author | João Valverde <j@v6e.pt> | 2022-04-04 16:52:11 +0100 |
---|---|---|
committer | João Valverde <j@v6e.pt> | 2022-04-08 23:12:04 +0100 |
commit | fb9a176587454e8168c2ba068d5701332638109c (patch) | |
tree | a33c89aacf2b52cb122308d4ff718e76b5eefc6d /doc | |
parent | 73770c61b42577e0c8ad8c8bea5623fec746d0d5 (diff) |
dfilter: Allow grouping arithmetical expressions with { }

This removes the limitation of having only two terms in an
arithmetic expression and allows setting the precedence using
curly braces (like any basic calculator).

Our grammar currently does not allow grouping arithmetic expressions
using parentheses, because boolean expressions and arithmetic
expressions are different and parentheses are used with the former.

Diffstat (limited to 'doc')
-rw-r--r-- | doc/wireshark-filter.adoc | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/doc/wireshark-filter.adoc b/doc/wireshark-filter.adoc index 048a822529..302477032a 100644 --- a/doc/wireshark-filter.adoc +++ b/doc/wireshark-filter.adoc @@ -399,8 +399,7 @@ have the same number of bytes as the slice itself, as in: === Arithmetic operators -Simple arithmetic expressions are available. The following operators are -supported: +Arithmetic expressions are supported with the usual operators: + Addition - Subtraction @@ -413,6 +412,17 @@ equal by one to the source port with the expression: udp.dstport >= udp.srcport + 1 +It is possible to group arithmetic expressions using curly brackets (parenthesis +will not work for this): + + tcp.dstport >= 4 * {tcp.srcport + 3} + +Do not confuse this usage of curly brackets with set membership. + +An unfortunate quirk in the filter syntax is that the subtraction operator +must be preceded by a space character, so "A-B" must be written as "A -B" +or "A - B". + === Protocol field references A variable using a sigil with the form ${some.proto.field} is called a field |
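Review bot: In the second hunk (@@ -413,6 +412,17), the sentence "Do not confuse this usage of curly brackets with set membership" names the ambiguity without showing it; consider placing a set-membership filter next to `tcp.dstport >= 4 * {tcp.srcport + 3}` so the two uses of `{ }` can be compared directly. In the same hunk, "parenthesis will not work for this" should read "parentheses", and the subtraction paragraph says "A-B" must be written as "A -B" or "A - B" without saying what the unspaced form does (a syntax error, or a different parse), which is what someone debugging a filter that matches nothing needs to know. The added text also never states the default precedence between the operators, although the example only makes sense if `*` would otherwise bind before `+`; one sentence on that would complete the section.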