author Dario Lombardo <lomato@gmail.com> 2019-01-06 10:34:32 +0100
committer Peter Wu <peter@lekensteyn.nl> 2019-01-14 16:00:29 +0000
commit c3d198c401d5ec17289159cc88e2f891070e7779
tree fee286134f8799ecc84211baf6099ab204876338 /doc/wireshark-filter.pod
parent 252938ed253846671a101f6b3f3e90354be3e4b2
dfilter: add string() function.

This function can convert non-string fields into strings. This allows the user to apply string functions (like contains and matches) to non-string fields.

Examples:

string(frame.number) matches "[13579]$" => for odd frames
string(eth.dst) matches "aa\.bb\.cc\.dd\.ee\..." => to match a group of stations
string(snmp.name) matches "^1.2.3.4" => for all OIDs under a specific node

Change-Id: I18173f50ba5314ecdcd1e4b66c7e8ba5b44257ee
Reviewed-on: https://code.wireshark.org/review/31427
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Diffstat (limited to 'doc/wireshark-filter.pod')
-rw-r--r-- doc/wireshark-filter.pod 10
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/wireshark-filter.pod b/doc/wireshark-filter.pod
index 98e5c60383..b3d7d2cc04 100644
--- a/doc/wireshark-filter.pod
+++ b/doc/wireshark-filter.pod
@@ -103,6 +103,7 @@ The filter language has the following functions:
lower(string-field) - converts a string field to lowercase
len(field) - returns the byte length of a string or bytes field
count(field) - returns the number of field occurrences in a frame
+ string(field) - converts a non-string field to string
upper() and lower() are useful for performing case-insensitive string
comparisons. For example:
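Review bot: The new list entry "string(field) - converts a non-string field to string" does not follow the convention used by the neighbouring entries, where the argument name carries the type restriction (as in "lower(string-field)"). Consider wording it as "converts a non-string field to a string" and hinting in the argument name or the summary that string and bytes fields are not accepted, so a reader scanning only this list does not try string() on a field that len() would take.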
@@ -110,6 +111,15 @@ comparisons. For example:
upper(ncp.nds_stream_name) contains "MACRO"
lower(mount.dump.hostname) == "angel"
+string() converts a field value to a string, suitable for use with operators like
+"matches" or "contains". Integer fields are converted to their decimal representation.
+It can be used with IP/Ethernet addresses (as well as others), but not with string or
+byte fields. For example:
+
+ string(frame.number) matches "[13579]$"
+
+gives you all the odd packets.
+
=head2 Protocol field types
Each protocol field is typed. The types are:
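Review bot: The added paragraph defines the output format only for integer fields (decimal), although it says string() also works on "IP/Ethernet addresses (as well as others)". Anyone writing a "matches" pattern against an address needs to know the exact text produced, including the separator and the hex case, so the representation for address types should be documented, ideally with one address example next to the frame.number one. The paragraph also says string() cannot be used with string or byte fields without saying what the user sees when they try, which is worth a sentence. Minor wording: "gives you all the odd packets" would be clearer as "matches all odd-numbered frames".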