From c3013565b14df28251bd2f51c1af9418833996e4 Mon Sep 17 00:00:00 2001 From: Uli Heilmeier Date: Mon, 23 Jan 2017 21:58:10 +0100 Subject: WSUG: Display filter: add matches, contains, bitwise_and Added examples for the matches, contains and bitwise_and operators. Most of the text and the examples have been taken from the wiki and the wireshark-filter manpage. Bug: 13320 Change-Id: Icd9a325c05ecd4ecd1cbde8162a4c88cae335d1d Reviewed-on: https://code.wireshark.org/review/19758 Reviewed-by: Anders Broman --- docbook/wsug_src/WSUG_chapter_work.asciidoc | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/docbook/wsug_src/WSUG_chapter_work.asciidoc b/docbook/wsug_src/WSUG_chapter_work.asciidoc index 22713256c3..6047e2ad45 100644 --- a/docbook/wsug_src/WSUG_chapter_work.asciidoc +++ b/docbook/wsug_src/WSUG_chapter_work.asciidoc @@ -292,6 +292,9 @@ You can use English and C-like terms in the same way, they can even be mixed in |lt |< |Less than. `frame.len < 128` |ge |>= |Greater than or equal to. `frame.len ge 0x100` |le |\<= |Less than or equal to. `frame.len <= 0x20` +|contains||Protocol, field or slice contains a value. `sip.To contains "a1762"` +|matches|~|Protocol or text field match Perl regualar expression. `http.host matches "acme\.(org\|com\|net)"` +|bitwise_and|&|Compare bit field value. `tcp.flags & 0x02` |=============== In addition, all protocol fields have a type. <> provides a list 
@@ -350,6 +353,28 @@ IPv6 address:: Text string:: +http.request.uri == "https://www.wireshark.org/"+ +---- +udp contains 81:60:03 +---- +The example above match packets that contains the 3-byte sequence 0x81, 0x60, +0x03 anywhere in the UDP header or payload. +---- +sip.To contains "a1762" +---- +Above example match packets where SIP To-header contains the string "a1762" +anywhere in the header. +---- +http.host matches "acme\.(org|com|net)" +---- +The example above match HTTP packets where the HOST header contains acme.org or acme.com +or acme.net. Note: Wireshark needs to be built with libpcre in order to be able to use the ++matches+ resp. +~+ operator. +---- +tcp.flags & 0x02 +---- +That expression will match all packets that contain a "tcp.flags" field with the 0x02 bit, +i.e. the SYN bit, set. + ==== Combining expressions You can combine filter expressions in Wireshark using the logical operators shown in <> -- cgit v1.2.1
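Review bot: The new `matches` row in the operator table (first hunk) has a typo and a number-agreement error: "Protocol or text field match Perl regualar expression." should read "Protocol or text field matches a Perl-compatible regular expression." The escaped pipes in `acme\.(org\|com\|net)` are correct for an AsciiDoc table cell (a bare `|` would start a new column), so only the description text needs fixing; the `contains` row correctly leaves the C-like column empty since it has no symbolic alias.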
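Review bot: The explanatory sentences added after the listing blocks in the second hunk need grammar fixes, and the four examples are dropped straight after the "Text string::" entry with nothing introducing them, so they read as if they belong to that one field type. Suggest a short lead sentence before the first `----` block (for example "Some examples of the `contains`, `matches` and `&` operators:") and rewording the descriptions to "The example above matches packets that contain the 3-byte sequence ...", "The example above matches packets where the SIP To header contains the string ...", "The example above matches HTTP packets where the Host header contains ...", replacing "resp." with "or" in "+matches+ resp. +~+ operator". Since the commit message says this text was taken from the wiki, also confirm that the "built with libpcre" note still reflects the regex engine the current build actually depends on before committing it to the user guide.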