This is our old Q&A Site. Please post any new questions and answers at

With the "Wireshark: Capture Options" dialog, I'm trying to use a custom "Capture Filter"

I want to capture reset packets only (display filter equivalent: tcp.flags.reset ==1)

asked 13 Dec '11, 09:18

Peter_Clark's gravatar image

accept rate: 0%

On older versions of UN*X, the command man tcpdump will give, among other things, documentation about capture filters; on newer versions, man pcap-filter will give that documentation.

The key part is

   expr relop expr
          True  if the relation holds, where relop is one of >, <, >=, <=,
          =, !=, and expr is an arithmetic expression composed of  integer
          constants  (expressed  in  standard C syntax), the normal binary
          operators [+, -, *, /, &, |, <<, >>],  a  length  operator,  and
          special  packet  data  accessors.  Note that all comparisons are
          unsigned, so that, for example, 0x80000000 and 0xffffffff are  >
          0.  To access data inside the packet, use the following syntax:
               proto [ expr : size ]
          Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp,
          rarp, tcp, udp, icmp, ip6 or radio, and indicates  the  protocol
          layer  for  the  index  operation.  (ether, fddi, wlan, tr, ppp,
          slip and link all refer to the link layer. radio refers  to  the
          "radio  header"  added to some 802.11 captures.)  Note that tcp,
          udp and other upper-layer protocol types only apply to IPv4, not
          IPv6 (this will be fixed in the future).  The byte offset, rela-
          tive to the indicated protocol layer, is given by expr.  Size is
          optional  and  indicates  the  number  of  bytes in the field of
          interest; it can be either one, two, or four,  and  defaults  to
          one.   The  length operator, indicated by the keyword len, gives
          the length of the packet.

          For example, `ether[0] & 1 != 0' catches all multicast  traffic.
          The  expression `ip[0] & 0xf != 5' catches all IPv4 packets with
          options.  The expression `ip[6:2] & 0x1fff  =  0'  catches  only
          unfragmented  IPv4  datagrams  and  frag zero of fragmented IPv4
          datagrams.  This check is implicitly applied to the tcp and  udp
          index  operations.   For instance, tcp[0] always means the first
          byte of the TCP header, and never means the  first  byte  of  an
          intervening fragment.

          Some  offsets  and field values may be expressed as names rather
          than as numeric values.  The  following  protocol  header  field
          offsets  are  available:  icmptype  (ICMP  type field), icmpcode
          (ICMP code field), and tcpflags (TCP flags field).

          The following ICMP type field values are available: icmp-echore-
          ply,  icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo,
          icmp-routeradvert,  icmp-routersolicit,   icmp-timxceed,   icmp-
          paramprob,  icmp-tstamp,  icmp-tstampreply, icmp-ireq, icmp-ire-
          qreply, icmp-maskreq, icmp-maskreply.

          The following TCP flags field  values  are  available:  tcp-fin,
          tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.

In particular, unless Wireshark is using an older version of libpcap/WinPcap, as per the "Some offsets and field values may be expressed as names..." section, filtering for RST packets can be done with tcp[tcpflags] & tcp-rst != 0.

permanent link

answered 13 Dec '11, 10:40

Guy%20Harris's gravatar image

Guy Harris ♦♦
accept rate: 19%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 13 Dec '11, 09:18

question was seen: 22,430 times

last updated: 13 Dec '11, 10:40

p​o​w​e​r​e​d by O​S​Q​A