forked from osmocom/wireshark
WSUG: Document the layer operator.
Copy over the "layer operator" section from the wireshark-filter man page. Fix the "at operator" level in the wireshark-filter man page.
parent
1505fa1b4b
commit
5084857eed
|
@ -388,7 +388,7 @@ For more complicated ranges the same syntax used with slices is valid:
|
||||||
means layers number 2, 3 or 4 inclusive. The hash symbol is required to
|
means layers number 2, 3 or 4 inclusive. The hash symbol is required to
|
||||||
distinguish a layer range from a slice.
|
distinguish a layer range from a slice.
|
||||||
|
|
||||||
== The at operator
|
=== The at operator
|
||||||
|
|
||||||
By prefixing the field name with an at sign (@) the comparison is done against
|
By prefixing the field name with an at sign (@) the comparison is done against
|
||||||
the raw packet data for the field.
|
the raw packet data for the field.
|
||||||
|
|
|
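Review bot: the heading change on "The at operator" (`==` to `===`) is a man page fix that is independent of copying the layer operator section into the WSUG; consider putting it in its own commit so it can be reverted or backported separately. If it stays here, confirm that the layer operator section ending in the context lines above it is also at the `===` level, so the two sections render as siblings.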
@ -762,6 +762,24 @@ eth.src[0:3,1-2,:4,4:,2] ==
|
||||||
Wireshark allows you to string together single ranges in a comma separated list
|
Wireshark allows you to string together single ranges in a comma separated list
|
||||||
to form compound ranges as shown above.
|
to form compound ranges as shown above.
|
||||||
|
|
||||||
|
==== The Layer Operator
|
||||||
|
|
||||||
|
A field can be restricted to a certain layer in the protocol stack using the
|
||||||
|
layer operator (#), followed by a decimal number:
|
||||||
|
|
||||||
|
ip.addr#2 == 192.168.30.40
|
||||||
|
|
||||||
|
matches only the inner (second) layer in the packet.
|
||||||
|
Layers use simple stacking semantics and protocol layers are counted sequentially starting from 1.
|
||||||
|
For example, in a packet that contains two IPv4 headers, the outer (first) source address can be matched with "ip.src#1" and the inner (second) source address can be matched with "ip.src#2".
|
||||||
|
|
||||||
|
For more complicated ranges the same syntax used with slices is valid:
|
||||||
|
|
||||||
|
tcp.port#[2-4]
|
||||||
|
|
||||||
|
means layers number 2, 3 or 4 inclusive. The hash symbol is required to
|
||||||
|
distinguish a layer range from a slice.
|
||||||
|
|
||||||
==== Membership Operator
|
==== Membership Operator
|
||||||
Wireshark allows you to test a field for membership in a set of values or
|
Wireshark allows you to test a field for membership in a set of values or
|
||||||
fields. After the field name, use the `in` operator followed by the set items
|
fields. After the field name, use the `in` operator followed by the set items
|
||||||
|
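Review bot: the two added examples, `ip.addr#2 == 192.168.30.40` and `tcp.port#[2-4]`, are carried over as bare lines, while the filter example later in this file (`frame[10:] contains .fc or frame[10] == :fc`) sits between `----` delimiters; wrap both in the same listing block so they render as code in the guide. In the same section, "ip.src#1" and "ip.src#2" are in double quotes where the neighbouring Membership Operator text uses backticks for `in`. It would also help to state what a filter such as `ip.addr#2` evaluates to when the packet has only one such layer, since the text only describes the case with two IPv4 headers.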
@ -920,7 +938,7 @@ How ambiguous values are interpreted may change in the future. To avoid this
|
||||||
problem and resolve the ambiguity there is additional syntax available.
|
problem and resolve the ambiguity there is additional syntax available.
|
||||||
Values prefixed with a dot are always treated as a protocol name. The
|
Values prefixed with a dot are always treated as a protocol name. The
|
||||||
dot stands for the root of the protocol namespace and is optional). Values
|
dot stands for the root of the protocol namespace and is optional). Values
|
||||||
prefixed with a colon are always interpreted as a byte array.
|
prefixed with a colon are always interpreted as a byte array.
|
||||||
----
|
----
|
||||||
frame[10:] contains .fc or frame[10] == :fc
|
frame[10:] contains .fc or frame[10] == :fc
|
||||||
----
|
----
|
||||||
|
|
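Review bot: in the line "dot stands for the root of the protocol namespace and is optional). Values" the closing parenthesis has no opening partner, and it is the same on both sides of the diff; since this hunk's range covers the paragraph, either open the parenthesis before "The dot stands" or drop the ")". The paragraph also says a dot prefix always marks a protocol name and then calls the dot optional, so it is worth rewording to make clear when the dot can be omitted.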