author: Peter Wu <peter@lekensteyn.nl> 2018-04-25 12:09:15 +0200
committer: Anders Broman <a.broman58@gmail.com> 2018-04-25 19:57:15 +0000
commit: e39a30b691a02d1939a50c667b2a83634fb25ceb (patch)
tree: 6f03b6551207cdbff357f803e4beef8f2aa4f1b5 /docbook
parent: 0a0cb440248c3af3c35354a8cf4135e5fced5ada (diff)
Document "len" and "count" in wireshark-filter(4) and WSUG
Add missing section on display filter functions to WSUG and make it
consistent with the wireshark-filter(4) manual.

"count" was added in Wireshark 1.12 (bug 9480). "len" was added in
Wireshark 1.6.x. "size" (added in 1.8.x) is not documented since it works
like "len", except that it is not limited to strings and byte arrays. I
think that "len" should be extended to other types while removing "size".

Change-Id: I2c8e2b4a11f007de7852a797bed971af86840b47
Reviewed-on: https://code.wireshark.org/review/27146
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'docbook')
-rw-r--r-- docbook/wsug_src/WSUG_chapter_work.asciidoc | 33
1 files changed, 30 insertions, 3 deletions
diff --git a/docbook/wsug_src/WSUG_chapter_work.asciidoc b/docbook/wsug_src/WSUG_chapter_work.asciidoc
index 473673b8d1..46e08c001c 100644
--- a/docbook/wsug_src/WSUG_chapter_work.asciidoc
+++ b/docbook/wsug_src/WSUG_chapter_work.asciidoc
@@ -387,11 +387,11 @@ You can combine filter expressions in Wireshark using the logical operators sho
|or |\|\| | Logical OR. `ip.scr==10.0.0.5 or ip.src==192.1.1.1`
|xor |^^ | Logical XOR. `tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29`
|not |! | Logical NOT. `not llc`
-|[...] | | See “Substring Operator” below.
+|[...] | | See “Slice Operator” below.
|in | | See “Membership Operator” below.
|===============
-==== Substring Operator
+==== Slice Operator
Wireshark allows you to select subsequences of a sequence in rather elaborate
ways. After a label you can place a pair of brackets [] containing a comma
separated list of range specifiers.
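Review bot: renaming the heading from `==== Substring Operator` to `==== Slice Operator` also changes its AsciiDoc auto-generated section id, because this heading carries no explicit anchor of the kind used further down at `[[ChWorkBuildDisplayFilterMistake]]`; any existing link to the old id breaks silently, so either add an explicit anchor above the new heading or confirm nothing references the old one. While this table is being touched, the unchanged example two lines above, `ip.scr==10.0.0.5 or ip.src==192.1.1.1`, has a typo (`ip.scr` for `ip.src`) that would be worth fixing in the same change.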
@@ -427,7 +427,7 @@ eth.src[0:3,1-2,:4,4:,2] ==
Wireshark allows you to string together single ranges in a comma separated list
to form compound ranges as shown above.
-==== Membership Operator.
+==== Membership Operator
Wireshark allows you to test a field for membership in a set of values or
fields. After the field name, use the in operator followed by the set items
surrounded by braces {}.
@@ -457,6 +457,33 @@ ip.addr in {10.0.0.5 .. 10.0.0.9 192.168.1.1..192.168.1.9}
frame.time_delta in {10 .. 10.5}
----
+==== Functions
+
+The display filter language has a number of functions to convert fields, see
+<<DispFunctions>>.
+
+[[DispFunctions]]
+.Display Filter Functions
+[options="header",cols="1,4"]
+|===============
+|Function|Description
+|upper |Converts a string field to uppercase.
+|lower |Converts a string field to lowercase.
+|len |Returns the byte length of a string or bytes field.
+|count |Returns the number of field occurrences in a frame.
+|===============
+
+The `upper` and `lower` functions can used to force case-insensitive matches:
+`lower(http.server) contains "apache"`.
+
+To find HTTP requests with long request URIs: `len(http.request.uri) > 100`.
+Note that the `len` function yields the string length in bytes rather than
+(multi-byte) characters.
+
+Usually an IP frame has only two addresses (source and destination), but in case
+of ICMP errors or tunneling, a single packet might contain even more addresses.
+These packets can be found with `count(ip.addr) > 2`.
+
[[ChWorkBuildDisplayFilterMistake]]
==== A Common Mistake
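Review bot: the added sentence `+The \`upper\` and \`lower\` functions can used to force case-insensitive matches:` is missing a verb and should read "can be used". Also, the new intro `+The display filter language has a number of functions to convert fields, see` describes all entries as conversion functions, but two of the four rows in the new table (`len`, `count`) return a length or an occurrence count rather than converting anything; "functions that operate on fields" would cover all four and match the commit message.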