https://beardedmaker.com/wiki/index.php?action=history&feed=atom&title=Wireshark
Wireshark - Revision history
2026-04-26T23:03:53Z
Revision history for this page on the wiki
MediaWiki 1.27.4
https://beardedmaker.com/wiki/index.php?title=Wireshark&diff=2524&oldid=prev
Beard at 18:15, 7 June 2018
2018-06-07T18:15:36Z
<p></p>
<p><b>New page</b></p><div><br />
FILTER SYNTAX:<br />
<br />
<pre><br />
eq, == Equal<br />
ne, != Not Equal<br />
gt, > Greater Than<br />
lt, < Less Than<br />
ge, >= Greater than or Equal to<br />
le, <= Less than or Equal to<br />
<br />
eq, == Equal<br />
ne, != Not Equal<br />
gt, > Greater Than<br />
lt, < Less Than<br />
ge, >= Greater than or Equal to<br />
le, <= Less than or Equal to<br />
<br />
contains<br />
matches<br />
</pre><br />
<br />
EXAMPLES:<br />
<br />
<pre><br />
tcp<br />
tcp or udp<br />
not arp<br />
!arp<br />
!(arp or dns or stp)<br />
tcp.port == 53<br />
tcp.port in {80 443 8080}<br />
ip.addr == 1.1.1.1<br />
!(ip.addr == 1.1.1.1) - do this instead of "ip.addr != 1.1.1.1"<br />
ip.src == 1.1.1.1<br />
ip.dst == 1.1.1.1/24<br />
eth.addr == 00:00:00:00:00:00<br />
eth.src == 00:00:00:00:00:00<br />
eth.dst == 00:00:00:00:00:00<br />
ipv6.addr == ::1<br />
<br />
http.request.method == "POST"<br />
smb.path contains "\\\\SERVER\\SHARE"<br />
</pre><br />
<br />
SLICE:<br />
<br />
The following syntax governs slices:<br />
[i:j] i = start_offset, j = length<br />
[i-j] i = start_offset, j = end_offset, inclusive.<br />
[i] i = start_offset, length = 1<br />
[:j] start_offset = 0, length = j<br />
[i:] start_offset = i, end_offset = end_of_field<br />
<br />
example:<br />
eth.addr[0:3] == 00:00:00 - match first 3 bytes (start on byte 0, count 3 bytes)<br />
<br />
<br />
PREFERENCES:<br />
<br />
Appearance > Columns > + > Add a custom type and put "tcp.port" under Fields.<br />
Appearance > [uncheck] "Confirm unsaved capture files"<br />
Appearance > Main toolbar style = Icons & Text<br />
Protocols > [check] Display hidden protocol items</div>
Beard