Combining Expressions
Display Filter Logical Operations:
The following table contains the full list of logical operators:
Sr. No. | English | C-like | Description and Example |
---|---|---|---|
1. | and | && | Logical AND, e.g. ip.src==20.0.0.7 and tcp.flags.fin |
2. | or | \|\| | Logical OR, e.g. ip.src==20.0.0.7 or ip.src==192.1.8.1 |
3. | xor | ^^ | Logical XOR, e.g. tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29 |
4. | not | ! | Logical NOT, e.g. not llc |
5. | […] | | Subsequence (slice; see the slice operator below) |
6. | in | | Set membership, e.g. http.request.method in {"HEAD", "GET"} |
Miscellaneous Operators:
The following table contains the list of miscellaneous operators:
Sr. No. | Operator | Description with Example |
---|---|---|
1. | Slice operator | Selects a subsequence of a sequence-valued field in a variety of ways. A pair of brackets [] carrying a comma-separated list of range specifiers is placed after the field name, e.g. eth.src[0:3] == 00:00:83. This example specifies a single range in the n:m form, where n is the starting offset and m is the length of the range. |
2. | Layer operator | The layer operator (#), followed by a decimal number, limits a field to a particular layer of the protocol stack, e.g. ip.addr#2 == 192.168.40.60 matches only the inner (second) IP layer of the packet. For more complex ranges the same syntax as for slices applies, e.g. tcp.port#[2-4] denotes layers 2, 3 or 4 inclusive; the hash symbol is what distinguishes a layer range from a slice. |
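The operators in both tables above, modelled as an added Python example (this is not code from the page or from Wireshark): packets are constructed in-memory layer lists, and the helper names (values, eq, present, in_, and_, or_, xor, not_) are assumptions of this model. It also makes the presence rule from the next section concrete: a bare field name such as tcp.flags.fin only tests that the field exists, so the flag's value is checked with tcp.flags.fin == 1.

```python
# Added example (not Wireshark's code): a toy model of the display-filter
# semantics above. A packet is a constructed list of layer dicts, each with "proto".
def values(pkt, name, layers=None):
    """All values of `name`; a comparison matches if ANY occurrence matches.
    layers=(lo, hi) models the # operator: keep the lo-th..hi-th layer of the
    field's protocol (1-based): ip.addr#2 -> (2, 2), tcp.port#[2-4] -> (2, 4)."""
    proto = name.split(".")[0]
    chosen = [ly for ly in pkt if ly["proto"] == proto]
    if layers is not None:
        lo, hi = layers
        chosen = chosen[lo - 1:hi]
    out = []
    for ly in chosen:
        v = ly.get(name)
        if v is not None:
            out.extend(v if isinstance(v, list) else [v])
    return out

def eq(name, wanted, layers=None, slc=None):
    """name == wanted; slc=(n, m) models the slice name[n:m] (offset n, length m)."""
    def test(pkt):
        for v in values(pkt, name, layers):
            if slc is not None:
                v = v[slc[0]:slc[0] + slc[1]]
            if v == wanted:
                return True
        return False
    return test

def present(name): return lambda pkt: bool(values(pkt, name))   # bare field name: exists
def in_(name, choices, layers=None):                             # set membership: in {...}
    return lambda pkt: any(v in choices for v in values(pkt, name, layers))
def and_(*tests): return lambda pkt: all(t(pkt) for t in tests)  # and / &&
def or_(*tests):  return lambda pkt: any(t(pkt) for t in tests)  # or  / ||
def xor(a, b):    return lambda pkt: a(pkt) != b(pkt)            # xor / ^^
def not_(a):      return lambda pkt: not a(pkt)                  # not / !

# Constructed samples: an IP-in-IP tunnel (two ip layers) and a plain HTTP GET.
TUNNEL = [
    {"proto": "eth", "eth.src": bytes.fromhex("000083112233")},
    {"proto": "ip", "ip.src": "10.0.0.1", "ip.addr": ["10.0.0.1", "10.0.0.2"]},
    {"proto": "ip", "ip.src": "192.168.40.60", "ip.addr": ["192.168.40.60", "20.0.0.7"]},
    {"proto": "tcp", "tcp.port": [443, 51000], "tcp.flags.fin": 1},
]
PLAIN = [
    {"proto": "eth", "eth.src": bytes.fromhex("0a0b0c112233")},
    {"proto": "ip", "ip.src": "20.0.0.7", "ip.addr": ["20.0.0.7", "192.1.8.1"]},
    {"proto": "tcp", "tcp.port": [40000, 80], "tcp.flags.fin": 0},
    {"proto": "http", "http.request.method": "GET"},
]
```

Note that ip.addr == 192.168.40.60 matches the tunnel packet on any layer, while the layer-restricted ip.addr#2 form matches only when the address sits in the inner IP header.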
Steps of Building Display Filter Expressions in Wireshark
Wireshark's display filter language lets you control precisely which packets are displayed. A display filter can test whether a protocol or field is present, check a field's value, or even compare two fields to one another. Complex expressions are built by combining these comparisons with logical operators such as "and" and "or" and with parentheses.