
Ethereal-users: Re: [Ethereal-users] ethereal display filter tcp.flags

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Tue, 25 Jun 2002 13:09:51 -0700
On Tue, Jun 25, 2002 at 03:22:10PM -0400, Gibson, Beth wrote:
>   Does anyone know of a listing of the meanings of the values for the
> display filter, "tcp.flags" ? By trial and error, I figured out a few of
> them (0x04  gets you RST packets;  0x02 gets you SYN packets, etc), but I
> was wondering if there is a complete list available.

As noted, that information is in the TCP RFC, RFC 793.

Note, however, that you can construct display filters in Ethereal using
the GUI - for example, if you click on "Filter:" to the left of the
display filter field at the bottom of the screen, it pops up a dialog
box you can use to construct filters.

If you click on "Add Expression..." in that dialog box, it pops up
another dialog box you can use to construct an expression in a filter.
If you then scroll down to "TCP" and open up the entry for "TCP", it has
entries for

	Urgent
	Acknowledgement
	Push
	Reset
	Syn
	Fin

which are for the URG, ACK, PSH, RST, SYN, and FIN flags.  If you click
on "Push", the "Relation" field offers "is present", "==", and "!=".
"is present" isn't very interesting for the flag, as the flag is always
"present", regardless of whether the value of the flag is 0 (meaning PSH
isn't set) or 1 (meaning PSH is set).

If you click on "==", a new column is displayed; you can click on "Set"
or "Not set", and then click "Accept", which will insert into the
"Filter string:" dialog box, at the current text cursor position, the
expression you've selected.

Alternatively, you could open up the "Flags:" field in a TCP packet and
select one of the flags bits.  If you select the "Push" bit, the
status line at the bottom will display, in the rightmost field

	Push (tcp.flags.push)

indicating that the field you've selected is named "tcp.flags.push".
You could type that into the filter field by hand, or use the right
mouse button or the "Display" menu on the top, and use "Match" to
construct a filter with an expression that tests that field, or add to
the current filter an expression that tests that field, and then apply
the filter, or use "Prepare" to do the first part of that but not apply
the filter (so you can add more stuff to the filter).
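As an added illustration, not part of the original thread: the RFC 793 control-bit values behind the tcp.flags numbers found by trial and error above, decoded from a raw TCP header, together with the two ways of writing the same test as a display filter (a numeric tcp.flags comparison versus the per-bit fields the GUI inserts). Only tcp.flags.push appears in the message; the other per-bit field names are Wireshark's naming for the same bits and are assumed here, and the 20-byte header is constructed sample input.

```python
import struct

# TCP control bits as defined in RFC 793, section 3.1. tcp.flags shows the
# byte holding these bits, so 0x02 is SYN and 0x04 is RST, as in the question.
TCP_FLAGS = {
    "FIN": 0x01,
    "SYN": 0x02,
    "RST": 0x04,
    "PSH": 0x08,
    "ACK": 0x10,
    "URG": 0x20,
}

# Per-bit display filter fields. tcp.flags.push is quoted on the page; the
# remaining names follow Wireshark's naming for the other bits (assumed here).
FIELD_NAMES = {
    "FIN": "tcp.flags.fin",
    "SYN": "tcp.flags.syn",
    "RST": "tcp.flags.reset",
    "PSH": "tcp.flags.push",
    "ACK": "tcp.flags.ack",
    "URG": "tcp.flags.urg",
}

# Constructed sample: a bare SYN from port 40000 to port 80, data offset 5,
# no options. Byte 13 of the header carries the control bits.
SAMPLE_SYN_HEADER = struct.pack("!HHIIBBHHH",
                                40000, 80, 0x12345678, 0, 0x50, 0x02, 0xFFFF, 0, 0)

def flags_from_header(tcp_header: bytes) -> int:
    """Return the flags byte of a raw TCP header (the value tcp.flags shows)."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    return tcp_header[13]

def decode_flags(value: int) -> list:
    """Name the RFC 793 bits set in a tcp.flags value, e.g. 0x12 -> ['SYN', 'ACK']."""
    return [name for name, bit in TCP_FLAGS.items() if value & bit]

def encode_flags(names) -> int:
    """Combine flag names into the numeric tcp.flags value."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name]
    return value

def exact_filter(names) -> str:
    """Filter matching packets whose flags are exactly `names`, e.g. 'tcp.flags == 0x02'."""
    return "tcp.flags == 0x%02x" % encode_flags(names)

def per_bit_filter(set_names, clear_names=()) -> str:
    """Filter in the form the Add Expression dialog inserts: one term per flag bit."""
    terms = ["%s == 1" % FIELD_NAMES[n] for n in set_names]
    terms += ["%s == 0" % FIELD_NAMES[n] for n in clear_names]
    return " && ".join(terms)
```

Note that tcp.flags == 0x02 matches only a bare SYN, whereas tcp.flags.syn == 1 also matches SYN/ACK; the per-bit form needs an explicit tcp.flags.ack == 0 to say the same thing.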