1". The
       second filter expression means "show me the packets where not (llc
       exists)", or in other words "where llc does not exist" and hence will
       match all packets that do not contain the llc protocol.  The third
       filter expression includes the constraint that offset 199 in the frame
       exists, in other words the length of the frame is at least 200.

       A special caveat must be given regarding fields that occur more than
       once per packet.  "ip.addr" occurs twice per IP packet, once for the
       source address, and once for the destination address.  Likewise,
       "tr.rif.ring" fields can occur more than once per packet.  The
       following two expressions are not equivalent:

               ip.addr ne 192.168.4.1
           not ip.addr eq 192.168.4.1

       The first filter says "show me packets where an ip.addr exists that
       does not equal 192.168.4.1".  That is, as long as one ip.addr in the
       packet does not equal 192.168.4.1, the packet passes the display
       filter.  The other ip.addr could equal 192.168.4.1 and the packet would
       still be displayed.  The second filter says "don't show me any packets
       that have an ip.addr field equal to 192.168.4.1".  If one ip.addr is
       192.168.4.1, the packet does not pass.  If neither ip.addr field is
       192.168.4.1, then the packet is displayed.

       It is easy to think of the 'ne' and 'eq' operators as having an
       implicit "exists" modifier when dealing with multiply-recurring fields.
       "ip.addr ne 192.168.4.1" can be thought of as "there exists an ip.addr
       that does not equal 192.168.4.1".  "not ip.addr eq 192.168.4.1" can be
       thought of as "there does not exist an ip.addr equal to 192.168.4.1".

       Be careful with multiply-recurring fields; they can be confusing.

       Care must also be taken when using the display filter to remove noise
       from the packet trace. If, for example, you want to filter out all IP
       multicast packets to address 224.1.2.3, then using:

           ip.dst ne 224.1.2.3

       may be too restrictive. Filtering with "ip.dst" selects only those IP
       packets that satisfy the rule. Any other packets, including all non-IP
       packets, will not be displayed. To display the non-IP packets as well,
       you can use one of the following two expressions:

           not ip or ip.dst ne 224.1.2.3
           not ip.addr eq 224.1.2.3

       The first filter uses "not ip" to include all non-IP packets and then
       lets "ip.dst ne 224.1.2.3" filter out the unwanted IP packets. The
       second filter has already been explained above where filtering with
       multiply occurring fields was discussed.


FILTER FIELD REFERENCE

       The entire list of display filters is too large to list here. You can
       can find references and examples at the following locations:

       o   The online Display Filter Reference:
           <https://www.wireshark.org/docs/dfref/>

       o   View:Internals:Supported Protocols in Wireshark

       o   "tshark -G fields" on the command line

       o   The Wireshark wiki:
           <https://gitlab.com/wireshark/wireshark/-/wikis/DisplayFilters>


NOTES

       The wireshark-filters manpage is part of the Wireshark distribution.
       The latest version of Wireshark can be found at
       <https://www.wireshark.org>.

       Regular expressions in the "matches" operator are provided by GRegex in
       GLib.  See
       <https://developer.gnome.org/glib/2.32/glib-regex-syntax.html> or
       <https://www.pcre.org/> for more information.

       This manpage does not describe the capture filter syntax, which is
       different. See the manual page of pcap-filter(7) or, if that doesn't
       exist, tcpdump(8), or, if that doesn't exist,
       <https://wiki.wireshark.org/CaptureFilters> for a description of
       capture filters.

       Display Filters are also described in the User's Guide:
       <https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html>


SEE ALSO

       wireshark(1), tshark(1), editcap(1), pcap(3), pcap-filter(7) or
       tcpdump(8) if it doesn't exist.


AUTHORS

       See the list of authors in the Wireshark man page for a list of authors
       of that code.



3.4.9                             2021-10-06               wireshark-filter(4)

wireshark 3.4.9 - Generated Tue Oct 19 18:40:24 CDT 2021
© manpagez.com 2000-2024
Individual documents may contain additional copyright information.