Also: For future reference:
You can determine the "filter name" of any particular field by clicking
on the field in the Packet Details window and then looking on the
left-hand side of the status bar (at the bottom) to see the field name.
EG: for a frame with a DNS "no such name" reply, expand the Flags field
within the DNS payload, then click on the 'Reply Code' line to see the
name of the field at tyhe botton of the screen.
In addition you can right-click on the field and then select 'Apply as
Filter --> Selected' to filter for that value in that field.
Jaap Keuter wrote:
Hi,
You're confused. It's dns.flags what you're looking for.
In fact "dns.flags.rcode == 3" is what you want to use as display filter.
Thanx,
Jaap
Scott Baker wrote:
> > I want to filter out all DNS queries that fail with a "no such name"
> > response. As far as I can tell that's tcp flag 0x8583, but I don't
> > know how to filter for that. The docs say tcp.flags is an 8 bit field,
> > so it can't be 0x8583. How do I filter DNS for specific flags?
> >
> > - Scott