dfilter: Add max()/min() tests and documentation

CMakeLists.txt

@@ -3826,7 +3826,7 @@ set(_test_group_list
 	suite_dfilter.group_bytes_ipv6
 	suite_dfilter.group_bytes_type
 	suite_dfilter.group_double
-	suite_dfilter.group_dfunction_string
+	suite_dfilter.group_function
 	suite_dfilter.group_integer
 	suite_dfilter.group_integer_1byte
 	suite_dfilter.group_ipv4

doc/wireshark-filter.adoc

@@ -128,6 +128,8 @@ The filter language has the following functions:
     len(field)          - returns the byte length of a string or bytes field
     count(field)        - returns the number of field occurrences in a frame
     string(field)       - converts a non-string field to string
+    max(f1,...,fn)      - return the maximum value
+    min(f1,...,fn)      - return the minimum value
 
 upper() and lower() are useful for performing case-insensitive string
 comparisons. For example:
@@ -144,6 +146,9 @@ byte fields. For example:
 
 gives you all the odd packets.
 
+max() and min() take any number of arguments and returns one value, respectively
+the largest/smallest. The arguments must all have the same type.
+
 === Protocol field types
 
 Each protocol field is typed. The types are:

docbook/release-notes.adoc

@@ -68,6 +68,7 @@ They previously shipped with Npcap 1.55.
 ** Arithmetic is supported for numeric fields with the usual operators: +, -, *, /, %. Arithmetic expressions must be grouped using
    curly brackets (not parenthesis).
 ** Logical AND now has higher precedence than logical OR, in line with most programming languages.
+** Adds new display filter functions max() and min().
 
 * text2pcap and "Import from Hex Dump":
 ** text2pcap supports writing the output file in all the capture file formats

docbook/wsug_src/WSUG_chapter_work.adoc

@@ -811,6 +811,8 @@ The display filter language has a number of functions to convert fields, see
 |len     |Returns the byte length of a string or bytes field.
 |count   |Returns the number of field occurrences in a frame.
 |string  |Converts a non-string field to a string.
+|max     |Return the maximum value for the arguments.
+|min     |Return the minimum value for the arguments.
 |===
 
 The `upper` and `lower` functions can used to force case-insensitive matches:
@@ -839,6 +841,13 @@ To match IP addresses ending in 255 in a block of subnets (172.16 to 172.31):
 string(ip.dst) matches r"^172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.255"
 ----
 
+The functions max() and min() take any number of arguments of the same type
+and returns the largest/smallest respectively of the set.
+
+----
+max(tcp.srcport, tcp.dstport) <= 1024
+----
+
 [#ChWorkBuildDisplayFilterTransitional]
 
 ==== Sometimes Fields Change Names

test/suite_dfilter/group_function.py

@@ -41,3 +41,27 @@ class case_dfunction_string(unittest.TestCase):
         dfilter = "string(dhcp.option.value) == \"hostname\""
         error = 'String conversion for field "dhcp.option.value" is not supported'
         checkDFilterFail(dfilter, error)
+
+@fixtures.uses_fixtures
+class case_dfunction_maxmin(unittest.TestCase):
+    trace_file = "sip.pcapng"
+
+    def test_min_1(self, checkDFilterCount):
+        dfilter = 'min(udp.srcport, udp.dstport) == 5060'
+        checkDFilterCount(dfilter, 5)
+
+    def test_min_2(self, checkDFilterCount):
+        dfilter = 'min(udp.srcport, udp.dstport) == 5070'
+        checkDFilterCount(dfilter, 0)
+
+    def test_max_1(self, checkDFilterCount):
+        dfilter = 'max(udp.srcport, udp.dstport) == 5070'
+        checkDFilterCount(dfilter, 3)
+
+    def test_max_2(self, checkDFilterCount):
+        dfilter = 'max(udp.srcport, udp.dstport) == 5060'
+        checkDFilterCount(dfilter, 2)
+
+    def test_max_3(self, checkDFilterCount):
+        dfilter = 'max(udp.srcport, udp.dstport) < 5060'
+        checkDFilterCount(dfilter, 1)