Filter
Top Products
English C-like Description and example
frame.pkt_len < 128
ge
>=
Greater than or equal to
frame.pkt_len ge 0x100
le
<=
Less than or equal to
frame.pkt_len <= 0x20
In addition, all protocol fields are typed. Table 6.3, “Display Filter Field Types” provides a list of
the types and example of how to express them.
Table 6.3. Display Filter Field Types
Type Example
Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit)
You can express integers in decimal, octal, or hexa-
decimal. The following display filters are equivalent:
ip.len le 1500
ip.len le 02734
ip.len le 0x436
Signed integer (8-bit, 16-bit, 24-bit, 32-bit)
Boolean
A boolean field is present in the protocol decode only
if its value is true. For example, tcp.flags.syn is
present, and thus true, only if the SYN flag is present
in a TCP segment header.
Thus the filter expression tcp.flags.syn will select only
those packets for which this flag exists, that is, TCP
segments where the segment header contains the SYN
flag. Similarly, to find source-routed token ring pack-
ets, use a filter expression of tr.sr.
Ethernet address (6 bytes) eth.addr == ff:ff:ff:ff:ff:ff
IPv4 address ip.addr == 192.168.0.1
IPv6 address
IPX network number
String (text)
Double-precision floating point number
6.3.3. Combining expressions
You can combine filter expressions in Ethereal using the logical operators shown in Table 6.4,
“Display Filter Logical Operations”
Working with captured packets
106