Arithmetic operators
Display Filter Arithmetic Operations:
The following table contains the full list of arithmetic operators:
| Sr. No. | Name | Syntax | Description |
|---|---|---|---|
| 1. | Unary minus | -A | Negation of A |
| 2. | Addition | A + B | Add B to A |
| 3. | Subtraction | A – B | Subtract B from A |
| 4. | Multiplication | A * B | Multiply A times B |
| 5. | Division | A / B | Divide A by B |
| 6. | Modulo | A % B | Remainder of A divided by B |
| 7. | Bitwise AND | A & B | Bitwise AND of A and B |
Curly braces are a common way to arrange mathematical expressions.
Functions:
There are several functions to convert fields in the display filter language.
|
Sr. No. |
Function |
Description and Example |
|---|---|---|
|
1. |
upper |
Given string field is converted to uppercase. E.g., upper(http.server) |
|
2. |
lower |
Given string field is converted to lowercase. E.g., lower(http.server) contains “apache”. |
|
3. |
len |
It returns the byte length of a string as output. E.g., len(http.request.uri) > 100 len function outputs the string length value in bytes instead of multibyte characters. |
|
4. |
count |
It returns the number (count) of field occurrences in a frame. E.g., count(ip.addr) > 2 in case of ICMP in which a single packet might contain more number of addresses. |
|
5. |
string |
Given non-string field is converted to a string. E.g., To match odd frame numbers: string(frame.number) matches “[13579]$” |
|
6. |
max |
It returns the maximum value for the arguments. It takes any number of arguments of the same type and returns the maximum (largest) value. E.g., max(tcp.srcport, tcp.dstport) <= 1024 |
|
7. |
min |
It returns the minimum value for the arguments. It takes any number of arguments of the same type and returns the minimum (smallest) value. E.g., min(tcp.srcport, tcp.dstport) <= 1024 |
|
8. |
abs |
It returns the absolute value for the argument. E.g., abs(tcp.srcport) |
Steps of Building Display Filter Expressions in Wireshark
You can precisely manage which packets are displayed with Wireshark’s display filter language. They can be used to determine whether a protocol or field is present, its value, or even to compare two fields to one another. Complex expressions can be created by combining these comparisons with logical operators like “and” and “or” and parentheses.
Contact Us