Wireshark-users: Re: [Wireshark-users] list of display filters?
From: Guy Harris <[email protected]>
Date: Wed, 25 Jun 2008 17:10:02 -0700
On Jun 25, 2008, at 12:06 PM, Tennis Smith wrote:

> How can I figure out all the fields which can be displayed in a protocol?

1) start up Wireshark, click the "Filter:" button, click the "Expression" button in the dialog that pops up, scroll through the "Field name" part of the dialog *that* pops up looking for your protocol, and then click on the triangle to open up the list of named fields for the protocol

2) run "tshark -G" and pipe its output to a program such as grep (UN*X, Windows with Cygwin) or find (Windows) searching for a pattern consisting of a tab, the abbreviated name of the protocol, and another tab

3) search the rather-large "wireshark-filter(4)" man page for the protocol in question.

(2 could be annoying, given that a lot of command interpreters appear to treat tab as a name completion character or something else special. The output format is also not exactly the most user-friendly, as it's intended to be read by, for example, the script that generates the wireshark-filter man page.)
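
An added example, not part of the original message: one way to do option 2 without typing a literal tab is to let awk split the "tshark -G" output on tabs and compare the protocol column exactly. It assumes the tab-separated record layout F, name, abbreviation, type, parent protocol abbreviation; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: list one protocol's filterable fields from "tshark -G"-style
# output without typing a literal tab at the prompt.
# Assumed record layout (tab-separated):
#   F <name> <abbreviation> <type> <parent protocol abbreviation> ...
# Records for protocols themselves start with P and are skipped.

# fields_for_proto PROTO
# Reads records on stdin and prints "abbreviation<TAB>type<TAB>name" for every
# field whose parent protocol is exactly PROTO.
# Returns 0 if at least one field matched, 1 if none did, 2 on a usage error.
fields_for_proto() {
    if [ -z "${1:-}" ]; then
        echo "usage: fields_for_proto PROTO" >&2
        return 2
    fi
    # -F '\t' makes awk split on tabs, so the shell never sees a raw tab.
    awk -F '\t' -v proto="$1" '
        $1 == "F" && $5 == proto {
            printf "%s\t%s\t%s\n", $3, $4, $2
            found = 1
        }
        END { exit !found }   # non-zero when the protocol name matched nothing
    '
}

# Constructed sample records in the assumed layout (not real tshark output).
sample_records() {
    printf 'P\tTransmission Control Protocol\ttcp\n'
    printf 'F\tSource Port\ttcp.srcport\tFT_UINT16\ttcp\tBASE_DEC\t0x0\t\n'
    printf 'F\tDestination Port\ttcp.dstport\tFT_UINT16\ttcp\tBASE_DEC\t0x0\t\n'
    printf 'F\tSource Port\tudp.srcport\tFT_UINT16\tudp\tBASE_DEC\t0x0\t\n'
    printf 'F\tTCP over foo\tfoo.tcp\tFT_BOOLEAN\tfoo\t\t0x0\t\n'
}

# Offline run against the constructed records.
sample_records | fields_for_proto tcp

# Against a live install, the same function reads the real list:
#   tshark -G | fields_for_proto tcp
```

Because the comparison is an exact match on the protocol column, a mistyped protocol name produces no output and a non-zero exit status rather than a partial match.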