Age | Commit message (Collapse) | Author | Files | Lines |
|
Clarify *display* filter, add link to User's Guide, and update to https.
Change-Id: I9a2152213cf5b4cb3daf15e62c73074524d92f94
Reviewed-on: https://code.wireshark.org/review/32912
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
This function can convert non-string fields into strings. This allows the
user to apply string functions (like contains and matches) to non-string fields.
Examples:
string(frame.number) matches "[13579]$" => for odd frames
string(eth.dst) matches "aa\.bb\.cc\.dd\.ee\..." => to match a group of stations
string(snmp.name) matches "^1.2.3.4" => for all OIDs under a specific node
Change-Id: I18173f50ba5314ecdcd1e4b66c7e8ba5b44257ee
Reviewed-on: https://code.wireshark.org/review/31427
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
Change-Id: If6bcf2ce9754453cfff434dde67b682761b37231
Reviewed-on: https://code.wireshark.org/review/31394
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
We've set "=encoding utf8" in wireshark.pod for a long time. Do so in
the rest of our .pod files.
Change-Id: I3ef0fb3a88ed63275b4ff4362b6afbf13d79a0bc
Reviewed-on: https://code.wireshark.org/review/29182
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
|
|
Add missing section on display filter functions to WSUG and make it
consistent with the wireshark-filter(4) manual. "count" was added in
Wireshark 1.12 (bug 9480). "len" was added in Wireshark 1.6.x.
"size" (added in 1.8.x) is not documented since it works like "len",
except that it is not limited to strings and byte arrays. I think that
"len" should be extended to other types while removing "size".
Change-Id: I2c8e2b4a11f007de7852a797bed971af86840b47
Reviewed-on: https://code.wireshark.org/review/27146
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
For numeric values such as port numbers, "4430..4434" looks more
natural than "4430 .. 4434", so support that.
To make this possible, the display filter syntax needs to be restricted.
Assume that neither field names nor values can contain "..". The display
filter `data contains ..` will now be considered a syntax error and must
be written as `data contains ".."` instead. More generally, all values
that contain ".." must be quoted.
Other than the ".." restriction, the scanner deliberately accepts more
characters that can potentially form invalid input. This is to prevent
accidentally splitting input in multiple tokens. For example, "9.2." in
"frame.time_delta in {9.2.}" is currently parsed as one token and then
rejected because it cannot be parsed as time. If the scanner was made
stricter, it could treat it as two tokens (floats), "9." and "2." which
has different meaning for the set membership operator.
An unhandled edge case is "1....2" which is parsed as "1 .. .. 2" but
could have been parsed as "1. .. .2" instead. A float with trailing dots
followed by ".." seems sufficiently weird, so rejection is fine.
Ping-Bug: 14180
Change-Id: Ibad8e851b49346c9d470f09d5d6a54defa21bcb9
Reviewed-on: https://code.wireshark.org/review/26960
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Allow "tcp.srcport in {1662 1663 1664}" to be abbreviated to
"tcp.srcport in {1662 .. 1664}". The range operator is supported for any
field value which supports the "<=" and "=>" operators and thus works
for integers, IP addresses, etc.
The naive mapping "tcp.srcport >= 1662 and tcp.srcport <= 1664" is not
used because it does not have the intended effect with fields that have
multiple occurrences (e.g. tcp.port). Each condition could be satisfied
by an other value. Therefore a new DVFM instruction (ANY_IN_RANGE) is
added to test the range condition against each individual field value.
Bug: 14180
Change-Id: I53c2d0f9bc9d4f0ffaabde9a83442122965c95f7
Reviewed-on: https://code.wireshark.org/review/26945
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Make the "matches" operator case-insensitive by default. Case
sensitivity can be switched back on using "(?-i)".
It might be nice to make "contains" case-insensitive as well, but we'd
need a caseless version of epan_memmem.
Change-Id: I5e39a52c148477c30c808152bcace08348df815a
Reviewed-on: https://code.wireshark.org/review/22330
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
The tilde (~) operator was missing as an alternative for matches.
Bug: 13320
Change-Id: Idb96c802145dcdd0d9ffc196b32370cadd8735b3
Reviewed-on: https://code.wireshark.org/review/19723
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
Add an FT_CHAR type, which is like FT_UINT8 except that the value is
displayed as a C-style character constant.
Allow use of C-style character constants in filter expressions; they can
be used in comparisons with all integral types, and in "contains"
operators.
Use that type for some fields that appear (based on the way they're
displayed, or on the use of C-style character constants in their
value_string tables) to be 1-byte characters rather than 8-bit numbers.
Change-Id: I39a9f0dda0bd7f4fa02a9ca8373216206f4d7135
Reviewed-on: https://code.wireshark.org/review/17787
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Added a new relational test: 'x in {a b c}'. The only LHS entity
supported at this time is a field. The generated DFVM operations are
equivalent to an OR'ed series of =='s, but with the redundant existence
tests removed.
Change-Id: Iddc89b81cf7ad6319aef1a2a94f93314cb721a8a
Reviewed-on: https://code.wireshark.org/review/10246
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Petri-Dish: Hadriel Kaplan <hadrielk@yahoo.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
|
|
Most of our sites are now HTTPS-only. Update URLs accordingly. Update
other URLs while we're at it. Remove or comment out dead links.
Change-Id: I7c4f323e6585d22760bb90bf28fc0faa6b893a33
Reviewed-on: https://code.wireshark.org/review/7621
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
|
|
Change-Id: I9bfc57cb6b6ab6962b80ff58d98eb351d6f69829
Reviewed-on: https://code.wireshark.org/review/4140
Reviewed-by: Gerald Combs <gerald@wireshark.org>
|
|
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9591
svn path=/trunk/; revision=54387
|
|
svn path=/trunk/; revision=49837
|
|
fix the perldoc link. Maybe someone else can figure out how to also fix:
http contains "http://www.wireshark.org"
Either the hyperlink should be made to work correctly by not including the
trailing quote as part of the link, or simply change it so it's not hyperlinked
at all. Also, it should display a terminating semi-colon as follows:
http contains "http://www.wireshark.org";
svn path=/trunk/; revision=45035
|
|
svn path=/trunk/; revision=43371
|
|
using a normal hex string would be nice
svn path=/trunk/; revision=41232
|
|
Refer to pcap-filter and mention tcpdump only as a fallback.
svn path=/trunk/; revision=40820
|
|
descriptions. Captitalize and fix up the descriptions. Use its output to
create the field type list in the wireshark-filter man page.
svn path=/trunk/; revision=40306
|
|
do.
svn path=/trunk/; revision=35079
|
|
svn path=/trunk/; revision=34816
|
|
wireshark-filter man page. Point to other sources for the list instead.
svn path=/trunk/; revision=33539
|