From 820faa177737a0735e7d9e4a88f0e0caee449a1c Mon Sep 17 00:00:00 2001 From: Chuck Craft Date: Fri, 25 Jun 2021 14:37:57 -0500 Subject: docs: wireshark-filter - update man page --- doc/wireshark-filter.pod | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) (limited to 'doc') diff --git a/doc/wireshark-filter.pod b/doc/wireshark-filter.pod index 52b4ae4cc3..231c3d6a21 100644 --- a/doc/wireshark-filter.pod +++ b/doc/wireshark-filter.pod @@ -11,10 +11,10 @@ wireshark-filter - Wireshark display filter syntax and reference =head1 SYNOPSIS B [other options] -S<[ B<-Y> "display filter expression" | b<--display-filter> "display filter expression" ]> +S<[ B<-Y> "display filter expression" | B<--display-filter> "display filter expression" ]> B [other options] -S<[ B<-Y> "display filter expression" ]> +S<[ B<-Y> "display filter expression" | B<--display-filter> "display filter expression" ]> =head1 DESCRIPTION @@ -81,14 +81,14 @@ implemented for protocols and for protocol fields with a text string representation. Matches are case-insensitive by default. For example, to search for a given WAP WSP User-Agent, you can write: - wsp.user_agent matches "cldc" + wsp.header.user_agent matches "cldc" This would match "cldc", "CLDC", "cLdC" or any other combination of upper and lower case letters. You can force case sensitivity using - wsp.user_agent matches "(?-i)cldc" + wsp.header.user_agent matches "(?-i)cldc" This is an example of PCRE's B<(?>optionB<)> construct. B<(?-i)> performs a case-sensitive pattern match but other options can be specified as well. More 
@@ -150,12 +150,12 @@ An integer may be expressed in decimal, octal, or hexadecimal notation, or as a C-style character constant. The following six display filters are equivalent: - frame.pkt_len > 10 - frame.pkt_len > 012 - frame.pkt_len > 0xa - frame.pkt_len > '\n' - frame.pkt_len > '\xa' - frame.pkt_len > '\012' + frame.len > 10 + frame.len > 012 + frame.len > 0xa + frame.len > '\n' + frame.len > '\x0a' + frame.len > '\012' Boolean values are either true or false. In a display filter expression testing the value of a Boolean field, "true" is expressed as 1 or any @@ -180,8 +180,8 @@ digits. The hex digits may be separated by colons, periods, or hyphens: IPv4 addresses can be represented in either dotted decimal notation or by using the hostname: - ip.dst eq www.mit.edu ip.src == 192.168.1.1 + ip.dst eq www.mit.edu IPv4 addresses can be compared with the same logical relations as numbers: eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order, @@ -197,7 +197,7 @@ will find all packets in the 129.111 Class-B network: Remember, the number after the slash represents the number of bits used to represent the network. CIDR notation can also be used with hostnames, as in this example of finding IP addresses on the same Class C -network as 'sneezy': +network as 'sneezy' (requires that 'sneezy' resolve to an IP address for filter to be valid): ip.addr eq sneezy/24 @@ -284,7 +284,7 @@ or A slice is always compared against either a string or a byte sequence. As a special case, when the slice is only 1 byte wide, you can compare -it against a hex integer that 0xff or less (which means it fits inside +it against a hex integer that is 0xff or less (which means it fits inside one byte). This is not allowed for byte sequences greater than one byte, because then one would need to specify the endianness of the multi-byte integer. Also, this is not allowed for decimal numbers, since they 
@@ -450,7 +450,7 @@ The online Display Filter Reference: L =item * -I in Wireshark +I in Wireshark =item * @@ -464,7 +464,7 @@ The Wireshark wiki: L manpage is part of the B distribution. +The B manpage is part of the B distribution. The latest version of B can be found at L. -- cgit v1.2.3
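Review bot: The commit message gives no reason for the field rename in the @@ -81,14 hunk (wsp.user_agent to wsp.header.user_agent in both "matches" examples), and the same goes for frame.pkt_len to frame.len further down. "update man page" does not tell a later reader whether the old names were removed, deprecated or simply wrong in the docs. Add a line to the message body naming the renamed fields and the reason, so that someone holding a saved filter with the old name can find this change.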
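Review bot: In the @@ -150,12 hunk the fifth example changes in two ways at once: the field is renamed like the other five, but the character constant also goes from '\xa' to '\x0a', and nothing in the patch explains the second change. The surrounding text still only says an integer may be "a C-style character constant" and does not say how many hex digits an escape needs. If the single-digit form is not accepted, add a sentence saying hex escapes take two digits; if it is accepted, keep '\xa' so the list of six keeps showing a distinct spelling.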
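Review bot: The resolution caveat added for 'sneezy' in the @@ -197,7 hunk applies just as much to the "ip.dst eq www.mit.edu" example that the @@ -180,8 hunk only reorders, yet that example gets no such note. Consider stating the requirement once, in the paragraph that introduces hostnames ("IPv4 addresses can be represented in either dotted decimal notation or by using the hostname"), so it covers both examples, and word it "for the filter to be valid". The hunk header shows the parenthetical was added without adding a line, so the new line is far longer than the wrapped lines around it and should be rewrapped.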