diff options
| author | Gerald Combs <gerald@wireshark.org> | 2022-06-07 17:01:36 -0700 |
|---|---|---|
| committer | A Wireshark GitLab Utility <gerald+gitlab-utility@wireshark.org> | 2022-06-08 17:21:58 +0000 |
| commit | 8fa64a4773ffbe6e2ee931eaf9d27d7764e9d0bf (patch) | |
| tree | d7b088db8a1e041ac7bcff77095b1f6a69cecf7d /doc/wireshark-filter.adoc | |
| parent | 4015522162ec8b49bb67eb965bd8b3d11af84424 (diff) | |
Docs: Note that display filter layer numbers start at 1.
Diffstat (limited to 'doc/wireshark-filter.adoc')
| -rw-r--r-- | doc/wireshark-filter.adoc | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/doc/wireshark-filter.adoc b/doc/wireshark-filter.adoc index 002eabd3de..0e534303f7 100644 --- a/doc/wireshark-filter.adoc +++ b/doc/wireshark-filter.adoc @@ -339,11 +339,11 @@ layer operator (#), followed by a decimal number: ip.addr#2 == 192.168.30.40 -matches only the inner (second) layer in the packet. Layers use simple stacking -semantics and protocol layers are counted sequentially, so tcp#2 is the layer -in the stack somewhere above tcp#1. +matches only the inner (second) layer in the packet. +Layers use simple stacking semantics and protocol layers are counted sequentially starting from 1. +For example, in a packet that contains two IPv4 headers, the outer (first) source address can be matched with "ip.src#1" and the inner (second) source address can be matched with "ip.src#2". -For more complicates ranges the same syntax used with slices is valid: +For more complicated ranges the same syntax used with slices is valid: tcp.port#[2-4] @@ -456,7 +456,7 @@ Do not confuse this usage of curly brackets with set membership. An unfortunate quirk in the filter syntax is that the subtraction operator must be preceded by a space character, so "A-B" must be written as "A -B" or "A - B". - + === Protocol field references A variable using a sigil with the form ${some.proto.field} is called a field |