On older versions of UN*X, the command man tcpdump
will give, among other things, documentation about capture filters; on newer versions, man pcap-filter
will give that documentation.
The key part is
expr relop expr
True if the relation holds, where relop is one of >, <, >=, <=,
=, !=, and expr is an arithmetic expression composed of integer
constants (expressed in standard C syntax), the normal binary
operators [+, -, *, /, &, |, <<, >>], a length operator, and
special packet data accessors. Note that all comparisons are
unsigned, so that, for example, 0x80000000 and 0xffffffff are >
0. To access data inside the packet, use the following syntax:
proto [ expr : size ]
Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp,
rarp, tcp, udp, icmp, ip6 or radio, and indicates the protocol
layer for the index operation. (ether, fddi, wlan, tr, ppp,
slip and link all refer to the link layer. radio refers to the
"radio header" added to some 802.11 captures.) Note that tcp,
udp and other upper-layer protocol types only apply to IPv4, not
IPv6 (this will be fixed in the future). The byte offset, relative
to the indicated protocol layer, is given by expr. Size is
optional and indicates the number of bytes in the field of
interest; it can be either one, two, or four, and defaults to
one. The length operator, indicated by the keyword len, gives
the length of the packet.
For example, `ether[0] & 1 != 0' catches all multicast traffic.
The expression `ip[0] & 0xf != 5' catches all IPv4 packets with
options. The expression `ip[6:2] & 0x1fff = 0' catches only
unfragmented IPv4 datagrams and frag zero of fragmented IPv4
datagrams. This check is implicitly applied to the tcp and udp
index operations. For instance, tcp[0] always means the first
byte of the TCP header, and never means the first byte of an
intervening fragment.
Some offsets and field values may be expressed as names rather
than as numeric values. The following protocol header field
offsets are available: icmptype (ICMP type field), icmpcode
(ICMP code field), and tcpflags (TCP flags field).
The following ICMP type field values are available: icmp-echoreply,
icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo,
icmp-routeradvert, icmp-routersolicit, icmp-timxceed,
icmp-paramprob, icmp-tstamp, icmp-tstampreply, icmp-ireq,
icmp-ireqreply, icmp-maskreq, icmp-maskreply.
The following TCP flags field values are available: tcp-fin,
tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.

In particular, unless Wireshark is using an older version of libpcap/WinPcap, as per the "Some offsets and field values may be expressed as names..." section, filtering for RST packets can be done with `tcp[tcpflags] & tcp-rst != 0'.

answered 13 Dec '11, 10:40
Guy Harris ♦♦
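The following is an added example, not code from the answer above, from tcpdump or from libpcap. It reimplements in plain Python the semantics the quoted man page gives for the `ether[...]', `ip[...]' and `tcp[...]' accessors (offsets relative to the named header, one/two/four-byte unsigned loads, and the implied "IPv4 protocol 6, unfragmented or fragment zero" check behind `tcp[...]') and then evaluates the filters discussed in the answer, including `tcp[tcpflags] & tcp-rst != 0', over constructed Ethernet/IPv4/TCP frames. The frames, function names and MAC addresses are this example's own, and the `ip' accessor assumes an Ethernet link layer (libpcap derives the IP header offset from the capture's link type instead).

```python
"""Evaluate libpcap-style packet data accessor filters over constructed frames.

Added example for the answer above; not code from the post, tcpdump or libpcap.
It models the man page's ether[...], ip[...] and tcp[...] semantics so the
filters discussed there can be checked without a capture.  Function names and
sample frames are this example's own.
"""
import struct

# Named offsets and values listed in the man page excerpt.
TCPFLAGS = 13                       # offset of the flags byte in the TCP header
TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04
TCP_PUSH, TCP_ACK, TCP_URG = 0x08, 0x10, 0x20
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _load(buf, off, size=1):
    """proto[off:size] semantics: unsigned big-endian load of 1, 2 or 4 bytes.
    A load that runs past the data makes the whole filter false, hence None."""
    if size not in (1, 2, 4) or off < 0 or off + size > len(buf):
        return None
    return int.from_bytes(buf[off:off + size], "big")


def ether(frame, off, size=1):
    """ether[off:size]: offset relative to the start of the Ethernet header."""
    return _load(frame, off, size)


def _ipv4_header(frame):
    """(start, header length) of the IPv4 header, or None if not IPv4 over Ethernet."""
    if ether(frame, 12, 2) != ETHERTYPE_IPV4:
        return None
    vhl = _load(frame, 14)
    if vhl is None or vhl >> 4 != 4:
        return None
    return 14, (vhl & 0x0F) * 4


def ip(frame, off, size=1):
    """ip[off:size]: offset relative to the start of the IPv4 header."""
    hdr = _ipv4_header(frame)
    return None if hdr is None else _load(frame, hdr[0] + off, size)


def tcp(frame, off, size=1):
    """tcp[off:size]: offset relative to the TCP header, which begins IHL*4 bytes
    into the IPv4 header.  Per the man page the index only applies to protocol 6
    and to unfragmented datagrams or fragment zero (ip[6:2] & 0x1fff = 0)."""
    hdr = _ipv4_header(frame)
    frag = ip(frame, 6, 2)
    if hdr is None or ip(frame, 9) != IPPROTO_TCP or frag is None or frag & 0x1FFF:
        return None
    start, ihl = hdr
    return _load(frame, start + ihl + off, size)


# The filters from the answer, written against the accessors above.
def is_multicast(frame):               # ether[0] & 1 != 0
    v = ether(frame, 0)
    return v is not None and v & 1 != 0


def has_ip_options(frame):             # ip[0] & 0xf != 5
    v = ip(frame, 0)
    return v is not None and v & 0x0F != 5


def is_unfragmented_or_frag0(frame):   # ip[6:2] & 0x1fff = 0
    v = ip(frame, 6, 2)
    return v is not None and v & 0x1FFF == 0


def is_tcp_rst(frame):                 # tcp[tcpflags] & tcp-rst != 0
    v = tcp(frame, TCPFLAGS)
    return v is not None and v & TCP_RST != 0


# Constructed sample frames (no checksums, no payload); not captured traffic.
UNICAST_MAC = bytes.fromhex("0242ac110001")
MULTICAST_MAC = bytes.fromhex("01005e000001")
SRC_MAC = bytes.fromhex("0242ac110002")


def build_frame(dst_mac, tcp_flags, frag_field=0, ip_options=b""):
    """Ethernet/IPv4/TCP frame.  frag_field is the raw 16-bit flags+offset word;
    ip_options must be a multiple of 4 bytes (e.g. four NOPs, b'\\x01' * 4)."""
    ihl = 5 + len(ip_options) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp_hdr),
                         0x1234, frag_field, 64, IPPROTO_TCP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    return dst_mac + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + tcp_hdr


def build_arp_frame(dst_mac):
    """Non-IPv4 frame: every ip[...] and tcp[...] filter must be false on it."""
    return dst_mac + SRC_MAC + b"\x08\x06" + b"\x00" * 28


if __name__ == "__main__":
    samples = {
        "rst/ack":            build_frame(UNICAST_MAC, TCP_RST | TCP_ACK),
        "syn":                build_frame(UNICAST_MAC, TCP_SYN),
        "rst, non-first frag": build_frame(UNICAST_MAC, TCP_RST, frag_field=0x0010),
        "rst, ip options":    build_frame(MULTICAST_MAC, TCP_RST, ip_options=b"\x01" * 4),
        "arp":                build_arp_frame(MULTICAST_MAC),
    }
    for name, f in samples.items():
        print(f"{name:20} multicast={is_multicast(f)!s:5} ipopts={has_ip_options(f)!s:5} "
              f"frag0={is_unfragmented_or_frag0(f)!s:5} rst={is_tcp_rst(f)}")
```

The "rst, non-first frag" sample is the case the man page calls out: the bytes after its IPv4 header carry a flags byte with RST set, yet `tcp[tcpflags] & tcp-rst != 0' does not match it, because `tcp[0]' never refers to a byte of an intervening fragment. The "rst, ip options" sample shows why `tcp[...]' must be computed from the IHL field rather than a fixed offset 34: with a 24-byte IPv4 header the flags byte sits at offset 51, and `tcp[0:2]' still reads the source port.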