Display Filter Syntax

Traffic Viewer provides a display filter that enables the user to control which packets are being displayed.
This filter can be used to check the presence or value of a protocol or field.
These comparisons can be combined with logical operators, like and and or, and parentheses into complex expressions.

Display Filter Fields

The simplest display filter is one that displays a single protocol, which means that in order to only display packets containing a particular protocol, it is enough to type the protocol name into the display filter toolbar.

Note

To only display TCP packets, type tcp into the display filter toolbar.
To only display IP packets with options, type ip.opt into the display filter toolbar.

Important

You can filter any protocol that Traffic Viewer supports. (as long as custom columns can be applied to the filter, you can use the filter with those fields)
a full list of possible fields can be accessible in Fields List.

Comparing Values

Display filters can also compare a field to a value using a number of different comparison operators.

Note

To only display packets to the IP address 192.168.0.1, use ip.dst == 192.168.0.1.

Display Filter comparison operators

The different operators that are usable in comparisons are represented in this table.

Literal	Symbol	Description	Example
`eq`	`==`	Equals	`ip.src==10.0.0.5`
`ne`	`!=`	Not Equals	`ip.src!=10.0.0.5`
`gt`	`>`	Greater than	`frame.id > 10`
`lt`	`<`	Less than	`frame.id < 128`
`ge`	`>=`	Greater than or equal to	`frame.id >= 128`
`le`	`<=`	Less than or equal to	`frame.id <= 128`
`sne`	`!==`	Strictly Not Equals	`frame.vlan !== 128`

Important

A packet may have one or more values of a field, so the comparison depends on all the values of the field.
The !== operator is different from != in that:

!== operator is equivalent to the opposite of a == comparison (would return true if the value entered is different than all of the field values).

!= would return true if the value entered is different than any of the field values.

Display Filter Field Types

The field types can be one of the following:

Signed/Unsinged Integer

Can be 8, 16, 24, 32, or 64 bits. You can express integers in decimal, binary, or hexadecimal. The following display filters are equivalent:

ip.len le 16
ip.len le 0b1101
ip.len le 0xd

Ethernet address

6 bytes separated by a colon (:) with one or two bytes between separators:

eth.dst == ff:ff:ff:ff:ff:ff

IPv4 Address

4 decimal values seperated by a point (.) with each value something between 0 and 255:

ip.addr == 192.168.0.1

IPv6 Address

full or abbreviated IPv6 address:

ipv6.addr == 2001:0db8:85a3:0000:0000:8a2e:0370:7334

Text string

A text value between apostrophe ' or quotation marks ":

frame.src == "ECU_1"

Combining Expressions

You can combine filter expressions using the logical operators:

Literal	Symbol	Description	Example
`and`	`&&`	Logical AND	`ip.src==10.0.0.5 and tcp`
`or`	`\|\|`	Logical OR	`ip.src==10.0.0.5 or tcp`
`xor`	`^^`	Logical XOR	`ip.src==10.0.0.5 xor tcp`
`not`	`!`	Logical not	`!(ip.src==10.0.0.5)`

Filtering on Signals from protocol

Some protocols in ANDi support signals (like CAN protocol which is not supported yet).

The filter syntax needed for these signals would be protocol.signals.signal_name,

where protocol is the protocol name and signal_name is the signal name.

Note

filtering on signals would use the physical value of the signals, if the raw value is needed,

then .raw needs to be added to the filter expression: protocol.signals.signal_name.raw.

Fields List

A list of all accessible fields for the display filter in Traffic Viewer