ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-users: Re: [Wireshark-users] SYN Capture Filter issue

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Bland Chuck-CNGR85" <Chuck.Bland@xxxxxxxxxxxx>
Date: Tue, 17 Feb 2009 13:54:00 -0500
"I get:The following display filter isn't a valid display filter:
tcp[13] & 0x02 = 2" 

As you should. You put CATURE FILTER syntax in the DISPLAY FILTER spec.
Please note I spec'd a capture filter.

"(What OS are you using ?)"

Win XP Pro

"tcp.flags.syn == 1  is a filter which will work."

Yes, that does work, if I want to use a display filter.

Chuck

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Bill Meier
Sent: Tuesday, February 17, 2009 10:34 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] SYN Capture Filter issue

Bland Chuck-CNGR85 wrote:
> WS Version 1.0.5 (SVN Rev 26954)
> 
> Capture Filter: "tcp[13] & 0x02 = 2" (no quotes)
> 
> Attached: small capture file
>  <<SYN Filter Test.pcap>>
> I get mostly SYN packets, but I also get more than a few DCERPC and 
> TELNET packets that do not have the SYN flag set.
> 
> When I examine each datagram, the TCP Flag field is always in the same

> place. In the case of the DCERPC and TELNET packets, the flag value is

> 0x18, so it should fail the filter test.
> 
> Is there an explanation or is this a bug in the filter?
> 


On my Windows 1.0.5 Wireshark the above filter expression gives an error
message when I try to apply it.

I get:

   The following display filter isn't a valid display filter:
   tcp[13] & 0x02 = 2

(What OS are you using ?)

tcp.flags.syn == 1  is a filter which will work.

(See the Wireshark help and the Wireshark wiki for various display
filter examples).


I'm not at all an expert on display filter expressions but I suspect 
that there may be several issues:

& not a valid operator. ??
0x02 not a valid constant ??
=  should be ==      ??

Strangely enough, the following does seem to work on the latest 
development Wireshark:

   tcp[13] & 2 = 2

Is the fact that a single = works a bug ?   I don't know ....

is & now a valid operator ?



________________________________________________________________________
___
Sent via:    Wireshark-users mailing list
<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
 
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube