OSQA is unmaintained. Help us figure out where to go from here.

Hello, I am trying to find where I can see the criteria for the display filters. I looked in the dfilters file but that only contains 17 entries.

For example 'http.' as around 50 filter options, is there a file that defines the criteria that would match each option?

I suppose this would be some offset and some hex value, is there a list of these values for each display filter.

Thank you, GP CC

asked 16 May, 07:07

GP%20CC's gravatar image

GP CC
10235
accept rate: 0%


To be precise, the "file that defines the criteria that would match each [filter]" would be the dissector. That contains the code which creates the nodes in the protocol tree to which the display filter can be applied. There is (a lot of) logic involved in that, interpreting every octet and bit in the frame to find out where what field is. So there is no hard-and-fast rules saying 'at this offset that field can be found and a display filter applied'. (layers of) network protocols are just too complex for that.

permanent link

answered 16 May, 12:08

Jaap's gravatar image

Jaap ♦
11.6k16101
accept rate: 14%

Thank you for the replies and assistance, I was thinking the dissector for each protocol would be a part or maybe all of the answer.

GP CC

(16 May, 13:01) GP CC

There is the on-line reference of all display filters, if that's what you're interested in? With the Gtk version of Wireshark, you can also find the available display filters by navigating through Internals -> Support Protocols (slow!) -> Display Filter Fields, and you can also use tshark to list the fields as well via tshark -G fields.

Probably the easiest way to find out the display filter name is by selecting the field of interest in the packet details pane and then reading the display filter associated with that field in the bottom status bar.

permanent link

answered 16 May, 11:28

cmaynard's gravatar image

cmaynard ♦♦
9.3k938142
accept rate: 20%

1

Oh, and the Qt based interface has them at View | Internal | Supported Protocols.

(16 May, 12:02) Jaap ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×165

question asked: 16 May, 07:07

question was seen: 298 times

last updated: 16 May, 13:01

p​o​w​e​r​e​d by O​S​Q​A