Update doco re: display filters.
Add config.h to dependencies for man pages so that correction VERSION number is in the man page. svn path=/trunk/; revision=3110
This commit is contained in:
parent
697cd22723
commit
ba9ca69fe8
|
@ -1,7 +1,7 @@
|
|||
# Makefile.am
|
||||
# Automake file for Ethereal documentation
|
||||
#
|
||||
# $Id: Makefile.am,v 1.8 2000/07/28 20:03:59 gram Exp $
|
||||
# $Id: Makefile.am,v 1.9 2001/03/06 18:38:47 gram Exp $
|
||||
#
|
||||
# Ethereal - Network traffic analyzer
|
||||
# By Gerald Combs <gerald@zing.org>
|
||||
|
@ -22,7 +22,10 @@
|
|||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
|
||||
../ethereal.1: ethereal.pod
|
||||
# We include dependencies on ../config.h in order to
|
||||
# capture when $(VERSION) changes.
|
||||
|
||||
../ethereal.1: ethereal.pod ../config.h
|
||||
pod2man ethereal.pod \
|
||||
--center="The Ethereal Network Analyzer" \
|
||||
--release=$(VERSION) \
|
||||
|
@ -31,7 +34,7 @@
|
|||
ethereal.pod: ethereal.pod.template ../ethereal
|
||||
../ethereal -G | $(PERL) $(srcdir)/dfilter2pod.pl $(srcdir)/ethereal.pod.template > ethereal.pod
|
||||
|
||||
../tethereal.1: tethereal.pod
|
||||
../tethereal.1: tethereal.pod ../config.h
|
||||
pod2man tethereal.pod \
|
||||
--center="The Ethereal Network Analyzer" \
|
||||
--release=$(VERSION) \
|
||||
|
@ -40,7 +43,7 @@ ethereal.pod: ethereal.pod.template ../ethereal
|
|||
tethereal.pod: tethereal.pod.template ../tethereal
|
||||
../tethereal -G | $(PERL) $(srcdir)/dfilter2pod.pl $(srcdir)/tethereal.pod.template > tethereal.pod
|
||||
|
||||
../editcap.1: editcap.pod
|
||||
../editcap.1: editcap.pod ../config.h
|
||||
pod2man $(srcdir)/editcap.pod \
|
||||
--center="The Ethereal Network Analyzer" \
|
||||
--release=$(VERSION) \
|
||||
|
|
|
@ -807,53 +807,24 @@ eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order,
|
|||
so you do not have to worry about how the endianness of an IPv4 address
|
||||
when using it in a display filter.
|
||||
|
||||
Classless InterDomain Routing (CIDR) notation can be used to test if an
|
||||
IPv4 address is in a certain subnet. For example, this display filter
|
||||
will find all packets in the 129.111 Class-B network:
|
||||
|
||||
ip.addr == 129.111.0.0/16
|
||||
|
||||
Remember, the number after the slash represents the number of bits used
|
||||
to represent the network. CIDR notation can also be used with
|
||||
hostnames, in this example of finding IP addresses on the same Class C
|
||||
network as 'sneezy':
|
||||
|
||||
ip.addr eq sneezy/24
|
||||
|
||||
The CIDR notation can only be used on IP addresses or hostnames, not in
|
||||
variable names. So, a display filter like "ip.src/24 == ip.dst/24" is
|
||||
not valid. (yet)
|
||||
|
||||
IPX networks are represented by unsigned 32-bit integers. Most likely
|
||||
you will be using hexadecimal when testing for IPX network values:
|
||||
|
||||
ipx.srcnet == 0xc0a82c00
|
||||
|
||||
A substring operator also exists. You can check the substring
|
||||
A slice operator also exists. You can check the substring
|
||||
(byte-string) of any protocol or field. For example, you can filter on
|
||||
the vendor portion of an ethernet address (the first three bytes) like
|
||||
this:
|
||||
|
||||
eth.src[0:3] == 00:00:83
|
||||
|
||||
Or more simply, since the number of bytes is inherent in the byte-string
|
||||
you provide, you can provide just the offset. The previous example can
|
||||
be stated like this:
|
||||
If the length of your byte-slice is only one byte, then it is still
|
||||
represented in hex, but without the preceding "0x":
|
||||
|
||||
eth.src[0] == 00:00:83
|
||||
llc[3] == aa
|
||||
|
||||
In fact, the only time you need to explicitly provide a length is when
|
||||
you don't provide a byte-string, and are comparing fields against
|
||||
fields:
|
||||
|
||||
fddi.src[0:3] == fddi.dst[0:3]
|
||||
|
||||
If the length of your byte-string is only one byte, then it must be
|
||||
represented in the same way as an unsigned 8-bit integer:
|
||||
|
||||
llc[3] == 0xaa
|
||||
|
||||
You can use the substring operator on a protocol name, too. And
|
||||
You can use the slice operator on a protocol name, too. And
|
||||
remember, the "frame" protocol encompasses the entire packet, allowing
|
||||
you to look at the nth byte of a packet regardless of its frame type
|
||||
(Ethernet, token-ring, etc.).
|
||||
|
@ -862,16 +833,28 @@ you to look at the nth byte of a packet regardless of its frame type
|
|||
ipx[0:2] == ff:ff
|
||||
llc[3:1] eq 0xaa
|
||||
|
||||
Offsets for byte-strings can also be negative, in which case the
|
||||
negative number indicates the number of bytes from the end of the field
|
||||
or protocol that you are testing. Here's how to check the last 4 bytes
|
||||
of a frame:
|
||||
|
||||
frame[-4] == 0.1.2.3
|
||||
The following syntax governs slices:
|
||||
|
||||
or
|
||||
[i:j] i = start_offset, j = length
|
||||
[i-j] i = start_offet, j = end_offset, inclusive.
|
||||
[i] i = start_offset, length = 1
|
||||
[:j] start_offset = 0, length = j
|
||||
[i:] start_offset = i, end_offset = end_of_field
|
||||
|
||||
|
||||
Offsets and lengths can be negative, in which case they indicate the offset from the
|
||||
*end* of the field. Here's how to check the last 4 bytes of a frame:
|
||||
|
||||
frame[-4:4] == 0.1.2.3
|
||||
or
|
||||
frame[-4:] == 0.1.2.3
|
||||
|
||||
|
||||
You can create complex concatenations of slices using the comma operator:
|
||||
|
||||
field[1,3-5,9:] == 01:03:04:05:09:0a:0b
|
||||
|
||||
|
||||
All the above tests can be combined together with logical expressions.
|
||||
These too are expressable in C-like syntax or with English-like
|
||||
|
@ -879,7 +862,6 @@ abbreviations:
|
|||
|
||||
and, && Logical AND
|
||||
or, || Logical OR
|
||||
xor, ^^ Logical XOR
|
||||
not, ! Logical NOT
|
||||
|
||||
Expressions can be grouped by parentheses as well. The following are
|
||||
|
|
Loading…
Reference in New Issue