author | Jeffrey Smith <whydoubt@gmail.com> | 2015-08-18 22:03:41 -0500 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2015-09-11 06:31:33 +0000 |
commit | 80322d88da92969c170c915e93a33a96e12497a7 (patch) | |
tree | 516e0c526cda1291b5c2a376d40f4fb80b6ddc98 /doc | |
parent | 86d8b8d7bfd3c76d646907d5549e552519ea8261 (diff) |
dfilter: Add membership operator
Added a new relational test: 'x in {a b c}'. The only LHS entity
supported at this time is a field. The generated DFVM operations are
equivalent to an OR'ed series of =='s, but with the redundant existence
tests removed.
Change-Id: Iddc89b81cf7ad6319aef1a2a94f93314cb721a8a
Reviewed-on: https://code.wireshark.org/review/10246
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/README.display_filter | 1 |
-rw-r--r-- | doc/wireshark-filter.pod | 12 |
-rw-r--r-- | doc/wireshark.pod.template | 2 |
3 files changed, 14 insertions, 1 deletions
diff --git a/doc/README.display_filter b/doc/README.display_filter index 459e3fb512..ce1df39e91 100644 --- a/doc/README.display_filter +++ b/doc/README.display_filter @@ -228,6 +228,7 @@ typedef enum { STTYPE_INTEGER, STTYPE_RANGE, STTYPE_FUNCTION, + STTYPE_SET, STTYPE_NUM_TYPES } sttype_id_t; diff --git a/doc/wireshark-filter.pod b/doc/wireshark-filter.pod index 94a47e9b20..db7ba219ba 100644 --- a/doc/wireshark-filter.pod +++ b/doc/wireshark-filter.pod @@ -264,6 +264,18 @@ Slices can be combined. You can concatenate them using the comma operator: This concatenates offset 1, offsets 3-5, and offset 9 to the end of the ftp data. +=head2 The membership operator + +A field may be checked for matches against a set of values simply with the +membership operator. For instance, you may find traffic on common HTTP/HTTPS +ports with the following filter: + + tcp.port in {80 443 8080} + +as opposed to the more verbose: + + tcp.port == 80 or tcp.port == 443 or tcp.port == 8080 + =head2 Type conversions If a field is a text string or a byte array, it can be expressed in whichever diff --git a/doc/wireshark.pod.template b/doc/wireshark.pod.template index 0e6a357639..dd868f87ce 100644 --- a/doc/wireshark.pod.template +++ b/doc/wireshark.pod.template @@ -1912,7 +1912,7 @@ I<View:Main Toolbar>. A display filter can be entered into the filter toolbar. A filter for HTTP, HTTPS, and DNS traffic might look like this: - tcp.port == 80 || tcp.port == 443 || tcp.port == 53 + tcp.port in {80 443 53} Selecting the I<Filter:> button lets you choose from a list of named filters that you can optionally save. Pressing the Return or Enter |
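Review bot: in the doc/README.display_filter hunk, STTYPE_SET is added to the sttype_id_t listing with nothing in the hunk saying what a set node holds or which test consumes it. A sentence next to the enum tying STTYPE_SET to the new 'x in {a b c}' relation would keep the README usable as a guide to the syntax tree types rather than just a copy of the enum.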
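Review bot: the new "The membership operator" section in doc/wireshark-filter.pod never states the set syntax or its limits. The example `tcp.port in {80 443 8080}` shows space-separated values inside braces, but the text does not say so, and the commit message's restriction that only a field is supported on the left-hand side is not repeated for users. Suggest one added sentence covering the separator and the LHS restriction, so readers do not have to infer either from the single example.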
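Review bot: in the doc/wireshark.pod.template hunk, the context sentence promises a filter for "HTTP, HTTPS, and DNS traffic", but `tcp.port in {80 443 53}` only matches TCP, so DNS carried over UDP port 53 is not selected. The mismatch was already present in the replaced `tcp.port == 80 || tcp.port == 443 || tcp.port == 53` line; since the line is being touched anyway, either reword the sentence to say DNS over TCP or choose an example whose description matches what the filter selects.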