For numeric values such as port numbers, "4430..4434" looks more
natural than "4430 .. 4434", so support that.
To make this possible, the display filter syntax needs to be restricted.
Assume that neither field names nor values can contain "..". The display
filter `data contains ..` will now be considered a syntax error and must
be written as `data contains ".."` instead. More generally, all values
that contain ".." must be quoted.
Other than the ".." restriction, the scanner deliberately accepts more
characters that can potentially form invalid input. This is to prevent
accidentally splitting input in multiple tokens. For example, "9.2." in
"frame.time_delta in {9.2.}" is currently parsed as one token and then
rejected because it cannot be parsed as time. If the scanner was made
stricter, it could treat it as two tokens (floats), "9." and "2." which
has different meaning for the set membership operator.
An unhandled edge case is "1....2" which is parsed as "1 .. .. 2" but
could have been parsed as "1. .. .2" instead. A float with trailing dots
followed by ".." seems sufficiently weird, so rejection is fine.
Ping-Bug: 14180
Change-Id: Ibad8e851b49346c9d470f09d5d6a54defa21bcb9
Reviewed-on: https://code.wireshark.org/review/26960
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Allow "tcp.srcport in {1662 1663 1664}" to be abbreviated to
"tcp.srcport in {1662 .. 1664}". The range operator is supported for any
field value which supports the "<=" and "=>" operators and thus works
for integers, IP addresses, etc.
The naive mapping "tcp.srcport >= 1662 and tcp.srcport <= 1664" is not
used because it does not have the intended effect with fields that have
multiple occurrences (e.g. tcp.port). Each condition could be satisfied
by an other value. Therefore a new DVFM instruction (ANY_IN_RANGE) is
added to test the range condition against each individual field value.
Bug: 14180
Change-Id: I53c2d0f9bc9d4f0ffaabde9a83442122965c95f7
Reviewed-on: https://code.wireshark.org/review/26945
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Switch from AsciiDoc's smart quotes markup to the quotes themselves,
along with apostrophes.
Change-Id: I78930d6902e2691b6a2cb35ed5bae6fef4bb7257
Reviewed-on: https://code.wireshark.org/review/26108
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Convert some passthrough XML comments left over from the DocBook →
AsciiDoc conversion to AsciiDoc / Asciidoctor comments.
Change-Id: Iaf44bcf0b8a3a383e735b2b4394722cbbb2bdff3
Reviewed-on: https://code.wireshark.org/review/25615
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Switch from AsciiDoc's smart quotes markup to the quotes themselves. Use
double curly quotes in place of singles.
Switch from XML entities to their direct equivalents where we can.
Switch from hex entities to decimal entities where we can't or it's not
convenient. (Asciidoctor PDF doesn't yet handle hex entities).
Change-Id: Iaf5ec33249e1c91b3d50b5d96251763243b72836
Reviewed-on: https://code.wireshark.org/review/25606
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Start using markup that is preferred by Asciidoctor but compatible with
both generators.
Add a missing "cpp" attribute and set a couple of Asciidoctor-specific
compatibility attributes.
Change-Id: Iff4c31362e4493b97a85f46db2c39b18c336536f
Reviewed-on: https://code.wireshark.org/review/25600
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Change the name of the button macro to "btn" in order to be compatible
with AsciiDoctor.
Change-Id: I673e0fe0ae7b343abeb1afba0b9b11402efdf0d6
Reviewed-on: https://code.wireshark.org/review/23187
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Make the "matches" operator case-insensitive by default. Case
sensitivity can be switched back on using "(?-i)".
It might be nice to make "contains" case-insensitive as well, but we'd
need a caseless version of epan_memmem.
Change-Id: I5e39a52c148477c30c808152bcace08348df815a
Reviewed-on: https://code.wireshark.org/review/22330
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Added examples for the matches, contains and bitwise_and operators.
Most of the text and the examples have been taken from the wiki and the
wireshark-filter manpage.
Bug: 13320
Change-Id: Icd9a325c05ecd4ecd1cbde8162a4c88cae335d1d
Reviewed-on: https://code.wireshark.org/review/19758
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Move the replacement definitions in asciidoc.conf to
attributes.asciidoc. This makes the markup a bit cleaner and is more
compatible with AsciiDoctor. Use a standard naming scheme for URLs.
Change-Id: Ica73aaadb013be2a4e6a3963fb54e6db6e02e98f
Reviewed-on: https://code.wireshark.org/review/18655
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Adjust the column widths of some tables to that they render more cleanly
and without FOP warnings. Move some table content to plain text instead
of trying to shove it into table cells. Fix some other layout and
formatting.
Change-Id: I40e40fd7ca5c3cc594ea30c8b1ad233afd4cdca4
Reviewed-on: https://code.wireshark.org/review/17880
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Pass relative image directory paths to xsltproc. The DocBook documentation
says you can use a URI, but trying to get that to work with CMake
and Windows appears to be a path to tears and undignified wails of
frustration.
Add attributes for our different types of images and use them so that
the PDFs don't scale our screenshots to an unusable size.
Change-Id: I786d09d9ef9be3d423b2af426a8867739ae12c1a
Reviewed-on: https://code.wireshark.org/review/17688
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Added a new relational test: 'x in {a b c}'. The only LHS entity
supported at this time is a field. The generated DFVM operations are
equivalent to an OR'ed series of =='s, but with the redundant existence
tests removed.
Change-Id: Iddc89b81cf7ad6319aef1a2a94f93314cb721a8a
Reviewed-on: https://code.wireshark.org/review/10246
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Changes from the GTK+ UI:
- The display filter is built on the fly with immediate syntax feedback.
- Slightly different layout.
- You can search for fields.
Make the plain SyntaxLineEdit a bit more plain.
Bug: 11128
Change-Id: I06a48cd7b9ba7b9dc193b0199540aede4eb62fa7
Reviewed-on: https://code.wireshark.org/review/8742
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
You can open a new packet window in the GTK+ UI by holding down the
shift key and double-clicking on a frame link in the protocol tree. Add
this behavior to the Qt UI. Document the different ways of opening a new
packet window and update the image.
Change-Id: I55caf6cc8089a6c305fafd47b4870e7c69dbfb10
Reviewed-on: https://code.wireshark.org/review/7101
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Leave most of the content intact for now.
Change-Id: Ic264814aa8e442df100ae8533098843ef6a2e6c9
Reviewed-on: https://code.wireshark.org/review/3937
Reviewed-by: Gerald Combs <gerald@wireshark.org>