Display Filter Syntax

A display filter is written in a subset of JavaScript expression syntax.

A packet passes a display filter only if the expression evaluates to a truthy value.

Name resolution

The name resolution rules of the display filter are slightly different from those of JavaScript.

Top-level name

  1. If the name is $, it is always resolved to the packet itself even if the packet holds $ as a property.

  2. If the packet has a property of the name, it is resolved to the property.

    • e.g. payload is equal to $.payload
  3. If the packet has a layer of the name, it is resolved to the layer.

    • e.g. tcp udp
  4. If the global object has a property of the name, it is resolved to the property.

    • e.g. Math Date
  5. Otherwise, it is resolved to undefined.

Member name

  1. If the object is an instance of Layer and its attrs has a property of the name, it is resolved to the property.

  2. If the packet has a property of the name, it is resolved to the property.

  3. Otherwise, it is resolved to undefined.
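The two rule lists above, written out as an added JavaScript sketch (not the project's own implementation) that resolves dotted names against a constructed packet. Assumptions: the shape of `Layer`, the `layers` map on the packet, and reading member rule 2 as applying to the object being accessed, which is what the page's `payload.length` example requires.

```javascript
// Added sketch of the resolution order. Layer and the packet shape
// (a `layers` map, `attrs` on each layer) are assumptions for illustration.
class Layer {
  constructor(attrs) { this.attrs = attrs; }
}

// "Has a property": own or inherited; null and undefined have none.
const has = (obj, name) => obj != null && name in Object(obj);

function resolveTopLevel(packet, name, globals = globalThis) {
  if (name === '$') return packet;                           // rule 1: $ is always the packet
  if (has(packet, name)) return packet[name];                // rule 2: packet property
  if (has(packet.layers, name)) return packet.layers[name];  // rule 3: layer
  if (has(globals, name)) return globals[name];              // rule 4: global object
  return undefined;                                          // rule 5
}

function resolveMember(obj, name) {
  if (obj instanceof Layer && has(obj.attrs, name)) return obj.attrs[name]; // rule 1
  if (has(obj, name)) return obj[name];  // rule 2, read here as "the object"
  return undefined;                      // rule 3: never throws on a missing parent
}

// Resolve a dotted name such as "tcp.ack": the first segment is a
// top-level name, every later segment is a member lookup.
function resolvePath(packet, path, globals = globalThis) {
  const [head, ...rest] = path.split('.');
  return rest.reduce((obj, name) => resolveMember(obj, name),
                     resolveTopLevel(packet, head, globals));
}

// Constructed sample packet. `$` is deliberately also a property, and
// `udp` exists both as a packet property and as a layer.
const samplePacket = {
  $: 'shadowed',
  len: 120,
  payload: new Uint8Array(150),
  udp: 'packet property',
  layers: { tcp: new Layer({ ack: 12345 }), udp: new Layer({ port: 53 }) },
};

function demo() {
  const paths = ['$', '$.$', 'payload.length', 'tcp.ack', '$.len', 'Math.PI', 'udp.port', 'nope.x'];
  return Object.fromEntries(paths.map((p) => [p, resolvePath(samplePacket, p)]));
}
console.log(demo());
```

In the output, `udp.port` is undefined because the packet property named `udp` is found before the layer of the same name, and `$.$` reaches the shadowed property only through member access.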

Available Expressions

Comparison operators

  • >
  • <
  • >=
  • <=
  • ==
  • !=

Arithmetic operators

  • +
  • -
  • *
  • /
  • %

Bitwise operators

  • &
  • |
  • ^
  • >>
  • <<
  • ~

Logical operators

  • ||
  • &&
  • !

Conditional operator

  • a ? b : c

Literals

  • String "string"
  • Number 1.0 0b1010
  • Boolean true false
  • RegExp /a+/

Property accessors

  • .
  • []

Others

  • create instance new
  • call ()

Examples

   +-------- Packet property
   |
payload.length > 100

 +--------- Protocol name
 |
tcp.ack == 12345
     |
     +--- Protocol attribute

   +-------- Packet property
   |
$.len > 100
|
+---------- Refer a packet explicitly

payload.length > 100
