User Guide

Working with captured packets
Often people use a filter string such as ip.addr == 1.2.3.4, which displays all packets containing the IP
address 1.2.3.4.
They then try ip.addr != 1.2.3.4 to see all packets that do not contain the IP address 1.2.3.4. Unfortunately,
this does not do what they expect.
That expression is true even for packets where the source or the destination IP address equals 1.2.3.4. The
reason is that ip.addr != 1.2.3.4 must be read as "the packet contains a field named ip.addr with a value
different from 1.2.3.4". Because an IP datagram contains both a source and a destination address, and ip.addr
matches either of them, the expression evaluates to true whenever at least one of the two addresses differs
from 1.2.3.4. The only IP packets it hides are those whose source and destination are both 1.2.3.4.
If you want to filter out all packets containing IP datagrams to or from IP address 1.2.3.4, the correct filter
is !(ip.addr == 1.2.3.4). It reads "show me all the packets for which it is not true that a field named ip.addr
exists with the value 1.2.3.4", or in other words, "hide every packet that has at least one occurrence of a
field named ip.addr with the value 1.2.3.4". Note that this form also shows packets that carry no IP layer at
all (ARP, for example), because for them the inner comparison can never be true.
Wireshark 4.0 and later changed the meaning of != on fields with several occurrences, so that
ip.addr != 1.2.3.4 is only true when every occurrence differs from 1.2.3.4, which is what most people intend.
The description above applies to the versions this guide covers; the !(ip.addr == 1.2.3.4) form behaves the
same way in all versions.
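To make the difference concrete, the following added example (not Wireshark's own code) models the operator semantics in Python over a constructed five-packet "capture". The field names ip.src, ip.dst and ip.addr are real Wireshark field names; the packet records, the helper functions and the decision that a missing field never satisfies an "all occurrences" test are assumptions of this model. The all_ne function goes slightly beyond the text: it shows the "every occurrence differs" rule that users normally mean when they write !=.

```python
"""Model of how a multi-occurrence field such as ip.addr behaves under the
display-filter operators discussed above.  Added example, not Wireshark's own
code: the packets are constructed records and the operator semantics are a
simplified reimplementation of the rule that a comparison on a field is
evaluated against every occurrence of that field in the packet."""

# Constructed sample "capture" (not real traffic).  Each IP datagram carries
# two occurrences of ip.addr: ip.src and ip.dst.  Packet 5 has no IP layer.
PACKETS = [
    {"no": 1, "ip.src": "1.2.3.4",  "ip.dst": "10.0.0.9"},
    {"no": 2, "ip.src": "10.0.0.9", "ip.dst": "1.2.3.4"},
    {"no": 3, "ip.src": "1.2.3.4",  "ip.dst": "1.2.3.4"},   # both addresses match
    {"no": 4, "ip.src": "10.0.0.9", "ip.dst": "192.0.2.7"},
    {"no": 5, "proto": "arp"},                               # no ip.addr at all
]


def field_values(pkt: dict, name: str) -> list:
    """All occurrences of a field in a packet.  ip.addr is the convenience
    field that matches either ip.src or ip.dst, so it yields both."""
    if name == "ip.addr":
        return [pkt[k] for k in ("ip.src", "ip.dst") if k in pkt]
    return [pkt[name]] if name in pkt else []


def any_eq(pkt: dict, name: str, value: str) -> bool:
    """'name == value': true if at least one occurrence equals value."""
    return any(v == value for v in field_values(pkt, name))


def any_ne(pkt: dict, name: str, value: str) -> bool:
    """'name != value' as described on this page: true if at least one
    occurrence exists and differs from value."""
    return any(v != value for v in field_values(pkt, name))


def not_any_eq(pkt: dict, name: str, value: str) -> bool:
    """'!(name == value)': true when no occurrence equals value, which
    includes packets that have no such field at all."""
    return not any_eq(pkt, name, value)


def all_ne(pkt: dict, name: str, value: str) -> bool:
    """'Every occurrence differs from value'.  This is what people usually
    expect from !=.  Requiring the field to be present is a choice of this
    model (assumption), not something copied from Wireshark."""
    vals = field_values(pkt, name)
    return bool(vals) and all(v != value for v in vals)


def matching(pred, name: str, value: str, packets=PACKETS) -> list:
    """Packet numbers that a filter built from pred keeps."""
    return [p["no"] for p in packets if pred(p, name, value)]


if __name__ == "__main__":
    for label, pred in [("ip.addr == 1.2.3.4", any_eq),
                        ("ip.addr != 1.2.3.4 (any occurrence differs)", any_ne),
                        ("!(ip.addr == 1.2.3.4)", not_any_eq),
                        ("every occurrence differs", all_ne)]:
        print(f"{label:45} -> packets {matching(pred, 'ip.addr', '1.2.3.4')}")
```

Running it shows the point of the section: packets 1 and 2 survive the "any occurrence differs" reading of ip.addr != 1.2.3.4, only packet 3 (both addresses equal) is hidden, while !(ip.addr == 1.2.3.4) keeps just packets 4 and 5. Packet 5 is the ARP frame, which illustrates that the negated form also admits packets with no IP layer; combine it with ip if you only want IP traffic.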
6.5. The "Filter Expression" dialog box
Once you are accustomed to Wireshark's filtering system and know which field names you want to use in your
filters, it is very quick to simply type a filter string. However, if you are new to Wireshark or are
working with a slightly unfamiliar protocol, it can be very confusing to figure out what to type. The
Filter Expression dialog box helps with this.
Tip!
The "Filter Expression" dialog box is an excellent way to learn how to write Wireshark
display filter strings.
Figure 6.7. The "Filter Expression" dialog box
When you first bring up the Filter Expression dialog box you are shown a tree list of field names, organized
by protocol, and a box for selecting a relation.
Field Name Select a protocol field from the protocol field tree. Every protocol with filterable fields
is listed at the top level. (You can search for a particular protocol entry by entering the