Understanding the expression builder

On the right-hand side of the display filter is the Expression button, which, when clicked, will open a dialog box, as shown in the following screenshot:

Display Filter Expression

On the left-hand side, you will see a list of all of Wireshark's supported protocols. Wireshark is capable of dissecting hundreds of protocols, with more added all the time, so the list will be long. In order to find a protocol, you can use the search tool. In the preceding screenshot, I have entered tcp in the search tool and then expanded the available field names. To further refine the filter, you can select from the four variables listed on the right-hand side:

  • Relation: This is a list of comparison operators used to test the selected field's value against another value:
    • is present: Indicates the selected field exists in the capture
    • ==: Equal to
    • !=: Not equal to
    • >: Greater than
    • <: Less than
    • >=: Greater than or equal to
    • <=: Less than or equal to
  • Value: The value to compare the field against. Wireshark indicates the type of value the field expects, such as Boolean or string.
  • Predefined Values: Wireshark populates this with the appropriate values for a given field.
  • Range (offset:length): Lets you enter a range of integers such as 4-8 or 12-20, when a range is an appropriate selection for this field or filter.
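To make the four selections concrete, the following is an added example (not Wireshark's own code and not from the book): a small evaluator that models one builder term as field, relation, value and optional Range, renders it as the display filter text the builder would insert, and applies it to a handful of constructed packet records. The field names are used purely as labels on hand-built dictionaries; nothing here dissects real traffic. It also shows the behaviour a practitioner is most often surprised by: a packet that lacks the field fails every relation, including !=, so "is present" is the only term an absent field can be tested with.

```python
"""Evaluator for the field / relation / value terms that the expression
builder produces. This is an added example, not Wireshark's own code: the
packet records below are constructed by hand, and the field names are used
only as labels, so nothing here dissects real traffic."""
from dataclasses import dataclass
from typing import Any, Callable, Optional

# The six comparison relations listed in the builder, as Python predicates.
# "is present" is handled separately because it takes no value.
RELATIONS: dict[str, Callable[[Any, Any], bool]] = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
}


def format_value(value: Any) -> str:
    """Render a value the way it appears in a display filter string."""
    if isinstance(value, bool):          # bool before int: bool is an int subclass
        return "1" if value else "0"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, (bytes, bytearray)):
        return ":".join(f"{b:02x}" for b in value)
    return f'"{value}"'                  # strings are quoted


@dataclass(frozen=True)
class Term:
    """One builder selection: field, relation, value and optional Range."""
    field: str
    relation: Optional[str] = None       # None means "is present"
    value: Any = None
    offset: Optional[int] = None         # Range (offset:length) slice
    length: Optional[int] = None

    def __post_init__(self) -> None:
        if self.relation is not None and self.relation not in RELATIONS:
            raise ValueError(f"unsupported relation {self.relation!r}")
        if (self.offset is None) != (self.length is None):
            raise ValueError("offset and length must be given together")

    def render(self) -> str:
        """Produce the display filter text the builder would insert."""
        name = self.field
        if self.offset is not None:
            name += f"[{self.offset}:{self.length}]"
        if self.relation is None:
            return name
        return f"{name} {self.relation} {format_value(self.value)}"

    def matches(self, packet: dict[str, Any]) -> bool:
        """Apply the term to one packet record (a dict of field -> value)."""
        if self.field not in packet:
            return False                 # a missing field fails every relation, even !=
        if self.relation is None:
            return True                  # "is present"
        actual = packet[self.field]
        if self.offset is not None:      # Range: compare only the selected bytes
            actual = actual[self.offset:self.offset + self.length]
        return RELATIONS[self.relation](actual, self.value)


# Constructed packet records; the keys mimic Wireshark field names.
PACKETS = [
    {"no": 1, "ip.src": "10.0.0.5", "tcp": True, "tcp.srcport": 52344,
     "tcp.dstport": 443, "tcp.flags.syn": True,
     "eth.src": bytes.fromhex("000083aabbcc")},
    {"no": 2, "ip.src": "10.0.0.7", "udp": True, "udp.srcport": 5353,
     "udp.dstport": 5353, "eth.src": bytes.fromhex("3c5ab4112233")},
    {"no": 3, "ip.src": "10.0.0.9", "tcp": True, "tcp.srcport": 443,
     "tcp.dstport": 52344, "tcp.flags.syn": False,
     "eth.src": bytes.fromhex("3c5ab4445566")},
]


def select(term: Term, packets: list[dict[str, Any]] = PACKETS) -> list[int]:
    """Return the packet numbers that satisfy the term."""
    return [p["no"] for p in packets if term.matches(p)]


if __name__ == "__main__":
    for term in (
        Term("tcp"),                                           # is present
        Term("tcp.dstport", "==", 443),
        Term("tcp.dstport", "!=", 443),                        # packet 2 has no tcp.dstport
        Term("tcp.srcport", ">=", 1024),
        Term("eth.src", "==", bytes.fromhex("000083"), 0, 3),  # Range 0:3
    ):
        print(f"{term.render():32} -> {select(term)}")
```

Running the script prints each rendered filter beside the packet numbers it selects; the `!=` line is the one worth studying, since the UDP-only packet is not returned even though it plainly does not carry port 443.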

Now that you have a good understanding of what the expression builder can do, let's go through a simple example of building a custom filter.
