Building display filter expressions | Lucent Technologies Ethereal

Working with captured packets

6.3. Building display filter expressions

Ethereal provides a simple but powerful display filter language that you can build quite complex fil- ter expressions with. You can compare values in packets as well as combine expressions into more specific expressions. The following sections provide more information on doing this.

Tip!

You will find a lot of Display Filter examples at the Ethereal Wiki Display Filter page at http://wiki.ethereal.com/DisplayFilters.

6.3.1. Display filter fields

Every field in the packet details pane can be used as a filter string, this will result in showing only the packets where this field exists. For example: the filter string: tcp will show all packets contain- ing the tcp protocol.

There is a complete list of all filter fields available through the menu item "Help/Supported Proto- cols" in the page "Display Filter Fields" of the upcoming dialog.

XXX - add some more info here and a link to the statusbar info.

6.3.2.Comparing values

You can build display filters that compare values using a number of different comparison operators. They are shown in Table 6.2, “Display Filter comparison operators”.

Tip!

You can use English and C-like terms in the same way, they can even be mixed in a filter string!

Table 6.2. Display Filter comparison operators

English

C-like

Description and example

eq

==Equal

ip.addr==10.0.0.5

ne

!=	Not equal
	ip.addr!=10.0.0.5

gt

>Greater than

frame.pkt_len > 10

lt

<Less than

105

Image 119

Lucent Technologies Ethereal manual Building display filter expressions, Display filter fields, Comparing values

Contents

V2.0.2 16376 for Ethereal Ethereal Users Guide Ethereal Users Guide V2.0.2 16376 for Ethereal Page Table of Contents Page Page Page Foreword Preface Who should read this document? Acknowledgements About this document Where to get the latest copy of this document? Providing feedback about this document Preface Xiv Some intended purposes What is Ethereal?Features Introduction Open Source Software Export files for many other capture programsMany protocol decoders What Ethereal is not Linux Platforms Ethereal runs onUnix Microsoft Windows Where to get Ethereal? Rose by any other name Brief history of Ethereal Development and maintenance of Ethereal Mailing Lists Reporting problems and getting helpFAQ Website Wiki Reporting Crashes on UNIX/Linux platforms Reporting Problems Reporting Crashes on Windows platforms Introduction Introduction Building and Installing Ethereal Download all required files Obtaining the source and binary distributions Example 2.1. Building GTK+ from source Before you build Ethereal under Unix Example 2.2. Building and installing libpcap Example 2.5. Installing debs under Debian Unix Building Ethereal from source underPage Installing from debs under Debian Installing the binaries under UnixInstalling from rpms under RedHat and alike Troubleshooting during the install on Unix Building from source under Windows Install Ethereal Installing Ethereal under Windows Install WinPcap Uninstall Ethereal Update EtherealUpdate WinPcap Uninstall WinPcap Building and Installing Ethereal User Interface Start Ethereal Main window Main window User Interface Current program state and the captured data Menu Merge File menuMenu Item Accelerator Description Open Open Recent Files Menu Item Accelerator Description SaveSave As File Set List Ted Packet Bytes Menu Item Accelerator Description ExportPdml file Export Selec Edit menu Marking packets for details User Interface View Menu View menu items View menu Beginning Fields Time of Day, Date and Time of DaySeconds Since Beginning of Capture and Seconds Since Previous Packet are mutually exclusive Resize All Menu Item Accelerator Description ZoomZoom Out Normal Size Go menu Menu Item Accelerator Description Last Packet Capture menu Saving filters Analyze Menu Analyze menu items Analyze menu TCP Follow Statistics menu items Statistics menu VoIP Calls 225Message Types 10. The Help Menu Help menu items Help menuPage 11. The Main toolbar Main toolbar items Main toolbar Packet Go To Last Pack Go BackGo Forward First Tion 9.3, Packet colorization 12. The Filter toolbar Filter toolbar 13. The Packet List pane Packet List pane 14. The Packet Details pane Packet Details pane 15. The Packet Bytes pane Packet Bytes pane 17. The initial Statusbar Statusbar User Interface Capturing Live Network Data Prerequisites Capture Options dialog box Start Capturing Prepare Capture Interfaces dialog boxPackets/s Interface Capture Options dialog boxCapture frame Capture packets in promiscuous IP addressLink-layer header type Buffer size n megabytes Stop Capture... frame Capture Files frame Buttons Name Resolution frameDisplay Options frame Capture files and file modes Capture file mode selected by capture options Multiple files, ring buffer Multiple files, continuous Link-layer header type Ether srcdst host ehost Filtering while capturingExample 4.2. Capturing all telnet traffic not from Srcdst host host Tcpudp srcdst port port Gateway host hostSrcdst net net mask Masklen len Stop the running capture While a Capture is running Restart a running capture Using the toolbar item Capturing Live Network Data File Input / Output and Printing Open Capture File dialog box Open capture files Input File Formats Page Save Capture File As dialog box Saving captured packets Tip Output File Formats Merge with Capture File dialog box Merging capture filesPage List Files dialog box File Sets Export as PostScript File dialog box Exporting dataExport as Plain Text File dialog box Export as Psml File dialog box Export as CSV Comma Seperated Values File dialog box Export as Psml File dialog box Export as Pdml File dialog box Export Selected Packet Bytes dialog box Export selected packet bytes dialog boxPage Printer Printing packetsPrint dialog box Lpr -Pmypostscript 10. The Packet Range frame Packet Range frame 11. The Packet Format frame Packet Format frame File Input / Output and Printing Viewing packets you have captured Working with captured packets Function overview of the pop-up menus Copy Lis Byt Menu Description TailDecode As New Window Resolve name Follow TCP Stream Mark Packet toggle Go to Corresponding Packet Filter Field ReferenceProtocol Properties Export Selected Packet Bytes Filtering on the TCP protocol Filtering packets while viewingPage Display Filter comparison operators Building display filter expressionsDisplay filter fields Comparing values Display Filter Field Types Combining expressions Display Filter Logical Operations Common mistake Filter Expression dialog box Filter Expression dialog box Range CancelValue Predefined values Capture Filters and Display Filters dialog boxes Defining and saving filters Filter name NewDelete Filter Hex Value Finding packetsFind Packet dialog box Display filter Down Find Next commandFind Previous command Go to a specific packet Marking packets Packet time referencing Time display formats and time referencesPage Working with captured packets 119 Advanced Features Follow TCP stream dialog box Following TCP streamsPage How Ethereal handles it What is it?Reassembling is disabled by default Packet Reassembling IP name resolution network layer Name ResolutionEthernet name resolution MAC layer TCP/UDP port name resolution transport layer IPX name resolution network layer Advanced Features 126 Statistics Summary window Summary windowPage Protocol Hierarchy window Protocol Hierarchy windowPage Endpoints window What is an Endpoint?Endpoints Protocol specific Endpoint List windows Protocol specific Conversation List windows What is a Conversation?Conversations Conversations window Axis IO Graphs windowGraphs Page Fibre Channel 225 RAS Service Response TimeService Response Time DCE-RPC window DCE-RPC Statistic for ... window Protocol specific statistics windows Statistics 140 Customizing Ethereal Filesize ue Start Ethereal from the command lineExample 9.1. Help information available from Ethereal Duration ue Only DurationueFilesizeue Capture buffer size Win32 Ethereal -o mgcp.displaydissecttreeTRUE Preference/recent settingsFont Name resolving flags Statistics-string Time stamp formatSavefile Capture link type Coloring Rules dialog box Packet colorization Choose color dialog box Using color filters with Ethereal Control Protocol dissection Enabled Protocols dialog boxPage Decode As dialog box User Specified Decodes Decode As Show dialog box Show User Specified Decodes Preferences dialog box Preferences Customizing Ethereal 154 Customizing Ethereal 155 Table A.1. Configuration files and folders overview Appendix A. Configuration and other Files and Folders Preferences/ethereal.conf Windows folders Configuration files and folders overview. If an address is Disabledprotos Plugins folder Windows foldersWindows profiles 95/98/ME 98/ME with enabled user proWindows NT/2000/XP roaming profiles Windows temporary folder Configuration and other Files Folders 161 Appendix B. Protocols and Protocol Fields Appendix C. Related command line tools Tcpdump Capturing with tcpdump for viewing with Ethereal Tethereal Terminal-based Ethereal Example C.1. Help information available from capinfos Capinfos Print information about capture files Example C.2. Help information available from editcap Editcap Edit capture files Related command line tools Snaplen Time adjustmentEncap type Capture type Example C.3. Help information available from mergecap Mergecap Merging multiple capture files into one 171 Example C.4. Simple example of using mergecap Example C.5. Help information available for text2pcap Text2pcap Converting Ascii hexdumps to network captures Hexoct Filename Srcport destport L3pid Idl2eth Creating dissectors from Corba IDL files Why do this?How to use idl2eth Prerequisites to using idl2eth Todo Limitations Related command line tools 179 GNU General Public License Appendix D. This Documents License GPL 181 182 183 184 185