From ba9ca69fe8b224464594325c81db5ef469358ea5 Mon Sep 17 00:00:00 2001 From: Gilbert Ramirez Date: Tue, 6 Mar 2001 18:38:47 +0000 Subject: [PATCH] Update doco re: display filters. Add config.h to dependencies for man pages so that correction VERSION number is in the man page. svn path=/trunk/; revision=3110 --- doc/Makefile.am | 11 ++++--- doc/ethereal.pod.template | 64 ++++++++++++++------------------------- 2 files changed, 30 insertions(+), 45 deletions(-) diff --git a/doc/Makefile.am b/doc/Makefile.am index 74c1c9e1ee..7d184702d4 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -1,7 +1,7 @@ # Makefile.am # Automake file for Ethereal documentation # -# $Id: Makefile.am,v 1.8 2000/07/28 20:03:59 gram Exp $ +# $Id: Makefile.am,v 1.9 2001/03/06 18:38:47 gram Exp $ # # Ethereal - Network traffic analyzer # By Gerald Combs @@ -22,7 +22,10 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -../ethereal.1: ethereal.pod +# We include dependencies on ../config.h in order to +# capture when $(VERSION) changes. + +../ethereal.1: ethereal.pod ../config.h pod2man ethereal.pod \ --center="The Ethereal Network Analyzer" \ --release=$(VERSION) \ @@ -31,7 +34,7 @@ ethereal.pod: ethereal.pod.template ../ethereal ../ethereal -G | $(PERL) $(srcdir)/dfilter2pod.pl $(srcdir)/ethereal.pod.template > ethereal.pod -../tethereal.1: tethereal.pod +../tethereal.1: tethereal.pod ../config.h pod2man tethereal.pod \ --center="The Ethereal Network Analyzer" \ --release=$(VERSION) \ @@ -40,7 +43,7 @@ ethereal.pod: ethereal.pod.template ../ethereal tethereal.pod: tethereal.pod.template ../tethereal ../tethereal -G | $(PERL) $(srcdir)/dfilter2pod.pl $(srcdir)/tethereal.pod.template > tethereal.pod -../editcap.1: editcap.pod +../editcap.1: editcap.pod ../config.h pod2man $(srcdir)/editcap.pod \ --center="The Ethereal Network Analyzer" \ --release=$(VERSION) \ 
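Review bot: The added `../config.h` prerequisite on `../ethereal.1` (and the same addition on `../tethereal.1` and `../editcap.1` in the two hunks that follow) stands in for `$(VERSION)`, but the new comment does not say that any change to config.h, not only a version bump, will now regenerate the man pages. I would word the comment as `# config.h is a proxy for $(VERSION): the man pages are rebuilt whenever config.h changes, for any reason.` Spelling the path as `$(top_builddir)/config.h` instead of `../config.h` would also keep the rules correct if doc/ is ever moved, although the targets in this file already rely on `..`. The pod2man recipes continue past the end of each hunk, so only the rule headers are visible here.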
diff --git a/doc/ethereal.pod.template b/doc/ethereal.pod.template
index aeb42aa8f7..ef474c77f7 100644
--- a/doc/ethereal.pod.template
+++ b/doc/ethereal.pod.template
@@ -807,53 +807,24 @@ eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order, so you do not have to worry about how the endianness of an IPv4 address when using it in a display filter. -Classless InterDomain Routing (CIDR) notation can be used to test if an -IPv4 address is in a certain subnet. For example, this display filter -will find all packets in the 129.111 Class-B network: - - ip.addr == 129.111.0.0/16 - -Remember, the number after the slash represents the number of bits used -to represent the network. CIDR notation can also be used with -hostnames, in this example of finding IP addresses on the same Class C -network as 'sneezy': - - ip.addr eq sneezy/24 - -The CIDR notation can only be used on IP addresses or hostnames, not in -variable names. So, a display filter like "ip.src/24 == ip.dst/24" is -not valid. (yet) - IPX networks are represented by unsigned 32-bit integers. Most likely you will be using hexadecimal when testing for IPX network values: ipx.srcnet == 0xc0a82c00 -A substring operator also exists. You can check the substring +A slice operator also exists. You can check the substring (byte-string) of any protocol or field. For example, you can filter on the vendor portion of an ethernet address (the first three bytes) like this: eth.src[0:3] == 00:00:83 -Or more simply, since the number of bytes is inherent in the byte-string -you provide, you can provide just the offset. 
The previous example can -be stated like this: +If the length of your byte-slice is only one byte, then it is still +represented in hex, but without the preceding "0x": - eth.src[0] == 00:00:83 + llc[3] == aa -In fact, the only time you need to explicitly provide a length is when -you don't provide a byte-string, and are comparing fields against -fields: - - fddi.src[0:3] == fddi.dst[0:3] - -If the length of your byte-string is only one byte, then it must be -represented in the same way as an unsigned 8-bit integer: - - llc[3] == 0xaa - -You can use the substring operator on a protocol name, too. And +You can use the slice operator on a protocol name, too. And remember, the "frame" protocol encompasses the entire packet, allowing you to look at the nth byte of a packet regardless of its frame type (Ethernet, token-ring, etc.). @@ -862,16 +833,28 @@ you to look at the nth byte of a packet regardless of its frame type ipx[0:2] == ff:ff llc[3:1] eq 0xaa -Offsets for byte-strings can also be negative, in which case the -negative number indicates the number of bytes from the end of the field -or protocol that you are testing. Here's how to check the last 4 bytes -of a frame: - frame[-4] == 0.1.2.3 +The following syntax governs slices: -or + [i:j] i = start_offset, j = length + [i-j] i = start_offet, j = end_offset, inclusive. + [i] i = start_offset, length = 1 + [:j] start_offset = 0, length = j + [i:] start_offset = i, end_offset = end_of_field + + +Offsets and lengths can be negative, in which case they indicate the offset from the +*end* of the field. Here's how to check the last 4 bytes of a frame: frame[-4:4] == 0.1.2.3 +or + frame[-4:] == 0.1.2.3 + + +You can create complex concatenations of slices using the comma operator: + + field[1,3-5,9:] == 01:03:04:05:09:0a:0b + All the above tests can be combined together with logical expressions. These too are expressable in C-like syntax or with English-like 
@@ -879,7 +862,6 @@ abbreviations: and, && Logical AND or, || Logical OR - xor, ^^ Logical XOR not, ! Logical NOT Expressions can be grouped by parentheses as well. The following are