data:image/s3,"s3://crabby-images/2d092/2d0929e45ab08d1e9f1bbc73d67d9dad11fd5b93" alt="Wireshark search for string"
data:image/s3,"s3://crabby-images/bfce4/bfce4a36c72321d154ff80feaa66db75230db20a" alt="wireshark search for string wireshark search for string"
data:image/s3,"s3://crabby-images/a6b34/a6b348ca9a4108e806a30fb332a75a378f17f21f" alt="wireshark search for string wireshark search for string"
The simplest filter allows you to check for the existence of a protocol or field. Think of a protocol or field in a filter as implicitly having the "exists" operator.

The "contains" operator cannot be used on atomic fields, such as numbers or IP addresses. The "matches" or "~" operator allows a filter to apply a specified Perl-compatible regular expression (PCRE). The upper() and lower() functions are useful for performing case-insensitive string comparisons.

Integer fields are converted to their decimal representation. An integer may be expressed in decimal, octal, or hexadecimal notation, or as a C-style character constant. Some fields are Boolean; for example, a token-ring packet's source route field is Boolean.

IPv4 addresses can be represented in either dotted decimal notation or by using the hostname: IPv4 addresses can be compared with the same logical relations as numbers: eq, ne, gt, ge, lt, and le. CIDR notation can also be used with hostnames, as in this example of finding IP addresses on the same Class C network as 'sneeze': The CIDR notation can only be used on IP addresses or hostnames, not in variable names.

If a field is a text string or a byte array, it can be expressed in whichever way is most convenient. The "frame" protocol can be useful, encompassing all the data captured by Wireshark or TShark.

A field may be checked for matches against a set of values simply with the membership operator. The bitwise AND operation allows testing whether one or more bits are set.

Remember that whenever a protocol or field name occurs in an expression, the "exists" operator is implicitly called. Similarly, filtering for all WSP GET and extended GET methods is achieved with:

A special caveat must be given regarding fields that occur more than once per packet. It is easy to think of the 'ne' and 'eq' operators as having an implicit "exists" modifier when dealing with multiply-recurring fields.