forked from osmocom/wireshark
Add documentation for display filter raw string syntax
parent 35f5c116ca
commit 586535bdb8
|
@ -232,7 +232,14 @@ double quotes.
|
||||||
|
|
||||||
smb.path contains "\\\\SERVER\\SHARE"
|
smb.path contains "\\\\SERVER\\SHARE"
|
||||||
|
|
||||||
looks for \\SERVER\SHARE in "smb.path".
|
looks for \\SERVER\SHARE in "smb.path". This may be more conveniently written
|
||||||
|
as
|
||||||
|
|
||||||
|
smb.path contains r"\\SERVER\SHARE"
|
||||||
|
|
||||||
|
String literals prefixed with 'r' are called "raw strings". Such strings treat
|
||||||
|
backslash as a literal character. Double quotes may still be escaped with
|
||||||
|
backslash but note that backslashes are always preserved in the result.
|
||||||
|
|
||||||
=head2 The slice operator
|
=head2 The slice operator
|
||||||
|
|
||||||
|
|
|
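Review bot: The added paragraph documents only the lowercase 'r' prefix, while the user-guide text added in this same commit says raw strings are prefixed with `r` or `R`; the two descriptions should agree. The closing sentence (a double quote may still be escaped with a backslash, but the backslash is preserved in the result) is easy to misread, so a short example of a raw string containing an escaped quote, together with the resulting value, would make the behaviour concrete.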
@ -592,6 +592,11 @@ hex \x__hh__ or octal {backslash}__ddd__, where _h_ and _d_ are hex and octal
|
||||||
numerical digits respectively:
|
numerical digits respectively:
|
||||||
+
|
+
|
||||||
`dns.qry.name contains "www.\x77\x69\x72\x65\x73\x68\x61\x72\x6b.org"`
|
`dns.qry.name contains "www.\x77\x69\x72\x65\x73\x68\x61\x72\x6b.org"`
|
||||||
|
+
|
||||||
|
Alternatively a raw string syntax can be used. Such strings are prefixed with `r` or `R` and treat
|
||||||
|
backslash as a literal character.
|
||||||
|
+
|
||||||
|
`http.user_agent matches r"\(X11;"`
|
||||||
|
|
||||||
[[ChWorkFilterExamples]]
|
[[ChWorkFilterExamples]]
|
||||||
|
|
||||||
|
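Review bot: "Alternatively" in the added sentence reads as if a raw string were another way to write the hex-escape example directly above it, but by the sentence's own definition a raw string treats backslash as a literal character, so the \x77 style sequences would not be interpreted by the string parser. Suggest introducing raw strings as a way to avoid escaping backslashes, as the `http.user_agent matches r"\(X11;"` example does, and stating explicitly that hex and octal escapes are not processed in them. This paragraph also omits the rule about escaping double quotes that the other documentation hunk spells out.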
@ -638,6 +643,8 @@ expression it must be escaped (twice) with backslashes.
|
||||||
Another common pitfall is using `\.` instead of `\\.` in a regular expression. The former
|
Another common pitfall is using `\.` instead of `\\.` in a regular expression. The former
|
||||||
will match any character (the backslash is superfluous) while the latter will match a literal dot.
|
will match any character (the backslash is superfluous) while the latter will match a literal dot.
|
||||||
|
|
||||||
|
TIP: Using raw strings avoids most problem with the "matches" operator and double escapes.
|
||||||
|
|
||||||
==== Combining Expressions
|
==== Combining Expressions
|
||||||
|
|
||||||
You can combine filter expressions in Wireshark using the logical operators shown in <<FiltLogOps>>
|
You can combine filter expressions in Wireshark using the logical operators shown in <<FiltLogOps>>
|
||||||
|
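Review bot: Typo in the added TIP line: "most problem" should be "most problems". Since the paragraph directly above describes the `\.` versus `\\.` pitfall, the tip would be more useful if it tied back to it, for example by noting that inside r"..." a single `\.` reaches the regex engine unchanged and matches a literal dot.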
@ -773,7 +780,7 @@ string(frame.number) matches "[13579]$"
|
||||||
|
|
||||||
To match IP addresses ending in 255 in a block of subnets (172.16 to 172.31):
|
To match IP addresses ending in 255 in a block of subnets (172.16 to 172.31):
|
||||||
----
|
----
|
||||||
string(ip.dst) matches "^172\\.(1[6-9]|2[0-9]|3[0-1])\\.[0-9]{1,3}\\.255"
|
string(ip.dst) matches r"^172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.255"
|
||||||
----
|
----
|
||||||
|
|
||||||
[[ChWorkBuildDisplayFilterMistake]]
|
[[ChWorkBuildDisplayFilterMistake]]
|
||||||
|
|
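Review bot: The converted pattern is anchored with ^ but has no trailing $, although the sentence above it says the filter matches addresses ending in 255; the preceding example in the hunk header, string(frame.number) matches "[13579]$", does anchor the end. Consider adding $ after 255 while this line is being touched so the regex states the intent.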