`Ethereal` User's Guide: V1.1 for Ethereal 0.8.19
<<< Previous	Using `Ethereal`	Next >>>

Filtering packets while viewing

Ethereal has two filtering languages: One used when capturing packets, and one used when displaying packets. In this section we explore that second type of filters: Display filters. The first one has already been dealt with in the Section called Filtering while capturing.

Display filters allow you to concentrate on the packets you are interested in. They allow you to select packets by:

Protocol
The presence of a field
The values of fields
A comparison between fields

To select packets based on protocol type, simply type the protocol you are interested in in the Filter: field on the bottom left hand corner of the Ethereal window and press enter to initiate the filter. Figure 17 shown an example of what happens when you type smb in the filter field.

	Note!
	All filter expressions are entered in lowercase. Also, don't forget to press enter after entering the filter expression.

Figure 17. Filtering on the SMB protocol

	Note!
	The packets selected in Figure 17 all show up as BROWSER packets but they are carried in SMB packets.

You can filter on any protocol that Ethereal understands. However, you can also filter on any field that a dissector adds to the tree view, but only if the dissector has added an abbreviation for the field. A list of such fields is available in the Ethereal in the Add Expression... dialog box. You can find more information on the Add Expression... dialog box in the Section called The Add Expression Dialog. You may also find a list of the fields in the appendix called Ethereal Display Filter Fields

For example, to narrow the packet list pane down to only those packets to or from 10.0.0.5, use ip.addr==10.0.0.5.

	Note!
	To remove the filter, click on the Reset button to the right of the filter field.

Building filter expressions

Ethereal provides a simple display filter language that you can build quite complex filter expressions with. You can compare values in packets as well as combine expressions into more specific expressions. The following sections provide more information on doing this.

Comparing values

You can build display filters that compare values using a number of different comparison operators. They are shown in Table 7.

Table 7. Display filter comparison operators

English

C-like

Description and example

==

Equal

ip.addr==10.0.0.5

!=

Not equal

ip.addr!=10.0.0.5

Greater than

frame.pkt_len > 10

Less than

frame.pkt_len < 128

>=

Greater than or equal to

frame.pkt_len ge 0x100

<=

Less than or equal to

frame.pkt_len <= 0x20

In addition, all protocol fields are typed. Table 8 provides a list of the types and example of how to express them.

Table 8. Field Types

Type

Example

Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit)

You can express integers in decimal, octal, or hexadecimal. The following display filters are equivalent:

  ip.len le 1500
  ip.len le 02734
  ip.len le 0x436

Signed integer (8-bit, 16-bit, 24-bit, 32-bit)

Boolean

A boolean field is present in the protocol decode only if its value is true. For example, tcp.flags.syn is present, and thus true, only if the SYN flag is present in a TCP segment header.

Thus the filter expression tcp.flags.syn will select only those packets for which this flag exists, that is, TCP segments where the segment header contains the SYN flag. Similarly, to find source-routed token ring packets, use a filter expression of tr.sr.

Ethernet address (6 bytes)

IPv4 address

IPv6 address

IPX network number

String (text)

Double-precision floating point number

Combining expressions

You can combine filter expressions in Ethereal using the logical operators shown in Table 9

Table 9. Display Filter Logical Operations

English

C-like

Description and example

and

Logical AND

ip.addr==10.0.0.5 and tcp.flags.fin

Logical OR

ip.addr==10.0.0.5 or ip.addr==192.1.1.1

xor

Logical XOR

tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29

not

Logical NOT

not llc

[...]

Substring Operator

Ethereal will allow you to select subsequences of a sequence in rather elaborate ways. After a label you can place a pair of brackes [] containing a comma separated list of range specifiers.

eth.src[0:3] == 00:00:83

The example above uses the n:m format to specify a single range. In this case n is the beginning offset and m is the length of the range being specified.

eth.src[1-2] == 00:83

The example above uses the n-m format to specify a single range. In this case n is the beginning offset and m is the ending offset.

eth.src[:4] == 00:00:83:00

The example above uses the :m format, which takes everything from the beginning of a sequence to offset m. It is equivalent to 0:m

eth.src[4:] == 20:20

The example above uses the n: format, which takes everything from offset n to the end of the sequence.

eth.src[2] == 83

The example above uses the n format to specify a single range. In this case the element in the sequence at offset n is selected. This is equivalen to n:1.

eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83

Ethereal will allow you to string together single ranges in a comma separated list to form compound ranges as shown above.

<<< Previous	Home	Next >>>
Reading capture files	Up	Packet colorization