Combining expressions – Lucent Technologies Ethereal User Manual


English  C-like  Description and example

                 frame.pkt_len < 128

ge       >=      Greater than or equal to
                 frame.pkt_len ge 0x100

le       <=      Less than or equal to
                 frame.pkt_len <= 0x20

In addition, all protocol fields are typed. Table 6.3, “Display Filter Field Types” provides a list of the types and examples of how to express them.

Table 6.3. Display Filter Field Types

Type                                              Example

Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit)  You can express integers in decimal, octal, or
                                                  hexadecimal. The following display filters are
                                                  equivalent:

                                                  ip.len le 1500
                                                  ip.len le 02734
                                                  ip.len le 0x5dc

Signed integer (8-bit, 16-bit, 24-bit, 32-bit)

Boolean                                           A boolean field is present in the protocol decode
                                                  only if its value is true. For example,
                                                  tcp.flags.syn is present, and thus true, only if
                                                  the SYN flag is present in a TCP segment header.

                                                  Thus the filter expression tcp.flags.syn will
                                                  select only those packets for which this flag
                                                  exists, that is, TCP segments where the segment
                                                  header contains the SYN flag. Similarly, to find
                                                  source-routed token ring packets, use a filter
                                                  expression of tr.sr.

Ethernet address (6 bytes)                        eth.addr == ff:ff:ff:ff:ff:ff

IPv4 address                                      ip.addr == 192.168.0.1

IPv6 address

IPX network number

String (text)

Double-precision floating point number
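
The typing rules in Table 6.3, as an added example that is not part of the Ethereal manual or Ethereal's own code: a small Python model of how one comparison is evaluated, covering integer literal bases and the presence-only behaviour of boolean fields. The flat per-packet dictionary, the function names and the sample packets are assumptions made for illustration.

```python
import operator

# Comparison operators shown on this page, English and C-like spellings.
OPS = {"<": operator.lt, "ge": operator.ge, ">=": operator.ge,
       "le": operator.le, "<=": operator.le, "==": operator.eq}

def parse_uint(text):
    """Integer literal in decimal, octal (leading 0) or hexadecimal (0x)."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text, 8)
    return int(text, 10)

def matches(filter_text, packet):
    """Evaluate one expression against a decode (assumed: flat dict of fields)."""
    parts = filter_text.split()
    if len(parts) == 1:
        # Bare field name: matches only if the field exists in the decode,
        # which for a boolean field means its value is true.
        return parts[0] in packet
    if len(parts) != 3 or parts[1] not in OPS:
        raise ValueError(f"unsupported filter: {filter_text!r}")
    field, op, literal = parts
    if field not in packet:
        return False  # a field the packet does not carry never matches
    value = packet[field]
    if isinstance(value, int):
        return OPS[op](value, parse_uint(literal))
    return OPS[op](str(value).lower(), literal.lower())

def select(filter_text, packets):
    """Indexes of the packets the filter would display."""
    return [i for i, pkt in enumerate(packets) if matches(filter_text, pkt)]

# Constructed sample decodes; boolean fields appear only when true.
PACKETS = [
    {"frame.pkt_len": 60, "ip.len": 46, "ip.addr": "192.168.0.1", "tcp.flags.syn": True},
    {"frame.pkt_len": 1514, "ip.len": 1500, "ip.addr": "192.168.0.1"},
    {"frame.pkt_len": 1518, "ip.len": 1504, "ip.addr": "10.0.0.7"},
    {"frame.pkt_len": 64, "eth.addr": "ff:ff:ff:ff:ff:ff"},
]

if __name__ == "__main__":
    for f in ("ip.len le 1500", "ip.len le 02734", "tcp.flags.syn",
              "frame.pkt_len ge 0x100", "eth.addr == ff:ff:ff:ff:ff:ff"):
        print(f"{f:32} -> packets {select(f, PACKETS)}")
```

In Ethereal itself ip.addr and eth.addr match either the source or the destination address; the model above stores a single value per field and does not reproduce that.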

6.3.3. Combining expressions

You can combine filter expressions in Ethereal using the logical operators shown in Table 6.4, “Display Filter Logical Operations”

Working with captured packets
