Search by specific bit in data field


Hi, I am looking for a filter expression that will enable searching by a specific bit in the data field. Do you have any idea?

asked 12 Jun '13, 06:27

3 Answers:


I assume you are looking for a display filter. You can check for a specific bit value by using the "&" operator. For instance, if I want to see all packets with the SYN flag set, I can use the filter "tcp.flags&2". It will look at the second LSB of the TCP flags field and check whether the bit is set. If you don't want to see the SYN nor SYN/ACK packets, you can use "!tcp.flags&2".

Here are some more examples, as I do not know in which part of the data you want to look:


(please note that the filters above are completely random)

In which data field do you need to test a bit value?

answered 12 Jun '13, 06:49

You can use [index] to filter on bytes in the data section, e.g. [0]==05. If you want to go down to the bit layer you'd have to use multiple expressions like that to specify the ranges. Edit: Or use SYN-Bit's method ;)

e.g. first bit in data section == 1 --> [0] can have a range from 80 to FF (1000 0000 to 1111 1111) --> [0] >= 80

answered 12 Jun '13, 06:53

Assuming a display filter is required, you can use the logical and to mask out the bit you're interested in, e.g.

prot.field & 0x80

to mask out the top bit of a field.

answered 12 Jun '13, 07:06
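The mask and range approaches from the answers above, compared in an added example that is not part of any answer; the field name `data` and the exact filter text it builds are assumptions. It goes beyond the top-bit case to show how many byte ranges the range method needs for other bits, which is why the mask form is usually the practical one.

```python
# Added example: bit tests on one payload byte, mask form vs. range form.
FIELD = "data"  # assumed field name; substitute the field you are filtering on


def bit_mask(bit):
    """Mask for bit 0 (LSB) .. 7 (MSB) of a byte."""
    if not 0 <= bit <= 7:
        raise ValueError("bit must be 0..7")
    return 1 << bit


def mask_filter(index, bit):
    """Mask-style filter text, e.g. data[0] & 80 (slice values are hex)."""
    return f"{FIELD}[{index}] & {bit_mask(bit):02x}"


def ranges_for_bit(bit):
    """Inclusive (low, high) byte ranges in which the given bit is set."""
    mask = bit_mask(bit)
    ranges, start = [], None
    for value in range(257):  # 256 is a sentinel that closes the last run
        is_set = value < 256 and bool(value & mask)
        if is_set and start is None:
            start = value
        elif not is_set and start is not None:
            ranges.append((start, value - 1))
            start = None
    return ranges


def range_filter(index, bit):
    """Range-style filter text built from ranges_for_bit()."""
    parts = [f"({FIELD}[{index}] >= {lo:02x} && {FIELD}[{index}] <= {hi:02x})"
             for lo, hi in ranges_for_bit(bit)]
    return " || ".join(parts)


def bit_is_set(payload, index, bit):
    """Evaluate the mask test on a payload, as the filter would per packet."""
    return bool(payload[index] & bit_mask(bit))


if __name__ == "__main__":
    samples = [bytes.fromhex("05aa"), bytes.fromhex("c100")]  # constructed payloads
    for bit in (7, 6, 0):
        print(mask_filter(0, bit), "|", len(ranges_for_bit(bit)), "range(s)")
    for p in samples:
        print(p.hex(), [bit_is_set(p, 0, b) for b in (7, 6, 0)])
```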

