Building display filter expressions, Display filter fields, Comparing values – Lucent Technologies Ethereal User Manual
6.3. Building display filter expressions
Ethereal provides a simple but powerful display filter language with which you can build quite complex filter expressions. You can compare values in packets as well as combine expressions into more specific expressions. The following sections provide more information on doing this.
Tip!
You will find a lot of Display Filter examples at the Ethereal Wiki Display Filter page.
6.3.1. Display filter fields
Every field in the packet details pane can be used as a filter string; the result is that only the packets in which this field exists are shown. For example, the filter string tcp will show all packets containing the tcp protocol.
A complete list of all filter fields is available through the menu item "Help/Supported Protocols", on the "Display Filter Fields" page of the dialog that opens.
XXX - add some more info here and a link to the statusbar info.
6.3.2. Comparing values
You can build display filters that compare values using a number of different comparison operators. They are shown in Table 6.2, “Display Filter comparison operators”.
Tip!
You can use English and C-like terms in the same way; they can even be mixed in a filter string!
Table 6.2. Display Filter comparison operators

English  C-like  Description and example
eq       ==      Equal
                 ip.addr==10.0.0.5
ne       !=      Not equal
                 ip.addr!=10.0.0.5
gt       >       Greater than
                 frame.pkt_len > 10
lt       <       Less than
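
An added example, not part of the Ethereal manual or its code: a small Python evaluator for single comparisons using the four operators listed above, showing that the English and C-like spellings select the same packets. The packet model, function names and sample packets are constructed for illustration, and it assumes a comparison is true when any occurrence of a field satisfies it, which is why ip.addr!=10.0.0.5 still selects a packet that has 10.0.0.5 as one of its two addresses.

```python
import re

# English and C-like spellings of the four operators listed in Table 6.2.
ALIASES = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<"}
COMPARE = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
# A field name, optionally followed by an operator and a value.
EXPR = re.compile(r"^\s*([\w.]+)\s*(?:(==|!=|>|<|eq|ne|gt|lt)\s*(\S+))?\s*$")

def parse(expr):
    """Return (field, operator, value); operator is None for a bare field."""
    m = EXPR.match(expr)
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    field, op, raw = m.groups()
    if op is None:
        return field, None, None
    return field, ALIASES.get(op, op), int(raw) if raw.isdigit() else raw

def matches(expr, packet):
    """Evaluate one comparison against a packet (dict: field -> list of values)."""
    field, op, value = parse(expr)
    if field not in packet:
        return False              # field absent: never matches
    if op is None:
        return True               # bare field name: existence test
    # Assumption: true if ANY occurrence of the field satisfies the comparison.
    return any(type(v) is type(value) and COMPARE[op](v, value)
               for v in packet[field])

# Constructed sample packets (hypothetical model, not Ethereal's dissector output).
PACKETS = [
    {"frame.pkt_len": [60], "ip.addr": ["10.0.0.5", "10.0.0.9"], "tcp": []},
    {"frame.pkt_len": [8], "ip.addr": ["10.0.0.7", "10.0.0.9"], "udp": []},
    {"frame.pkt_len": [42], "arp": []},
]

def select(expr):
    """Indexes of the sample packets that the filter would display."""
    return [i for i, p in enumerate(PACKETS) if matches(expr, p)]

if __name__ == "__main__":
    for f in ("tcp", "ip.addr eq 10.0.0.5", "ip.addr!=10.0.0.5", "frame.pkt_len > 10"):
        print(f"{f!r:28} -> {select(f)}")
```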