User Guide

Working with captured packets
English   C-like   Description and example
or        ||       Logical OR
                   ip.src==10.0.0.5 or ip.src==192.1.1.1
xor       ^^       Logical XOR
                   tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
not       !        Logical NOT
                   not llc
[...]              Substring Operator
Wireshark allows you to select subsequences of a sequence in rather elaborate
ways. After a label you can place a pair of brackets [] containing a comma
separated list of range specifiers.
eth.src[0:3] == 00:00:83
The example above uses the n:m format to specify a single range. In this case n
is the beginning offset and m is the length of the range being specified.
eth.src[1-2] == 00:83
The example above uses the n-m format to specify a single range. In this case n
is the beginning offset and m is the ending offset.
eth.src[:4] == 00:00:83:00
The example above uses the :m format, which takes everything from the
beginning of a sequence up to (but not including) offset m. It is equivalent to 0:m.
eth.src[4:] == 20:20
The example above uses the n: format, which takes everything from offset n to
the end of the sequence.
eth.src[2] == 83
The example above uses the n format to specify a single range. In this case the
element in the sequence at offset n is selected. This is equivalent to n:1.
eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83
Wireshark allows you to string together single ranges in a comma separated list
to form compound ranges as shown above.
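To make the five range forms and the compound range concrete, here is a small evaluator written for this guide section; it is an added example, not code from Wireshark itself. It assumes a constructed source address of 00:00:83:00:20:20 (chosen so the results match the filters shown above) and applies a comma separated range list to the raw bytes exactly as the text describes: n:m is offset and length, n-m is offset and inclusive ending offset, :m runs from the start, n: runs to the end, and a bare n selects one element.

```python
# Added example (not from the Wireshark User Guide): an evaluator for the
# display-filter substring operator's range specifiers, applied to a
# constructed Ethernet address so the guide's expected values can be checked.

def parse_range(spec, length):
    """Resolve one range specifier into a (start, stop) half-open slice.

    Forms follow the guide: "n:m" (offset, length), "n-m" (offset, inclusive
    ending offset), ":m" (start of sequence up to offset m), "n:" (offset n
    to the end) and "n" (the single element at offset n, same as "n:1").
    """
    spec = spec.strip()
    if ":" in spec:
        left, right = spec.split(":", 1)
        start = int(left) if left else 0
        if right == "":
            stop = length                 # "n:" form
        elif left == "":
            stop = int(right)             # ":m" form, equivalent to 0:m
        else:
            stop = start + int(right)     # "n:m" form, m is a length
    elif "-" in spec:
        left, right = spec.split("-", 1)
        start, stop = int(left), int(right) + 1   # "n-m" form, m inclusive
    else:
        start = int(spec)
        stop = start + 1                  # "n" form
    if not (0 <= start <= stop <= length):
        raise ValueError(f"range {spec!r} is out of bounds for length {length}")
    return start, stop


def apply_ranges(data, range_list):
    """Apply a comma separated range list such as "0:3,1-2,:4,4:,2" to data,
    concatenating the selected sub-sequences in order (a compound range)."""
    out = bytearray()
    for spec in range_list.split(","):
        start, stop = parse_range(spec, len(data))
        out += data[start:stop]
    return bytes(out)


def fmt(b):
    """Render bytes in the colon separated form used by display filters."""
    return ":".join(f"{x:02x}" for x in b)


# Constructed sample address (assumption for this example): 00:00:83:00:20:20
ETH_SRC = bytes.fromhex("000083002020")

if __name__ == "__main__":
    for spec in ("0:3", "1-2", ":4", "4:", "2", "0:3,1-2,:4,4:,2"):
        print(f"eth.src[{spec}] == {fmt(apply_ranges(ETH_SRC, spec))}")
```

Running the script prints each filter from the text together with the value it selects, ending with the twelve byte compound result 00:00:83:00:83:00:00:83:00:20:20:83; the bounds check in parse_range is what a real filter engine also needs, since a range that runs past the end of the field cannot match anything.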
6.4.4. A common mistake
Warning!
Using the != operator on combined expressions such as eth.addr, ip.addr, tcp.port, udp.port and
the like will probably not work as expected!
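The following is an added illustration of that pitfall, not code from the Wireshark User Guide. It models the one rule that causes the surprise: a combined field such as ip.addr stands for every instance of the field in a packet (ip.src and ip.dst), and a comparison is true as soon as any instance satisfies it. The two constructed packets and the helper names (field_values, matches, filter_not_equal, filter_negated_equal) are assumptions made for this example.

```python
# Added example (not from the Wireshark User Guide): a toy model of how a
# comparison against a combined field is evaluated, showing why
# "ip.addr != X" keeps almost every packet while "!(ip.addr == X)" excludes
# the packets that involve X.

def field_values(packet, field):
    """Return every instance of a field in the packet. ip.addr is a combined
    field that expands to both the source and the destination address."""
    if field == "ip.addr":
        return [packet["ip.src"], packet["ip.dst"]]
    return [packet[field]]


def matches(packet, field, op, value):
    """Display-filter semantics: a comparison is true if ANY instance of the
    field satisfies it. For "!=" that means 'some instance differs'."""
    vals = field_values(packet, field)
    if op == "==":
        return any(v == value for v in vals)
    if op == "!=":
        return any(v != value for v in vals)
    raise ValueError(f"unsupported operator {op!r}")


def filter_not_equal(packet, value):
    """Models the filter:  ip.addr != value"""
    return matches(packet, "ip.addr", "!=", value)


def filter_negated_equal(packet, value):
    """Models the filter:  !(ip.addr == value)"""
    return not matches(packet, "ip.addr", "==", value)


# Constructed packets for the demonstration (assumption, not captured data).
PACKETS = [
    {"ip.src": "10.0.0.5", "ip.dst": "192.1.1.1"},   # involves 192.1.1.1
    {"ip.src": "10.0.0.7", "ip.dst": "10.0.0.9"},    # does not involve it
]


def count_matching(filter_fn, value):
    """Number of constructed packets the given filter model keeps."""
    return sum(1 for p in PACKETS if filter_fn(p, value))


if __name__ == "__main__":
    print("ip.addr != 192.1.1.1   keeps", count_matching(filter_not_equal, "192.1.1.1"))
    print("!(ip.addr == 192.1.1.1) keeps", count_matching(filter_negated_equal, "192.1.1.1"))
```

The first packet has a destination of 192.1.1.1, yet ip.addr != 192.1.1.1 still keeps it, because its source address is a field instance that differs from the value; both packets pass. Negating the equality test instead, !(ip.addr == 192.1.1.1), drops every packet in which either address matches, which is what people usually mean.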