Wireshark
From TheBeard Science Project Wiki
FILTER SYNTAX:
eq, ==    Equal
ne, !=    Not Equal
gt, >     Greater Than
lt, <     Less Than
ge, >=    Greater than or Equal to
le, <=    Less than or Equal to
contains  Field contains the given string or byte sequence
matches   Field matches a Perl-compatible regular expression (can also be written ~)
EXAMPLES:
tcp
tcp or udp
not arp
!arp
!(arp or dns or stp)
tcp.port == 53
tcp.port in {80 443 8080}
ip.addr == 1.1.1.1
!(ip.addr == 1.1.1.1) - do this instead of "ip.addr != 1.1.1.1". ip.addr carries two values per packet (ip.src and ip.dst); classically "!=" is true if either value differs, so "ip.addr != 1.1.1.1" still shows packets to or from 1.1.1.1 (Wireshark 3.6 changed "!=" to mean no value is equal, but the negated form behaves the same in every version).
ip.src == 1.1.1.1
ip.dst == 1.1.1.1/24
eth.addr == 00:00:00:00:00:00
eth.src == 00:00:00:00:00:00
eth.dst == 00:00:00:00:00:00
ipv6.addr == ::1
http.request.method == "POST"
smb.path contains "\\\\SERVER\\SHARE" - backslashes are escaped inside the quoted string, so this matches the path \\SERVER\SHARE
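The ip.addr example above is easier to see with a small model of how a comparison is evaluated against a field that carries several values per packet. The following Python is an added illustration, not Wireshark's own code: packets and addresses are constructed, any_ne models the classic "any value differs" reading of "!=", and all_ne models the negated form "!(field == x)".

```python
# Added example: model of Wireshark comparison semantics on a multi-valued
# field (ip.addr is both ip.src and ip.dst). Not Wireshark code.
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str

    @property
    def ip_addr(self):
        # ip.addr yields every IPv4 address present in the packet
        return (self.src, self.dst)


# Constructed sample traffic (hypothetical addresses).
PACKETS = [
    Packet("10.0.0.5", "1.1.1.1"),   # 0: sent to 1.1.1.1
    Packet("1.1.1.1", "10.0.0.5"),   # 1: sent from 1.1.1.1
    Packet("10.0.0.5", "10.0.0.9"),  # 2: unrelated to 1.1.1.1
    Packet("1.1.1.1", "1.1.1.1"),    # 3: both addresses are 1.1.1.1
]


def any_eq(values, x):
    """'field == x': true if any value of the field equals x."""
    return any(v == x for v in values)


def any_ne(values, x):
    """Classic 'field != x': true if any value of the field differs from x."""
    return any(v != x for v in values)


def all_ne(values, x):
    """'!(field == x)': true only if no value of the field equals x."""
    return all(v != x for v in values)


def apply_filter(pred, packets=PACKETS):
    """Return the indexes of packets the predicate keeps."""
    return [i for i, p in enumerate(packets) if pred(p)]


def naive_exclude(x="1.1.1.1"):
    """ip.addr != x (any-value-differs reading)."""
    return apply_filter(lambda p: any_ne(p.ip_addr, x))


def correct_exclude(x="1.1.1.1"):
    """!(ip.addr == x)."""
    return apply_filter(lambda p: all_ne(p.ip_addr, x))


if __name__ == "__main__":
    print("ip.addr != 1.1.1.1   keeps:", naive_exclude())
    print("!(ip.addr == 1.1.1.1) keeps:", correct_exclude())
```

The naive filter still keeps packets 0 and 1, which involve 1.1.1.1 on one side; only packet 3, where both sides are 1.1.1.1, drops out. The negated form keeps just packet 2.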
SLICE:
The following syntax governs slices:
[i:j]  i = start_offset, j = length
[i-j]  i = start_offset, j = end_offset, inclusive
[i]    i = start_offset, length = 1
[:j]   start_offset = 0, length = j
[i:]   start_offset = i, end_offset = end_of_field
example: eth.addr[0:3] == 00:00:00 - match first 3 bytes (start on byte 0, count 3 bytes)
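To check the slice forms listed above against real bytes, the following Python evaluates each form over a field's raw bytes and compares the result to a byte literal such as 00:00:00. It is an added example, not Wireshark's parser; the MAC address is constructed, and negative offsets (which Wireshark also accepts) are deliberately not modelled.

```python
# Added example: evaluator for the five slice forms [i:j], [i-j], [i], [:j], [i:]
# over a field's raw bytes. Models the semantics; not Wireshark code.
import re

# Non-negative offsets only; Wireshark's negative (from-end) offsets are not modelled.
_SLICE_RE = re.compile(r"^\[(\d*)([:-]?)(\d*)\]$")


def slice_field(data: bytes, spec: str) -> bytes:
    """Return the bytes selected from data by a Wireshark-style slice spec."""
    m = _SLICE_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad slice spec: {spec!r}")
    a, sep, b = m.groups()
    if sep == "":                       # [i]   single byte at offset i
        if a == "":
            raise ValueError("empty slice")
        i = int(a)
        return data[i:i + 1]
    if sep == "-":                      # [i-j] start and end offset, inclusive
        if a == "" or b == "":
            raise ValueError(f"[i-j] needs both offsets: {spec!r}")
        i, j = int(a), int(b)
        if j < i:
            raise ValueError(f"end offset before start: {spec!r}")
        return data[i:j + 1]
    if a == "" and b == "":             # [:]   whole field
        return data
    if a == "":                         # [:j]  first j bytes
        return data[:int(b)]
    if b == "":                         # [i:]  from offset i to end of field
        return data[int(a):]
    i, n = int(a), int(b)               # [i:j] n bytes starting at offset i
    return data[i:i + n]


def parse_hex_bytes(text: str) -> bytes:
    """Parse a filter byte literal like 00:11:22 (colon, dot or dash separated)."""
    return bytes(int(x, 16) for x in re.split(r"[:.\-]", text))


def slice_eq(data: bytes, spec: str, literal: str) -> bool:
    """Model 'field[spec] == literal'."""
    return slice_field(data, spec) == parse_hex_bytes(literal)


# Constructed sample value for eth.addr.
MAC = parse_hex_bytes("00:11:22:33:44:55")

if __name__ == "__main__":
    for spec in ("[0:3]", "[1-2]", "[5]", "[:2]", "[4:]"):
        print(spec, slice_field(MAC, spec).hex(":"))
    print('eth.addr[0:3] == 00:11:22 ->', slice_eq(MAC, "[0:3]", "00:11:22"))
    print('eth.addr[0:3] == 00:00:00 ->', slice_eq(MAC, "[0:3]", "00:00:00"))
```

The [0:3] form takes a length while [0-2] takes an inclusive end offset; both select the same three bytes here, which is the usual source of confusion when an OUI match is one byte short.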
PREFERENCES:
Edit > Preferences:
Appearance > Columns > + > Add a custom type and put "tcp.port" under Fields.
Appearance > [uncheck] "Confirm unsaved capture files"
Appearance > Main toolbar style = Icons & Text
Protocols > [check] Display hidden protocol items