dfilter: Make logical AND higher precedence than logical OR

In most, if not all, programming languages logical AND has higher precedence than logical OR. Apply the principle of least surprise and do the same for Wireshark display filters. Before: ip and tcp or udp => ip and (tcp or udp) Filter: ip and tcp or udp Instructions: 00000 CHECK_EXISTS ip 00001 IF_FALSE_GOTO 5 00002 CHECK_EXISTS tcp 00003 IF_TRUE_GOTO 5 00004 CHECK_EXISTS udp 00005 RETURN After: ip and tcp or udp => (ip and tcp) or udp Filter: ip and tcp or udp Instructions: 00000 CHECK_EXISTS ip 00001 IF_FALSE_GOTO 4 00002 CHECK_EXISTS tcp 00003 IF_TRUE_GOTO 5 00004 CHECK_EXISTS udp 00005 RETURN
2022-04-03 17:57:23 +01:00 · 2022-04-03 17:57:23 +01:00 · 34ad6bb478
parent 167d44ea6d
commit 34ad6bb478
3 changed files with 16 additions and 8 deletions
--- a/doc/wireshark-filter.adoc
+++ b/doc/wireshark-filter.adoc
@ -429,14 +429,21 @@ syntactical elements in the filter language.

 Tests can be combined using logical expressions.
 These too are expressible in C-like syntax or with English-like
-abbreviations:
+abbreviations. The following table lists the logical operators from
+highest to lowest precedence:

-    and, &&   Logical AND
-    or,  ||   Logical OR
-    not, !    Logical NOT
+    not, !    Logical NOT   (right-associative)
+    and, &&   Logical AND   (left-associative)
+    or,  ||   Logical OR    (left-associative)

-Expressions can be grouped by parentheses as well.  The following are
-all valid display filter expressions:
+The evaluation is always performed left to right. Expressions can be grouped
+by parentheses as well. The expression "A and B or not C or D and not E or F"
+is read:
+
+    (A and B) or (not C) or (D and (not E)) or F
+
+It's usually better to be explicit about grouping using parenthesis.
+The following are all valid display filter expressions:

    tcp.port == 80 and ip.src == 192.168.2.1
    not llc
--- a/docbook/release-notes.adoc
+++ b/docbook/release-notes.adoc
@ -69,6 +69,7 @@ They previously shipped with Npcap 1.55.
   It is now possible to use expressions such as "tcp.dstport >= tcp.srcport + 1", or using field references
   to the selected frame: frame.number > ${frame.number} - 5. Note that the last example is only meaningful using
   the GUI because TShark has no concept of selected frame.
+** Logical AND now has higher precedence than logical OR, in line with most programming languages.

 * text2pcap and "Import from Hex Dump":
 ** text2pcap supports writing the output file in all the capture file formats
--- a/epan/dfilter/grammar.lemon
+++ b/epan/dfilter/grammar.lemon
@ -79,11 +79,11 @@ shifting 3 more symbols. */
 /* ----------------- The grammar -------------- */

 /* Associativity */
-%left TEST_AND.
 %left TEST_OR.
+%left TEST_AND.
+%right TEST_NOT.
 %nonassoc TEST_ALL_EQ TEST_ANY_EQ TEST_ALL_NE TEST_ANY_NE TEST_LT TEST_LE TEST_GT TEST_GE
            TEST_CONTAINS TEST_MATCHES TEST_BITWISE_AND.
-%right TEST_NOT.

 /* Top-level targets */
 sentence ::= expr(X).           { dfw->st_root = X; }