Go to main content

man pages section 4: Device and Network Interfaces

Exit Print View

Updated: Wednesday, July 27, 2022
 
 

wireshark-filter (4)

Name

wireshark-filter - Wireshark display filter syntax and reference

Synopsis

wireshark [other options] [ -Y "display filter expression" |
--display-filter "display filter expression" ]

tshark [other options] [ -Y "display filter expression" |
--display-filter "display filter expression" ]

Description

WIRESHARK-FILTER(4)                                        WIRESHARK-FILTER(4)



NAME
       wireshark-filter - Wireshark display filter syntax and reference

SYNOPSIS
       wireshark [other options] [ -Y "display filter expression" |
       --display-filter "display filter expression" ]

       tshark [other options] [ -Y "display filter expression" |
       --display-filter "display filter expression" ]

DESCRIPTION
       Wireshark and TShark share a powerful filter engine that helps remove
       the noise from a packet trace and lets you see only the packets that
       interest you. If a packet meets the requirements expressed in your
       filter, then it is displayed in the list of packets. Display filters
       let you compare the fields within a protocol against a specific value,
       compare fields against fields, and check the existence of specified
       fields or protocols.

       Filters are also used by other features such as statistics generation
       and packet list colorization (the latter is only available to
       Wireshark). This manual page describes their syntax. A comprehensive
       reference of filter fields can be found within Wireshark and in the
       display filter reference at https://www.wireshark.org/docs/dfref/.

FILTER SYNTAX
   Check whether a field or protocol exists
       The simplest filter allows you to check for the existence of a protocol
       or field. If you want to see all packets which contain the IP protocol,
       the filter would be "ip" (without the quotation marks). To see all
       packets that contain a Token-Ring RIF field, use "tr.rif".

       Think of a protocol or field in a filter as implicitly having the
       "exists" operator.

   Comparison operators
       Fields can also be compared against values. The comparison operators
       can be expressed either through English-like abbreviations or through
       C-like symbols:

           eq, ==    Equal
           ne, !=    Not Equal
           gt, >     Greater Than
           lt, <     Less Than
           ge, >=    Greater than or Equal to
           le, <=    Less than or Equal to

   Search and match operators
       Additional operators exist expressed only in English, not C-like
       syntax:

           contains     Does the protocol, field or slice contain a value
           matches, ~   Does the protocol or text string match the given
                        case-insensitive Perl-compatible regular expression

       The "contains" operator allows a filter to search for a sequence of
       characters, expressed as a string (quoted or unquoted), or bytes,
       expressed as a byte array, or for a single character, expressed as a
       C-style character constant. For example, to search for a given HTTP URL
       in a capture, the following filter can be used:

           http contains "https://www.wireshark.org"

       The "contains" operator cannot be used on atomic fields, such as
       numbers or IP addresses.

       The "matches"  or "~" operator allows a filter to apply to a specified
       Perl-compatible regular expression (PCRE). The "matches" operator is
       only implemented for protocols and for protocol fields with a text
       string representation. Matches are case-insensitive by default. For
       example, to search for a given WAP WSP User-Agent, you can write:

           wsp.header.user_agent matches "cldc"

       This would match "cldc", "CLDC", "cLdC" or any other combination of
       upper and lower case letters.

       You can force case sensitivity using

           wsp.header.user_agent matches "(?-i)cldc"

       This is an example of PCRE's (?*option)* construct. (?-i) performs a
       case-sensitive pattern match but other options can be specified as
       well. More information can be found in the
       pcrepattern(3)|https://www.pcre.org/original/doc/html/pcrepattern.html
       man page.

   Functions
       The filter language has the following functions:

           upper(string-field) - converts a string field to uppercase
           lower(string-field) - converts a string field to lowercase
           len(field)          - returns the byte length of a string or bytes field
           count(field)        - returns the number of field occurrences in a frame
           string(field)       - converts a non-string field to string

       upper() and lower() are useful for performing case-insensitive string
       comparisons. For example:

           upper(ncp.nds_stream_name) contains "MACRO"
           lower(mount.dump.hostname) == "angel"

       string() converts a field value to a string, suitable for use with
       operators like "matches" or "contains". Integer fields are converted to
       their decimal representation. It can be used with IP/Ethernet addresses
       (as well as others), but not with string or byte fields. For example:

           string(frame.number) matches "[13579]$"

       gives you all the odd packets.

   Protocol field types
       Each protocol field is typed. The types are:

           ASN.1 object identifier
           Boolean
           Character string
           Compiled Perl-Compatible Regular Expression (GRegex) object
           Date and time
           Ethernet or other MAC address
           EUI64 address
           Floating point (double-precision)
           Floating point (single-precision)
           Frame number
           Globally Unique Identifier
           IPv4 address
           IPv6 address
           IPX network number
           Label
           Protocol
           Sequence of bytes
           Signed integer, 1, 2, 3, 4, or 8 bytes
           Time offset
           Unsigned integer, 1, 2, 3, 4, or 8 bytes
           1-byte ASCII character

       An integer may be expressed in decimal, octal, or hexadecimal notation,
       or as a C-style character constant. The following six display filters
       are equivalent:

           frame.len > 10
           frame.len > 012
           frame.len > 0xa
           frame.len > '\n'
           frame.len > '\x0a'
           frame.len > '\012'

       Boolean values are either true or false. In a display filter expression
       testing the value of a Boolean field, "true" is expressed as 1 or any
       other non-zero value, and "false" is expressed as zero. For example, a
       token-ring packet's source route field is Boolean. To find any
       source-routed packets, a display filter would be:

           tr.sr == 1

       Non source-routed packets can be found with:

           tr.sr == 0

       Ethernet addresses and byte arrays are represented by hex digits. The
       hex digits may be separated by colons, periods, or hyphens:

           eth.dst eq ff:ff:ff:ff:ff:ff
           aim.data == 0.1.0.d
           fddi.src == aa-aa-aa-aa-aa-aa
           echo.data == 7a

       IPv4 addresses can be represented in either dotted decimal notation or
       by using the hostname:

           ip.src == 192.168.1.1
           ip.dst eq www.mit.edu

       IPv4 addresses can be compared with the same logical relations as
       numbers: eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host
       order, so you do not have to worry about the endianness of an IPv4
       address when using it in a display filter.

       Classless Inter-Domain Routing (CIDR) notation can be used to test if
       an IPv4 address is in a certain subnet. For example, this display
       filter will find all packets in the 129.111 network:

           ip.addr == 129.111.0.0/16

       Remember, the number after the slash represents the number of bits used
       to represent the network. CIDR notation can also be used with
       hostnames, as in this example of finding IP addresses on the same
       network as 'sneezy' (requires that 'sneezy' resolve to an IP address
       for filter to be valid):

           ip.addr eq sneezy/24

       The CIDR notation can only be used on IP addresses or hostnames, not in
       variable names. So, a display filter like "ip.src/24 == ip.dst/24" is
       not valid (yet).

       Transaction and other IDs are often represented by unsigned 16 or 32
       bit integers and formatted as a hexadecimal string with "0x" prefix:

           (dhcp.id == 0xfe089c15) || (ip.id == 0x0373)

       Strings are enclosed in double quotes:

           http.request.method == "POST"

       Inside double quotes, you may use a backslash to embed a double quote
       or an arbitrary byte represented in either octal or hexadecimal.

           browser.comment == "An embedded \" double-quote"

       Use of hexadecimal to look for "HEAD":

           http.request.method == "\x48EAD"

       Use of octal to look for "HEAD":

           http.request.method == "\110EAD"

       This means that you must escape backslashes with backslashes inside
       double quotes.

           smb.path contains "\\\\SERVER\\SHARE"

       looks for \\SERVER\SHARE in "smb.path". This may be more conveniently
       written as

           smb.path contains r"\\SERVER\SHARE"

       String literals prefixed with 'r' are called "raw strings". Such
       strings treat backslash as a literal character. Double quotes may still
       be escaped with backslash but note that backslashes are always
       preserved in the result.

   The slice operator
       You can take a slice of a field if the field is a text string or a byte
       array. For example, you can filter on the vendor portion of an ethernet
       address (the first three bytes) like this:

           eth.src[0:3] == 00:00:83

       Another example is:

           http.content_type[0:4] == "text"

       You can use the slice operator on a protocol name, too. The "frame"
       protocol can be useful, encompassing all the data captured by Wireshark
       or TShark.

           token[0:5] ne 0.0.0.1.1
           llc[0] eq aa
           frame[100-199] contains "wireshark"

       The following syntax governs slices:

           [i:j]    i = start_offset, j = length
           [i-j]    i = start_offset, j = end_offset, inclusive.
           [i]      i = start_offset, length = 1
           [:j]     start_offset = 0, length = j
           [i:]     start_offset = i, end_offset = end_of_field

       Offsets can be negative, in which case they indicate the offset from
       the end of the field. The last byte of the field is at offset -1, the
       last but one byte is at offset -2, and so on. Here's how to check the
       last four bytes of a frame:

           frame[-4:4] == 0.1.2.3

       or

           frame[-4:] == 0.1.2.3

       A slice is always compared against either a string or a byte sequence.
       As a special case, when the slice is only 1 byte wide, you can compare
       it against a hex integer that is 0xff or less (which means it fits
       inside one byte). This is not allowed for byte sequences greater than
       one byte, because then one would need to specify the endianness of the
       multi-byte integer. Also, this is not allowed for decimal numbers,
       since they would be confused with hex numbers that are already allowed
       as byte strings. Nevertheless, single-byte hex integers can be
       convenient:

           frame[4] == 0xff

       Slices can be combined. You can concatenate them using the comma
       operator:

           ftp[1,3-5,9:] == 01:03:04:05:09:0a:0b

       This concatenates offset 1, offsets 3-5, and offset 9 to the end of the
       ftp data.

   The membership operator
       A field may be checked for matches against a set of values simply with
       the membership operator. For instance, you may find traffic on common
       HTTP/HTTPS ports with the following filter:

           tcp.port in {80, 443, 8080}

       as opposed to the more verbose:

           tcp.port == 80 or tcp.port == 443 or tcp.port == 8080

       To find HTTP requests using the HEAD or GET methods:

           http.request.method in {"HEAD", "GET"}

       The set of values can also contain ranges:

           tcp.port in {443, 4430..4434}
           ip.addr in {10.0.0.5 .. 10.0.0.9, 192.168.1.1..192.168.1.9}
           frame.time_delta in {10 .. 10.5}

   Type conversions
       If a field is a text string or a byte array, it can be expressed in
       whichever way is most convenient.

       So, for instance, the following filters are equivalent:

           http.request.method == "GET"
           http.request.method == 47.45.54

       A range can also be expressed in either way:

           frame[60:2] gt 50.51
           frame[60:2] gt "PQ"

   Bit field operations
       It is also possible to define tests with bit field operations.
       Currently the following bit field operation is supported:

           bitwise_and, &        Bitwise AND

       The bitwise AND operation allows testing to see if one or more bits are
       set. Bitwise AND operates on integer protocol fields and slices.

       When testing for TCP SYN packets, you can write:

           tcp.flags & 0x02

       That expression will match all packets that contain a "tcp.flags" field
       with the 0x02 bit, i.e. the SYN bit, set.

       Similarly, filtering for all WSP GET and extended GET methods is
       achieved with:

           wsp.pdu_type & 0x40

       When using slices, the bit mask must be specified as a byte string, and
       it must have the same number of bytes as the slice itself, as in:

           ip[42:2] & 40:ff

   Logical expressions
       Tests can be combined using logical expressions. These too are
       expressible in C-like syntax or with English-like abbreviations:

           and, &&   Logical AND
           or,  ||   Logical OR
           not, ! Logical NOT

       Expressions can be grouped by parentheses as well. The following are
       all valid display filter expressions:

           tcp.port == 80 and ip.src == 192.168.2.1
           not llc
           http and frame[100-199] contains "wireshark"
           (ipx.src.net == 0xbad && ipx.src.node == 0.0.0.0.0.1) || ip

       Remember that whenever a protocol or field name occurs in an
       expression, the "exists" operator is implicitly called. The "exists"
       operator has the highest priority. This means that the first filter
       expression must be read as "show me the packets for which tcp.port
       exists and equals 80, and ip.src exists and equals 192.168.2.1". The
       second filter expression means "show me the packets where not exists
       llc", or in other words "where llc does not exist" and hence will match
       all packets that do not contain the llc protocol. The third filter
       expression includes the constraint that offset 199 in the frame exists,
       in other words the length of the frame is at least 200.

       Each comparison has an implicit exists test for any field value. Care
       must be taken when using the display filter to remove noise from the
       packet trace. If, for example, you want to filter out all IP multicast
       packets to address 224.1.2.3, then using:

           ip.dst ne 224.1.2.3

       may be too restrictive. This is the same as writing:

           ip.dst and ip.dst ne 224.1.2.3

       The filter selects only frames that have the "ip.dst" field. Any other
       frames, including all non-IP packets, will not be displayed. To display
       the non-IP packets as well, you can use one of the following two
       expressions:

           not ip.dst or ip.dst ne 224.1.2.3
           not ip.dst eq 224.1.2.3

       The first filter uses "not ip.dst" to include all non-IP packets and
       then lets "ip.dst ne 224.1.2.3" filter out the unwanted IP packets. The
       second filter also negates the implicit existance test and so is a
       shorter way to write the first.

FILTER FIELD REFERENCE
       The entire list of display filters is too large to list here. You can
       can find references and examples at the following locations:

       o   The online Display Filter Reference:
           https://www.wireshark.org/docs/dfref/

       o   View:Internals:Supported Protocols in Wireshark

       o   tshark -G fields on the command line

       o   The Wireshark wiki:
           https://gitlab.com/wireshark/wireshark/-/wikis/DisplayFilters


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------+---------------------------------------+
       |ATTRIBUTE TYPE |           ATTRIBUTE VALUE             |
       +---------------+---------------------------------------+
       |Availability   | diagnostic/wireshark/wireshark-common |
       +---------------+---------------------------------------+
       |Stability      | Uncommitted                           |
       +---------------+---------------------------------------+

NOTES
       The wireshark-filter(4) manpage is part of the Wireshark distribution.
       The latest version of Wireshark can be found at
       https://www.wireshark.org.

       Regular expressions in the "matches" operator are provided by GRegex in
       GLib. See
       https://developer-old.gnome.org/glib/stable/glib-regex-syntax.html or
       https://www.pcre.org/ for more information.

       This manpage does not describe the capture filter syntax, which is
       different. See the manual page of pcap-filter(7) or, if that doesn't
       exist, tcpdump(8), or, if that doesn't exist,
       https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters for a
       description of capture filters.

       Display Filters are also described in the User's Guide:
       https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html

       Source code for open source software components in Oracle Solaris can
       be found at https://www.oracle.com/downloads/opensource/solaris-source-
       code-downloads.html.

       This software was built from source available at
       https://github.com/oracle/solaris-userland. The original community
       source was downloaded from  http://www.wireshark.org/download/src/all-
       versions/wireshark-3.6.6.tar.xz.

       Further information about this software can be found on the open source
       community website at http://www.wireshark.org/.

SEE ALSO
       wireshark(1), tshark(1), editcap(1), pcap(3), pcap-filter(7) or
       tcpdump(8) if it doesn't exist.

AUTHORS
       See the list of authors in the Wireshark man page for a list of authors
       of that code.



                                                           WIRESHARK-FILTER(4)