This is a static archive of our old Q&A Site. Please post any new questions and answers at

Search by specific bit in data field


Hi, I am looking for a filter expression that will enable search per specific bit in data field. Do you have any idea?

asked 12 Jun '13, 06:27


accept rate: 0%

3 Answers:


I assume you are looking for a display filter. You can check for a specific bit value by using the "&" operator. For instance, if I want to see all packets with the SYN flag set, I can use the filter "tcp.flags&2". It will look at the second LSB of the TCP flags field and check whether the bit is set. If you don't want to see the SYN nor SYN/ACK packets, you can use "!tcp.flags&2".

Here are some more examples, as I do not know in which part of the data you want to look:


(please note that the filters above are completely random)

In which data field do you need to test a bit value?

answered 12 Jun '13, 06:49


SYN-bit ♦♦
accept rate: 20%


You can use[index] to filter on bytes in the data section e.g.[0]==05. If you want to go down to the bit layer you'd have to use multiple expressions like that to specify the ranges. Edit: Or use SYN-Bit's method ;)

e.g. first bit in data section == 1 -->[0] can have a range from 80 to FF (1000 0000 to 1111 1111) -->[0] >= 80

answered 12 Jun '13, 06:53


accept rate: 28%

edited 12 Jun '13, 06:56


Assuming a display filter is required, you can use the logical and to mask out the bit you're interested in, e.g.

prot.field & 0x80

to mask out the top bit of a field.

answered 12 Jun '13, 07:06


grahamb ♦
accept rate: 22%

Oops too slow.

(12 Jun '13, 07:07) grahamb ♦
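
Added example (not part of the original thread, and not Wireshark code): the Python sketch below compares the two approaches from the answers above, the "&" mask test and the byte-value ranges, by computing for each bit of a byte the value ranges in which that bit is set. The function names and the sample payload are made up for illustration.

```python
# Works on plain byte values only; it does not call Wireshark or tshark.

def bit_set(value, mask):
    """Mask test: the same check a display filter does with `field & mask`."""
    return (value & mask) != 0

def ranges_for_bit(bit):
    """Inclusive byte-value ranges (lo, hi) in which `bit` (0 = LSB) is set."""
    mask = 1 << bit
    ranges, start = [], None
    for value in range(256):
        if bit_set(value, mask):
            if start is None:
                start = value              # a new run of matching values begins
        elif start is not None:
            ranges.append((start, value - 1))
            start = None
    if start is not None:                  # run that extends to 0xFF
        ranges.append((start, 0xFF))
    return ranges

def in_ranges(value, ranges):
    """Range test: true if value falls in any (lo, hi) range."""
    return any(lo <= value <= hi for lo, hi in ranges)

def matching_offsets(payload, mask):
    """Offsets of payload bytes that have the masked bit set."""
    return [i for i, b in enumerate(payload) if bit_set(b, mask)]

# Constructed sample payload, not taken from a real capture.
SAMPLE = bytes.fromhex("0580ff7f0242")

if __name__ == "__main__":
    for bit in (7, 6, 1, 0):
        r = ranges_for_bit(bit)
        # Both tests must agree for every possible byte value.
        assert all(bit_set(v, 1 << bit) == in_ranges(v, r) for v in range(256))
        shown = ", ".join("%02X-%02X" % p for p in r[:3])
        more = " ..." if len(r) > 3 else ""
        print("bit %d (mask 0x%02X): %d range(s): %s%s"
              % (bit, 1 << bit, len(r), shown, more))
    print("offsets with top bit set:", matching_offsets(SAMPLE, 0x80))
```

The top bit needs a single range (80 to FF), but the number of ranges doubles with each lower bit, which is why the mask form is the practical choice for anything other than the most significant bit.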