dfilter: Add syntax to match specific layers in the protocol stack (!6759) · Merge requests · Wireshark Foundation / Wireshark

João Valverde requested to merge jvalverde/wireshark:dfilter-layers into master Apr 20, 2022

Add support to display filters for matching a specific layer within a frame. Layers are counted sequentially up the protocol stack. Each protocol (dissector) that appears in the stack is one layer.

LINK-LAYER#1 <-> IP#1 <-> TCP#1 <-> IP#2 <-> TCP#2 <-> etc.

The syntax allows for negative indexes and ranges with the usual semantics for slices (but note that counting starts at one):

 tcp.port#[2-4] == 1024

Matches layers 2 to 4 inclusive.

Fixes #3791 (closed).

dfilter: Add syntax to match specific layers in the protocol stack

Merge request reports