author | Guy Harris <guy@alum.mit.edu> | 2016-09-18 18:48:50 -0700 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 2016-09-19 02:51:13 +0000 |
commit | d7fe514fc05e95e3a99fd211768de5abdc3f6486 (patch) | |
tree | 68b3e2a24ee11c7dd223089bc9a21ac9ccae302b /doc/wireshark-filter.pod | |
parent | 630b64613567c268b2b08966707c81d3ec8661a5 (diff) | |
download | wireshark-d7fe514fc05e95e3a99fd211768de5abdc3f6486.tar.gz |

Improve support for single-character fields and filter expressions.

Add an FT_CHAR type, which is like FT_UINT8 except that the value is
displayed as a C-style character constant.

Allow use of C-style character constants in filter expressions; they can
be used in comparisons with all integral types, and in "contains"
operators.

Use that type for some fields that appear (based on the way they're
displayed, or on the use of C-style character constants in their
value_string tables) to be 1-byte characters rather than 8-bit numbers.

Change-Id: I39a9f0dda0bd7f4fa02a9ca8373216206f4d7135
Reviewed-on: https://code.wireshark.org/review/17787
Reviewed-by: Guy Harris <guy@alum.mit.edu>

Diffstat (limited to 'doc/wireshark-filter.pod')
-rw-r--r-- | doc/wireshark-filter.pod | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/doc/wireshark-filter.pod b/doc/wireshark-filter.pod index db7ba219ba..6ad3874c04 100644 --- a/doc/wireshark-filter.pod +++ b/doc/wireshark-filter.pod @@ -61,7 +61,8 @@ Additional operators exist expressed only in English, not C-like syntax: The "contains" operator allows a filter to search for a sequence of characters, expressed as a string (quoted or unquoted), or bytes, -expressed as a byte array. For example, to search for a given HTTP +expressed as a byte array, or for a single character, expressed as a +C-style character constant. For example, to search for a given HTTP URL in a capture, the following filter can be used: http contains "https://www.wireshark.org" @@ -120,13 +121,18 @@ Each protocol field is typed. The types are: Signed integer, 1, 2, 3, 4, or 8 bytes Time offset Unsigned integer, 1, 2, 3, 4, or 8 bytes + 1-byte ASCII character -An integer may be expressed in decimal, octal, or hexadecimal notation. -The following three display filters are equivalent: +An integer may be expressed in decimal, octal, or hexadecimal notation, +or as a C-style character constant. The following six display filters +are equivalent: frame.pkt_len > 10 frame.pkt_len > 012 frame.pkt_len > 0xa + frame.pkt_len > '\n' + frame.pkt_len > '\xa' + frame.pkt_len > '\012' Boolean values are either true or false. In a display filter expression testing the value of a Boolean field, "true" is expressed as 1 or any |
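
Review bot: In the first hunk (@@ -61,7 +61,8), the "contains" paragraph now says a single character can be given as a C-style character constant, but the example that follows is still only the quoted-string URL filter. Add a second example line that uses a character constant so readers can see the quoting. The sentence also now chains "or bytes, expressed as a byte array, or for a single character", which would read more clearly as a three-item list.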
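
Review bot: In the second hunk (@@ -120,13 +121,18), the added type entry "1-byte ASCII character" and the three new filters ('\n', '\xa', '\012') do not say which escape forms are accepted or what range of values a character constant may hold. The commit message describes FT_CHAR as like FT_UINT8, so the text should state whether values above 0x7f are valid and whether "ASCII" is meant literally. The new entry is also appended after "Unsigned integer", while the visible neighbouring entries (Signed integer, Time offset, Unsigned integer) run alphabetically; consider placing it to match.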