dfilter: Add support for universal quantifiers

Adds the keywords "any" and "all" to implement the quantification to any existing relational operator. Filter: all tcp.port in {100, 2000..3000} Syntax tree: 0 ALL TEST_IN: 1 FIELD(tcp.port) 1 SET(#2): 2 FVALUE(100 <FT_UINT16>) 2 FVALUE(2000 <FT_UINT16>) .. FVALUE(3000 <FT_UINT16>) Instructions: 00000 READ_TREE tcp.port -> reg#0 00001 IF_FALSE_GOTO 5 00002 ALL_EQ reg#0 === 100 <FT_UINT16> 00003 IF_TRUE_GOTO 5 00004 ALL_IN_RANGE reg#0 in { 2000 <FT_UINT16> .. 3000 <FT_UINT16> } 00005 RETURN
author: João Valverde <j@v6e.pt> 2022-04-20 00:04:05 +0100
committer: João Valverde <j@v6e.pt> 2022-05-12 14:26:54 +0100
commit: b602911b31dc98a2b2c835f116396a7beb5fabbc (patch)
tree: 2c0ef0112836885e02db0f6f17df1581cfb1956e /doc
parent: 164f3ce9a28d85811dc86e20a48d2e84cfe06e2b (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/wireshark-filter.adoc b/doc/wireshark-filter.adoc
index 7a6b7339c0..02d9bbb07a 100644
--- a/doc/wireshark-filter.adoc
+++ b/doc/wireshark-filter.adoc
@@ -77,6 +77,16 @@ operators, their aliases and meaning:
         all_eq, ===   All fields must be equal
         any_ne, !==   Any fields must be not equal
 
+The operators "any" or "all" can be used with any comparison operator to make
+the test match any or all fields:
+
+    all tcp.port > 1024
+
+    any ip.addr != 1.1.1.1
+
+The "any" and "all" modifiers take precedence over comparison operators such
+as "===" and "any_eq".
+
 === Search and match operators
 
 Additional operators exist expressed only in English, not C-like syntax:
author	João Valverde <j@v6e.pt>	2022-04-20 00:04:05 +0100
committer	João Valverde <j@v6e.pt>	2022-05-12 14:26:54 +0100
commit	b602911b31dc98a2b2c835f116396a7beb5fabbc (patch)
tree	2c0ef0112836885e02db0f6f17df1581cfb1956e /doc
parent	164f3ce9a28d85811dc86e20a48d2e84cfe06e2b (diff)