When you are accustomed to Wireshark's filtering system and know which field names you want to use in your filters, it can be very quick to simply type a filter string. However, if you are new to Wireshark or are working with a slightly unfamiliar protocol, it can be very confusing to figure out what to type. The Filter Expression dialog box helps with this.
| Tip! |
|---|
| The "Filter Expression" dialog box is an excellent way to learn how to write Wireshark display filter strings. |
When you first bring up the Filter Expression dialog box you are shown a tree list of field names, organized by protocol, and a box for selecting a relation.
- Field Name: Select a protocol field from the protocol field tree. Every protocol with filterable fields is listed at the top level. (You can search for a particular protocol entry by entering the first few letters of the protocol name.) By clicking on the "+" next to a protocol name you can get a list of the field names available for filtering for that protocol.
- Relation: Select a relation from the list of available relations. The "is present" relation is a unary relation which is true if the selected field is present in a packet. All other listed relations are binary relations which require additional data (e.g. a Value to match) to complete.

When you select a field from the field name list and select a binary relation (such as the equality relation ==) you will be given the opportunity to enter a value, and possibly some range information.

- Value: You may enter an appropriate value in the Value text box. The Value box will also indicate the type of value for the field name you have selected (like character string).
- Predefined values: Some of the protocol fields have predefined values available, much like enums in C. If the selected protocol field has such values defined, you can choose one of them here.
- Range: XXX - add an explanation here!
- OK: When you have built a satisfactory expression click OK and a filter string will be built for you.
- Cancel: You can leave the Add Expression... dialog box without any effect by clicking the Cancel button.
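The dialog combines a field name, a relation and (for binary relations) a value into a filter string. The following is an added example, not code from the Wireshark project, that composes such strings the same way and rejects the combinations the dialog would not allow; the field names and sample values in it are assumptions chosen for illustration.

```python
# Added example (not from the Wireshark User's Guide): build a display filter
# string from a field name, a relation and an optional value, as the Filter
# Expression dialog does. Field names used in the tests are assumed examples.

UNARY = {"is present"}
BINARY = {"==", "!=", ">", "<", ">=", "<=", "contains", "matches"}


def render_value(value, kind):
    """Render a value for the field type; character strings are double-quoted."""
    if kind == "string":
        # Escape backslashes and embedded quotes inside the quoted string.
        text = str(value).replace("\\", "\\\\").replace('"', '\\"')
        return f'"{text}"'
    return str(value)


def build_expression(field, relation, value=None, kind="number"):
    """Return one comparison such as 'tcp.port == 443' or a bare field name."""
    if not field or any(c.isspace() for c in field):
        raise ValueError("field name must be a single token such as ip.addr")
    if relation in UNARY:
        if value is not None:
            raise ValueError(f"{relation!r} takes no value")
        return field  # 'is present' is expressed as the bare field name
    if relation not in BINARY:
        raise ValueError(f"unknown relation {relation!r}")
    if value is None:
        raise ValueError(f"{relation!r} needs a value")
    return f"{field} {relation} {render_value(value, kind)}"


def combine(expressions, op="&&"):
    """Join several comparisons with && or ||, parenthesising each part."""
    if op not in ("&&", "||"):
        raise ValueError("op must be && or ||")
    return f" {op} ".join(f"({e})" for e in expressions)


if __name__ == "__main__":
    # Constructed usage: a filter for DNS queries naming a chosen host.
    print(combine([build_expression("dns.qry.name", "is present"),
                   build_expression("dns.qry.name", "contains",
                                    "example", kind="string")]))
```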