WSUG: Document the layer operator.

Copy over the "layer operator" section from the wireshark-filter man
page.

Fix the "at operator" level in the wireshark-filter man page.

doc/wireshark-filter.adoc

@@ -388,7 +388,7 @@ For more complicated ranges the same syntax used with slices is valid:
 means layers number 2, 3 or 4 inclusive. The hash symbol is required to
 distinguish a layer range from a slice.
 
-== The at operator
+=== The at operator
 
 By prefixing the field name with an at sign (@) the comparison is done against
 the raw packet data for the field.

docbook/wsug_src/WSUG_chapter_work.adoc

@@ -762,6 +762,24 @@ eth.src[0:3,1-2,:4,4:,2] ==
 Wireshark allows you to string together single ranges in a comma separated list
 to form compound ranges as shown above.
 
+==== The Layer Operator
+
+A field can be restricted to a certain layer in the protocol stack using the
+layer operator (#), followed by a decimal number:
+
+    ip.addr#2 == 192.168.30.40
+
+matches only the inner (second) layer in the packet.
+Layers use simple stacking semantics and protocol layers are counted sequentially starting from 1.
+For example, in a packet that contains two IPv4 headers, the outer (first) source address can be matched with "ip.src#1" and the inner (second) source address can be matched with "ip.src#2".
+
+For more complicated ranges the same syntax used with slices is valid:
+
+    tcp.port#[2-4]
+
+means layers number 2, 3 or 4 inclusive. The hash symbol is required to
+distinguish a layer range from a slice.
+
 ==== Membership Operator
 Wireshark allows you to test a field for membership in a set of values or
 fields. After the field name, use the `in` operator followed by the set items