Update doco re: display filters.

Add config.h to dependencies for man pages so that correction VERSION number is in the man page. svn path=/trunk/; revision=3110
2001-03-06 18:38:47 +00:00 · 2001-03-06 18:38:47 +00:00 · ba9ca69fe8
parent 697cd22723
commit ba9ca69fe8
2 changed files with 30 additions and 45 deletions
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@ -1,7 +1,7 @@
 # Makefile.am
 # Automake file for Ethereal documentation
 #
-# $Id: Makefile.am,v 1.8 2000/07/28 20:03:59 gram Exp $
+# $Id: Makefile.am,v 1.9 2001/03/06 18:38:47 gram Exp $
 #
 # Ethereal - Network traffic analyzer
 # By Gerald Combs <gerald@zing.org>
@ -22,7 +22,10 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.

-../ethereal.1: ethereal.pod
+# We include dependencies on ../config.h in order to
+# capture when $(VERSION) changes.
+
+../ethereal.1: ethereal.pod ../config.h
 	pod2man ethereal.pod                     \
 	--center="The Ethereal Network Analyzer" \
 	--release=$(VERSION)			 \
@ -31,7 +34,7 @@
 ethereal.pod: ethereal.pod.template  ../ethereal
 	../ethereal -G | $(PERL) $(srcdir)/dfilter2pod.pl $(srcdir)/ethereal.pod.template > ethereal.pod

-../tethereal.1: tethereal.pod
+../tethereal.1: tethereal.pod ../config.h
 	pod2man tethereal.pod                     \
 	--center="The Ethereal Network Analyzer" \
 	--release=$(VERSION)			 \
@ -40,7 +43,7 @@ ethereal.pod: ethereal.pod.template  ../ethereal
 tethereal.pod: tethereal.pod.template  ../tethereal
 	../tethereal -G | $(PERL) $(srcdir)/dfilter2pod.pl $(srcdir)/tethereal.pod.template > tethereal.pod

-../editcap.1: editcap.pod
+../editcap.1: editcap.pod ../config.h
 	pod2man $(srcdir)/editcap.pod                     \
 	--center="The Ethereal Network Analyzer" \
 	--release=$(VERSION)			 \
--- a/doc/ethereal.pod.template
+++ b/doc/ethereal.pod.template
@ -807,53 +807,24 @@ eq, ne, gt, ge, lt, and le.  The IPv4 address is stored in host order,
 so you do not have to worry about how the endianness of an IPv4 address
 when using it in a display filter.

-Classless InterDomain Routing (CIDR) notation can be used to test if an
-IPv4 address is in a certain subnet.  For example, this display filter
-will find all packets in the 129.111 Class-B network:
-
-    ip.addr == 129.111.0.0/16
-
-Remember, the number after the slash represents the number of bits used
-to represent the network.  CIDR notation can also be used with
-hostnames, in this example of finding IP addresses on the same Class C
-network as 'sneezy':
-
-    ip.addr eq sneezy/24
-
-The CIDR notation can only be used on IP addresses or hostnames, not in
-variable names.  So, a display filter like "ip.src/24 == ip.dst/24" is
-not valid.  (yet)
-
 IPX networks are represented by unsigned 32-bit integers.  Most likely
 you will be using hexadecimal when testing for IPX network values:

    ipx.srcnet == 0xc0a82c00

-A substring operator also exists.  You can check the substring
+A slice operator also exists.  You can check the substring
 (byte-string) of any protocol or field.  For example, you can filter on
 the vendor portion of an ethernet address (the first three bytes) like
 this:

    eth.src[0:3] == 00:00:83

-Or more simply, since the number of bytes is inherent in the byte-string
-you provide, you can provide just the offset.  The previous example can
-be stated like this:
+If the length of your byte-slice is only one byte, then it is still
+represented in hex, but without the preceding "0x": 

-    eth.src[0] == 00:00:83
+    llc[3] == aa

-In fact, the only time you need to explicitly provide a length is when
-you don't provide a byte-string, and are comparing fields against
-fields:
-
-    fddi.src[0:3] == fddi.dst[0:3]
-
-If the length of your byte-string is only one byte, then it must be
-represented in the same way as an unsigned 8-bit integer:
-
-    llc[3] == 0xaa
-
-You can use the substring operator on a protocol name, too.  And
+You can use the slice operator on a protocol name, too.  And
 remember, the "frame" protocol encompasses the entire packet, allowing
 you to look at the nth byte of a packet regardless of its frame type
 (Ethernet, token-ring, etc.).
@ -862,16 +833,28 @@ you to look at the nth byte of a packet regardless of its frame type
    ipx[0:2] == ff:ff
    llc[3:1] eq 0xaa

-Offsets for byte-strings can also be negative, in which case the
-negative number indicates the number of bytes from the end of the field
-or protocol that you are testing.  Here's how to check the last 4 bytes
-of a frame:

-    frame[-4] == 0.1.2.3
+The following syntax governs slices:

-or
+	[i:j]	i = start_offset, j = length
+	[i-j]	i = start_offet, j = end_offset, inclusive.
+	[i]	i = start_offset, length = 1
+	[:j]	start_offset = 0, length = j
+	[i:]	start_offset = i, end_offset = end_of_field
+
+
+Offsets and lengths can be negative, in which case they indicate the offset from the
+*end* of the field.  Here's how to check the last 4 bytes of a frame:

    frame[-4:4] == 0.1.2.3
+or
+    frame[-4:] == 0.1.2.3
+
+
+You can create complex concatenations of slices using the comma operator:
+
+	field[1,3-5,9:] == 01:03:04:05:09:0a:0b
+

 All the above tests can be combined together with logical expressions. 
 These too are expressable in C-like syntax or with English-like
@ -879,7 +862,6 @@ abbreviations:

    and, &&   Logical AND
    or, ||    Logical OR
-    xor, ^^   Logical XOR
    not, !    Logical NOT

 Expressions can be grouped by parentheses as well.  The following are