authorGuy Harris <guy@alum.mit.edu>2019-09-01 13:16:36 -0700
committerGuy Harris <guy@alum.mit.edu>2019-09-01 21:09:55 +0000
Fix the section on Boolean fields to match reality.
Confusing though it might be, a patch-matching expression containing only the name of a Boolean field matches all packets containing that field, regardless of whether the field is true or false; you need to compare the field against 1 to check whether it's true. Change-Id: I615acc4d71964c8474e6f3655ade8814cbe07b22 Reviewed-on: https://code.wireshark.org/review/34422 Petri-Dish: Guy Harris <guy@alum.mit.edu> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <guy@alum.mit.edu>
decimal, octal, or hexadecimal.
- A boolean field is present in the protocol decode only if its value is true. For
- example, `tcp.flags.syn` is present, and thus true, only if the SYN flag is
- present in a TCP segment header.
- The filter expression `tcp.flags.syn` will select only those packets for which
- this flag exists, that is, TCP segments where the segment header contains the
- SYN flag. Similarly, to find source-routed token ring packets, use a filter
- expression of `tr.sr`.
+ Can be 1, if true, or 0, if false.
+ Because an expression containing a field name, but not comparing it
+ with a value, matches all packets that contain that field, an
+ expression such as `tcp.flags.syn` will match all TCP segments
+ containing the flags field, regardless of whether the SYN flag is set.
+ To match only TCP segments in which the SYN flag is set, the
+ expression `tcp.flags.syn == 1` must be used. Similarly, to find
+ source-routed token ring packets, a filter expression of `tr.sr == 1`
+ must be used; `tr.sr` will match all packets not cut short before the
+ source-routed flag.
Ethernet address::
6 bytes separated by a colon (:), dot (.) or dash (-) with one or two bytes between separators: