author: João Valverde <j@v6e.pt> 2022-04-09 23:03:40 +0100
committer: A Wireshark GitLab Utility <gerald+gitlab-utility@wireshark.org> 2022-04-26 16:50:59 +0000
commit: 4f3f507eee84fbc19aeace72ab6abccfb4b3323b
tree: 96e8f5c9f723fb134d6dccb17a60437f19a88451 /doc/wireshark-filter.adoc
parent: c0170dad42b28bdbb7e3a8397e209069470e9387
dfilter: Add syntax to match specific layers in the protocol stack

Add support to display filters for matching a specific layer within a frame. Layers are counted sequentially up the protocol stack. Each protocol (dissector) that appears in the stack is one layer.

    LINK-LAYER#1 <-> IP#1 <-> TCP#1 <-> IP#2 <-> TCP#2 <-> etc.

The syntax allows for negative indexes and ranges with the usual semantics for slices (but note that counting starts at one):

    tcp.port#[2-4] == 1024

Matches layers 2 to 4 inclusive.

Fixes #3791.

Diffstat (limited to 'doc/wireshark-filter.adoc')
-rw-r--r-- doc/wireshark-filter.adoc 18
1 files changed, 18 insertions, 0 deletions
diff --git a/doc/wireshark-filter.adoc b/doc/wireshark-filter.adoc
index 308f708af5..7a6b7339c0 100644
--- a/doc/wireshark-filter.adoc
+++ b/doc/wireshark-filter.adoc
@@ -322,6 +322,24 @@ Slices can be combined. You can concatenate them using the comma operator:
This concatenates offset 1, offsets 3-5, and offset 9 to the end of the ftp
data.
+=== The layer operator
+
+A field can be restricted to a certain layer in the protocol stack using the
+layer operator (#), followed by a decimal number:
+
+ ip.addr#2 == 192.168.30.40
+
+matches only the inner (second) layer in the packet. Layers use simple stacking
+semantics and protocol layers are counted sequentially, so tcp#2 is the layer
+in the stack somewhere above tcp#1.
+
+For more complicates ranges the same syntax used with slices is valid:
+
+ tcp.port#[2-4]
+
+means layers number 2, 3 or 4 inclusive. The hash symbol is required to
+distinguish a layer range from a slice.
+
=== The membership operator
A field may be checked for matches against a set of values simply with the
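Review bot: The new "=== The layer operator" section documents only a single positive index ("followed by a decimal number") and the [2-4] range, while the commit message says the syntax also accepts negative indexes and that counting starts at one; neither point appears in the added text. Suggest adding one sentence stating that layer numbers start at 1 and one showing a negative index and which end of the stack it counts from. In "For more complicates ranges", "complicates" should be "complicated". The sentence after ip.addr#2, "matches only the inner (second) layer in the packet", can be read as the second layer of the whole frame rather than the second IP layer; wording such as "the second IP layer" would agree with the tcp#2/tcp#1 sentence that follows it.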