Wireshark-users: Re: [Wireshark-users] list of display filters?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 25 Jun 2008 17:10:02 -0700

On Jun 25, 2008, at 12:06 PM, Tennis Smith wrote:

How can I figure out all the fields which can be displayed in a protocol?

Either

1) start up Wireshark, click the "Filter:" button, click the "Expression" button in the dialog that pops up, scroll through the "Field name" part of the dialog *that* pops up looking for your protocol, and then click on the triangle to open up the list of named fields for the protocol

or

2) run "tshark -G" and pipe its output to a program such as grep (UN*X, Windows with Cygwin) or find (Windows) searching for a pattern consisting of a tab, the abbreviated name of the protocol, and another tab

or

3) search the rather-large "wireshark-filter(4)" man page for the protocol in question.

(2 could be annoying, given that a lot of command interpreters appear to treat tab as a name completion character or something else special. The output format is also not exactly the most user- friendly, as it's intended to be read by, for example, the script that generates the wireshark-filter man page.)