Wireshark-users: Re: [Wireshark-users] SYN Capture Filter issue
From: Bill Meier <wmeier@xxxxxxxxxxx>
Date: Tue, 17 Feb 2009 13:34:12 -0500
Bland Chuck-CNGR85 wrote:
WS Version 1.0.5 (SVN Rev 26954)

Capture Filter: "tcp[13] & 0x02 = 2" (no quotes)

Attached: small capture file
<<SYN Filter Test.pcap>>

I get mostly SYN packets, but I also get more than a few DCERPC and
TELNET packets that do not have the SYN flag set.

When I examine each datagram, the TCP Flag field is always in the same
place. In the case of the DCERPC and TELNET packets, the flag value is
0x18, so it should fail the filter test.

Is there an explanation or is this a bug in the filter?
On my Windows 1.0.5 Wireshark the above filter expression gives an error message when I try to apply it.

I get:

  The following display filter isn't a valid display filter:
  tcp[13] & 0x02 = 2

(What OS are you using?)

tcp.flags.syn == 1 is a filter which will work.

(See the Wireshark help and the Wireshark wiki for various display filter examples).
I'm not at all an expert on display filter expressions but I suspect that there may be several issues:

& not a valid operator. ??
0x02 not a valid constant ??
=  should be ==      ??

Strangely enough, the following does seem to work on the latest development Wireshark:

  tcp[13] & 2 = 2

Is the fact that a single = works a bug? I don't know ....

Is & now a valid operator?
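An added example, not part of this thread: a small Python script that evaluates the two tests discussed above (the capture filter `tcp[13] & 0x02 = 2` and the display filter `tcp.flags.syn == 1`) against constructed Ethernet/IPv4/TCP frames, so the reader can see that both look at the same bit and that a flags value of 0x18 (PSH, ACK) does not satisfy either one. The frame builder and the helper names are assumptions made for this example; `tcp[13]` is resolved the way a BPF capture filter does it, by skipping the Ethernet header and then the IPv4 header according to its IHL field.

```python
import struct

def build_frame(tcp_flags, ip_options=b""):
    """Constructed Ethernet II + IPv4 + TCP frame with the given TCP flags byte
    (test data for this example, not taken from the capture file in the thread)."""
    eth = b"\x00" * 12 + b"\x08\x00"                   # dst MAC, src MAC, EtherType IPv4
    ihl = 5 + len(ip_options) // 4                     # header length in 32-bit words
    total_len = ihl * 4 + 20
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + ip_options
    # sport, dport, seq, ack, data offset (5 words) << 4, flags, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    return eth + ip + tcp

def tcp_byte(frame, offset):
    """Return tcp[offset] as a BPF capture filter computes it: skip the 14-byte Ethernet
    header, then the IPv4 header using its IHL field, so IP options are handled.
    Returns None when the frame is not IPv4/TCP (the filter would not match it)."""
    if frame[12:14] != b"\x08\x00":
        return None                                    # not IPv4
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:
        return None                                    # IP protocol field is not TCP
    return frame[14 + ihl + offset]

def capture_filter_syn(frame):
    """Equivalent of the capture filter  tcp[13] & 0x02 = 2 ."""
    b = tcp_byte(frame, 13)
    return b is not None and (b & 0x02) == 2

def display_filter_syn(frame):
    """Equivalent of the display filter  tcp.flags.syn == 1 : same bit, addressed by name."""
    b = tcp_byte(frame, 13)
    return b is not None and ((b >> 1) & 1) == 1

if __name__ == "__main__":
    for name, flags in (("SYN", 0x02), ("SYN/ACK", 0x12), ("PSH/ACK", 0x18)):
        f = build_frame(flags)
        print(f"{name:8} flags=0x{flags:02x} capture={capture_filter_syn(f)} "
              f"display={display_filter_syn(f)}")
```

Both filters accept SYN and SYN/ACK (bit 1 set) and reject the 0x18 PSH/ACK frames from the question; a frame whose IPv4 header carries options is still evaluated at the right offset because the IHL field is honoured.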