forked from osmocom/wireshark
WSUG: Document the layer operator.
Copy over the "layer operator" section from the wireshark-filter man page. Fix the "at operator" level in the wireshark-filter man page.
This commit is contained in:
parent
1505fa1b4b
commit
5084857eed
|
@ -388,7 +388,7 @@ For more complicated ranges the same syntax used with slices is valid:
|
|||
means layers number 2, 3 or 4 inclusive. The hash symbol is required to
|
||||
distinguish a layer range from a slice.
|
||||
|
||||
== The at operator
|
||||
=== The at operator
|
||||
|
||||
By prefixing the field name with an at sign (@) the comparison is done against
|
||||
the raw packet data for the field.
|
||||
|
|
|
@ -762,6 +762,24 @@ eth.src[0:3,1-2,:4,4:,2] ==
|
|||
Wireshark allows you to string together single ranges in a comma separated list
|
||||
to form compound ranges as shown above.
|
||||
|
||||
==== The Layer Operator
|
||||
|
||||
A field can be restricted to a certain layer in the protocol stack using the
|
||||
layer operator (#), followed by a decimal number:
|
||||
|
||||
ip.addr#2 == 192.168.30.40
|
||||
|
||||
matches only the inner (second) layer in the packet.
|
||||
Layers use simple stacking semantics and protocol layers are counted sequentially starting from 1.
|
||||
For example, in a packet that contains two IPv4 headers, the outer (first) source address can be matched with "ip.src#1" and the inner (second) source address can be matched with "ip.src#2".
|
||||
|
||||
For more complicated ranges the same syntax used with slices is valid:
|
||||
|
||||
tcp.port#[2-4]
|
||||
|
||||
means layers number 2, 3 or 4 inclusive. The hash symbol is required to
|
||||
distinguish a layer range from a slice.
|
||||
|
||||
==== Membership Operator
|
||||
Wireshark allows you to test a field for membership in a set of values or
|
||||
fields. After the field name, use the `in` operator followed by the set items
|
||||
|
|
Loading…
Reference in New Issue