From Gilbert Ramirez: When filtering on a single-byte byte-array-slice, using a normal hex string would be nice

svn path=/trunk/; revision=41232
author: Anders Broman <anders.broman@ericsson.com> 2012-02-29 05:58:45 +0000
committer: Anders Broman <anders.broman@ericsson.com> 2012-02-29 05:58:45 +0000
commit: 7f96d94b7c97ba890ba90dd4c55b5d231fd08262 (patch)
tree: 0ff1426afad5cc2f09ab13b46528de9b865d611c /doc/wireshark-filter.pod
parent: 9bdde5216f3ec31d4a02329423708288c57329c3 (diff)
1 files changed, 12 insertions, 1 deletions
diff --git a/doc/wireshark-filter.pod b/doc/wireshark-filter.pod
index c91eb35143..2a878680e6 100644
--- a/doc/wireshark-filter.pod
+++ b/doc/wireshark-filter.pod
@@ -253,7 +253,18 @@ or
 
     frame[-4:] == 0.1.2.3
 
-You can concatenate slices using the comma operator:
+A slice is alwasy compared against either a string or a byte sequence.
+As a special case, when the slice is only 1 byte wide, you can compare
+it against a hex integer that 0xff or less (which means it fits inside
+one byte). This is not allowed for byte sequences greater than one byte,
+because then one would need to specify the endianness of the multi-byte
+integer. Also, this is not allowed for decimal numbers, since they
+would be confused with hex numbers that are already allowed as
+byte strings. Neverthelss, single-byte hex integers can be convienent:
+
+    frame[4] == 0xff
+
+Slices can be combined. You can concatenate them using the comma operator:
 
     ftp[1,3-5,9:] == 01:03:04:05:09:0a:0b
author	Anders Broman <anders.broman@ericsson.com>	2012-02-29 05:58:45 +0000
committer	Anders Broman <anders.broman@ericsson.com>	2012-02-29 05:58:45 +0000
commit	7f96d94b7c97ba890ba90dd4c55b5d231fd08262 (patch)
tree	0ff1426afad5cc2f09ab13b46528de9b865d611c /doc/wireshark-filter.pod
parent	9bdde5216f3ec31d4a02329423708288c57329c3 (diff)