Display Filter Reference: Executable and Linkable Format

Protocol field name: elf

Versions: 1.12.0 to 2.4.4

Back to Display Filter Reference

Field name Description Type Versions
elf.abi_version ABI Version Unsigned integer, 1 byte 1.12.0 to 2.4.4
elf.blackhole_size Blackhole size Unsigned integer, 4 bytes 2.0.0 to 2.4.4
elf.blackholes_size Total blackholes size Unsigned integer, 4 bytes 2.0.0 to 2.4.4
elf.cfi_extraneous_data Segment size is larger than CFI records combined Label 2.0.0 to 2.4.4
elf.data_encoding Data Encoding Unsigned integer, 1 byte 1.12.0 to 2.4.4
elf.dwarf.format DWARF Exception Header value format Unsigned integer, 1 byte 1.12.0 to 2.4.4
elf.dwarf.omit DW_EH_PE_omit Unsigned integer, 1 byte 1.12.0 to 2.4.4
elf.dwarf.upper DWARF Exception Header application Unsigned integer, 1 byte 1.12.0 to 2.4.4
elf.dynamic.ignored Ignored Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.dynamic.ignored64 Ignored Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.dynamic.pointer Pointer Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.dynamic.pointer64 Pointer Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.dynamic.tag Tag Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.dynamic.tag64 Tag Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.dynamic.unspecified Unspecified Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.dynamic.unspecified64 Unspecified Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.dynamic.value Value Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.dynamic.value64 Value Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.eh_frame.augmentation_data Augmentation Data Sequence of bytes 1.12.0 to 2.4.4
elf.eh_frame.augmentation_length Augmentation Length Unsigned integer, 8 bytes 1.12.0 to 2.4.4
elf.eh_frame.augmentation_string Augmentation String Character string 1.12.3 to 2.4.4
elf.eh_frame.cie_id CIE ID Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.eh_frame.code_alignment_factor Code Alignment Factor Unsigned integer, 8 bytes 1.12.0 to 2.4.4
elf.eh_frame.data_alignment_factor Data Alignment Factor Signed integer, 8 bytes 1.12.0 to 2.4.4
elf.eh_frame.extended_length Extended Length Unsigned integer, 8 bytes 2.0.0 to 2.4.4
elf.eh_frame.fde.augmentation_data Augmentation Data Sequence of bytes 1.12.0 to 2.4.4
elf.eh_frame.fde.augmentation_length Augmentation Length Unsigned integer, 8 bytes 1.12.0 to 2.4.4
elf.eh_frame.fde.call_frame_instructions Call Frame Instructions Sequence of bytes 1.12.0 to 2.4.4
elf.eh_frame.fde.cie_pointer CIE Pointer Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.eh_frame.fde.extended_length Extended Length Unsigned integer, 8 bytes 2.0.0 to 2.4.4
elf.eh_frame.fde.length Length Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.eh_frame.fde.pc_begin PC Begin Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.eh_frame.fde.pc_range PC Range Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.eh_frame.initial_instructions Initial Instructions Sequence of bytes 1.12.0 to 2.4.4
elf.eh_frame.length Length Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.eh_frame.return_address_register Return Address Register Unsigned integer, 8 bytes 1.12.0 to 2.4.4
elf.eh_frame.version Version Unsigned integer, 1 byte 1.12.0 to 2.4.4
elf.eh_frame_hdr.binary_search_table_encoding Binary Search Table Encoding Unsigned integer, 1 byte 1.12.0 to 2.4.4
elf.eh_frame_hdr.binary_search_table_entry.address Address Sequence of bytes 1.12.0 to 2.4.4
elf.eh_frame_hdr.binary_search_table_entry.initial_location Initial location Sequence of bytes 1.12.0 to 2.4.4
elf.eh_frame_hdr.eh_frame_ptr Exception Frame Pointer Sequence of bytes 1.12.0 to 2.4.4
elf.eh_frame_hdr.eh_frame_ptr_enc Exception Frame Pointer Encoding Unsigned integer, 1 byte 1.12.0 to 2.4.4
elf.eh_frame_hdr.fde_count Number of FDE entries Unsigned integer, 8 bytes 1.12.0 to 2.4.4
elf.eh_frame_hdr.fde_count_enc FDE Count Encoding Unsigned integer, 1 byte 1.12.0 to 2.4.4
elf.eh_frame_hdr.version Version Unsigned integer, 1 byte 1.12.0 to 2.4.4
elf.ehsize ELF Header Size Unsigned integer, 2 bytes 1.12.0 to 2.4.4
elf.entry Entry Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.entry64 Entry Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.entry_bytes Entry Sequence of bytes 2.0.0 to 2.4.4
elf.file_class File Class Unsigned integer, 1 byte 1.12.0 to 2.4.4
elf.file_padding File Padding Sequence of bytes 1.12.0 to 2.4.4
elf.file_size File size Unsigned integer, 4 bytes 2.0.0 to 2.4.4
elf.file_version File Version Unsigned integer, 1 byte 1.12.0 to 2.4.4
elf.flags Flags Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.header_segment_size Header size + all segment size Unsigned integer, 4 bytes 2.0.0 to 2.4.4
elf.invalid_cie_length CIE length is too small or larger than segment size Label 2.0.0 to 2.4.4
elf.invalid_entry_size Entry size is different then currently parsed bytes Label 1.12.0 to 2.4.4
elf.invalid_segment_size Segment size is different then currently parsed bytes Label 1.12.0 to 2.4.4
elf.machine Machine Unsigned integer, 2 bytes 1.12.0 to 2.4.4
elf.magic_bytes Magic Bytes Sequence of bytes 1.12.0 to 2.4.4
elf.os_abi OS ABI Unsigned integer, 1 byte 1.12.0 to 2.4.4
elf.overlapping_size Overlapping size Unsigned integer, 4 bytes 2.0.0 to 2.4.4
elf.p_align Align Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.p_align64 Align Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.p_filesz File Image Size Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.p_filesz64 File Image Size Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.p_flags.execute Execute Flag Boolean 1.12.0 to 2.4.4
elf.p_flags.maskos Operating System Specific Flags Boolean 1.12.0 to 2.4.4
elf.p_flags.maskproc Processor Specific Flags Boolean 1.12.0 to 2.4.4
elf.p_flags.read Read Flag Boolean 1.12.0 to 2.4.4
elf.p_flags.reserved Reserrved Flags Boolean 1.12.0 to 2.4.4
elf.p_flags.write Write Flag Boolean 1.12.0 to 2.4.4
elf.p_memsz Memory Image Size Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.p_memsz64 Memory Image Size Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.p_offset File Offset Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.p_offset64 File Offset Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.p_paddr Physical Address Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.p_paddr64 Physical Address Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.p_type Element Type Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.p_vaddr Virtual Address Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.p_vaddr64 Virtual Address Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.phentsize Entry Size in Program Header Table Unsigned integer, 2 bytes 1.12.0 to 2.4.4
elf.phnum Number of Entries in the Program Header Table Unsigned integer, 2 bytes 1.12.0 to 2.4.4
elf.phoff Program Header Table File Offset Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.phoff64 Program Header Table File Offset Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.segment Segment Sequence of bytes 2.0.0 to 2.4.4
elf.sh_addr Address Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.sh_addr64 Address Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.sh_addralign Address Alignment Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.sh_addralign64 Address Alignment Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.sh_entsize Entry Size Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.sh_entsize64 Entry Size Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.sh_flags.alloc Alloc Flag Boolean 1.12.0 to 2.4.4
elf.sh_flags.exec_instr Exec Instr Flag Boolean 1.12.0 to 2.4.4
elf.sh_flags.group Group Flag Boolean 1.12.0 to 2.4.4
elf.sh_flags.info_link Info Link Flag Boolean 1.12.0 to 2.4.4
elf.sh_flags.link_order Link Order Flag Boolean 1.12.0 to 2.4.4
elf.sh_flags.maskos Operating System Specific Flags Boolean 1.12.0 to 2.4.4
elf.sh_flags.maskproc Processor Specific Flags Boolean 1.12.0 to 2.4.4
elf.sh_flags.merge Merge Flag Boolean 1.12.0 to 2.4.4
elf.sh_flags.os_nonconforming OS NonConforming Flag Boolean 1.12.0 to 2.4.4
elf.sh_flags.reserved Reserved Boolean 1.12.0 to 2.4.4
elf.sh_flags.reserved.8 Reserved Boolean 1.12.0 to 2.4.4
elf.sh_flags.strings Strings Flag Boolean 1.12.0 to 2.4.4
elf.sh_flags.tls TLS Flag Boolean 1.12.0 to 2.4.4
elf.sh_flags.write Write Flag Boolean 1.12.0 to 2.4.4
elf.sh_info Info Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.sh_link Link Index Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.sh_name Name Index Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.sh_offset File Offset Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.sh_offset64 File Offset Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.sh_size Size Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.sh_size64 Size Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.sh_type Type Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.shentsize Entry Size in Section Header Table Unsigned integer, 2 bytes 1.12.0 to 2.4.4
elf.shnum Number of Entries in the Section Header Table Unsigned integer, 2 bytes 1.12.0 to 2.4.4
elf.shoff Section Header Table File Offset Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.shoff64 Section Header Table File Offset Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.shstrndx Section Header Table String Index Unsigned integer, 2 bytes 1.12.0 to 2.4.4
elf.string String Character string 1.12.0 to 2.4.4
elf.symbol_table.info Info Unsigned integer, 1 byte 1.12.0 to 2.4.4
elf.symbol_table.info.bind Bind Unsigned integer, 1 byte 1.12.0 to 2.4.4
elf.symbol_table.info.type Type Unsigned integer, 1 byte 1.12.0 to 2.4.4
elf.symbol_table.name_index Name Index Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.symbol_table.other Other Unsigned integer, 1 byte 1.12.0 to 2.4.4
elf.symbol_table.shndx Releated Section Header Index Unsigned integer, 2 bytes 1.12.0 to 2.4.4
elf.symbol_table.size Size Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.symbol_table.size64 Size Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.symbol_table.value Value Unsigned integer, 4 bytes 1.12.0 to 2.4.4
elf.symbol_table.value64 Value Unsigned integer, 8 bytes 2.2.0 to 2.4.4
elf.type Type Unsigned integer, 2 bytes 1.12.0 to 2.4.4
elf.version Version Unsigned integer, 4 bytes 1.12.0 to 2.4.4
Go Beyond with Riverbed Technology

Riverbed is Wireshark's primary sponsor and provides our funding. They also make great products that fully integrate with Wireshark.

I have a lot of traffic...

ANSWER: SteelCentral™ Packet Analyzer PE
  • • Visually rich, powerful LAN analyzer
  • • Quickly access very large pcap files
  • • Professional, customizable reports
  • • Advanced triggers and alerts
  • • Fully integrated with Wireshark and AirPcap™
Learn More

Buy Now

No, really, I have a LOT of traffic…

ANSWER: SteelCentral™ NetShark appliance
  • • Troubleshoot problems faster
  • • Quickly identify the applications running on your network
  • • Monitor your virtual machine traffic
Learn More