dfilter: make spaces around ".." optional in display filter

For numeric values such as port numbers, "4430..4434" looks more
natural than "4430 .. 4434", so support that.

To make this possible, the display filter syntax needs to be restricted.
Assume that neither field names nor values can contain "..". The display
filter `data contains ..` will now be considered a syntax error and must
be written as `data contains ".."` instead. More generally, all values
that contain ".." must be quoted.

Other than the ".." restriction, the scanner deliberately accepts more
characters that can potentially form invalid input. This is to prevent
accidentally splitting input in multiple tokens.  For example, "9.2." in
"frame.time_delta in {9.2.}" is currently parsed as one token and then
rejected because it cannot be parsed as time. If the scanner was made
stricter, it could treat it as two tokens (floats), "9." and "2." which
has different meaning for the set membership operator.

An unhandled edge case is "1....2" which is parsed as "1 .. ..  2" but
could have been parsed as "1. .. .2" instead. A float with trailing dots
followed by ".." seems sufficiently weird, so rejection is fine.

Ping-Bug: 14180
Change-Id: Ibad8e851b49346c9d470f09d5d6a54defa21bcb9
Reviewed-on: https://code.wireshark.org/review/26960
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

5 files changed, 21 insertions, 9 deletions

diff --git a/doc/wireshark-filter.pod b/doc/wireshark-filter.pod
index 84754ec173..c54e4ca353 100644
--- a/doc/wireshark-filter.pod
+++ b/doc/wireshark-filter.pod
@@ -294,8 +294,8 @@ To find HTTP requests using the HEAD or GET methods:
 
 The set of values can also contain ranges:
 
-    tcp.port in {443 4430 .. 4434}
-    ip.addr in {10.0.0.5 .. 10.0.0.9 192.168.1.1 .. 192.168.1.9}
+    tcp.port in {443 4430..4434}
+    ip.addr in {10.0.0.5 .. 10.0.0.9 192.168.1.1..192.168.1.9}
     frame.time_delta in {10 .. 10.5}
 
 =head2 Type conversions
diff --git a/docbook/release-notes.asciidoc b/docbook/release-notes.asciidoc
index 0c80e1bcee..f8bc5934af 100644
--- a/docbook/release-notes.asciidoc
+++ b/docbook/release-notes.asciidoc
@@ -40,7 +40,7 @@ The following features are new (or have been significantly updated)
 since version 2.6.0:
 
 * The membership operator now supports ranges, allowing display filters such as
-  `tcp.port in {4430 .. 4434}` to be expressed. See the User's Guide, chapter
+  `tcp.port in {4430..4434}` to be expressed. See the User's Guide, chapter
   _Building display filter expressions_ for details.
 
 //=== Removed Dissectors
diff --git a/docbook/wsug_src/WSUG_chapter_work.asciidoc b/docbook/wsug_src/WSUG_chapter_work.asciidoc
index 57268b1502..473673b8d1 100644
--- a/docbook/wsug_src/WSUG_chapter_work.asciidoc
+++ b/docbook/wsug_src/WSUG_chapter_work.asciidoc
@@ -442,7 +442,7 @@ tcp.port == 80 || tcp.port == 443 || tcp.port == 8080
 
 The set of values can also contain ranges:
 ----
-tcp.port in {443 4430 .. 4434}
+tcp.port in {443 4430..4434}
 ----
 This is not merely a shortcut for `tcp.port == 443 || (tcp.port >= 4430 &&
 tcp.port <= 4434)`. Comparison operators are usually satisfied when any field
@@ -453,7 +453,7 @@ membership operator instead tests the same field against the range condition.
 Sets are not just limited to numbers, other types can be used as well:
 ----
 http.request.method in {"HEAD" "GET"}
-ip.addr in {10.0.0.5 .. 10.0.0.9 192.168.1.1 .. 192.168.1.9}
+ip.addr in {10.0.0.5 .. 10.0.0.9 192.168.1.1..192.168.1.9}
 frame.time_delta in {10 .. 10.5}
 ----
 
diff --git a/epan/dfilter/scanner.l b/epan/dfilter/scanner.l
index 744615a0ec..b53be6f1f3 100644
--- a/epan/dfilter/scanner.l
+++ b/epan/dfilter/scanner.l
@@ -339,11 +339,18 @@ static void mark_lval_deprecated(const char *s);
         return set_lval(TOKEN_UNPARSED, yytext);
 }
 
-[-\+[:alnum:]_.:]+	{
-	/* Is it a field name? */
+		([.][-+[:alnum:]_:]+)+[.]{0,2} |
+[-+[:alnum:]_:]+([.][-+[:alnum:]_:]+)*[.]{0,2} {
+	/* Is it a field name or some other value (float, integer, bytes, ...)? */
 	header_field_info *hfinfo;
 	df_func_def_t *df_func_def;
 
+	/* Trailing dot is allowed for floats, but make sure that trailing ".."
+	 * is interpreted as a token on its own. */
+	if (strstr(yytext, "..")) {
+		yyless(yyleng-2);
+	}
+
 	hfinfo = proto_registrar_get_byname(yytext);
 	if (hfinfo) {
 		/* Yes, it's a field name */
diff --git a/tools/dftestlib/membership.py b/tools/dftestlib/membership.py
index f61bdd5cf8..a52ac9fe03 100644
--- a/tools/dftestlib/membership.py
+++ b/tools/dftestlib/membership.py
@@ -13,7 +13,7 @@ class testMembership(dftest.DFTest):
         self.assertDFilterCount(dfilter, 1)
 
     def test_membership_2_range_match(self):
-        dfilter = 'tcp.port in {80 .. 81}'
+        dfilter = 'tcp.port in {80..81}'
         self.assertDFilterCount(dfilter, 1)
 
     def test_membership_3_range_no_match(self):
@@ -38,5 +38,10 @@ class testMembership(dftest.DFTest):
         self.assertDFilterCount(dfilter, 1)
 
     def test_membership_8_ip_range(self):
-        dfilter = 'ip.addr in { 10.0.0.5 .. 10.0.0.9 }'
+        dfilter = 'ip.addr in { 10.0.0.5 .. 10.0.0.9 10.0.0.1..10.0.0.1 }'
         self.assertDFilterCount(dfilter, 1)
+
+    def test_membership_9_range_weird_float(self):
+        # expression should be parsed as "0.1 .. .7"
+        dfilter = 'frame.time_delta in {0.1...7}'
+        self.assertDFilterCount(dfilter, 0)