In the statistics files and in the filters there are expressions which refer to the protocols defined in the PDF file. The expressions return an integer belonging to the range (-2147483648 , 2147483647) or the CANTTELL value when the expression cannot be evaluated. The integers different from 0 indicate a positive expression evaluation, instead 0 value indicates a negative expression evaluation. In the expressions the user can refer to packet information through the GetVmVar() function.
The protocols names are valid expression and their return value can be: 0xFFFFFFFF if the protocol belongs to the packet, 0 if it does not belong and CANTTELL if it is not possible to establish the protocol presence. Here it is an explanation about how the protocol presence is evaluated. The PDF structure is based on a graph structure. So in order to evaluate the presence of the specified protocol the graph defined by the PDF file has to be visited. If the whole packet is visited and the specified protocol is not found the return value is 0; if it not possible to visit the whole packet and the specified protocol is a possible successor to the last visited protocol then the expression returns 'CANTTELL'.
The protocol fields are indicated with the syntax: protocolname.fieldname. If the field search is successful then the expression will assume the field value; if the field is not found then the expression contains a no valid value.
The truth tables of the operators are modified to contain also the CANTTELL value. VALUE(X) represents a valid value for the X variable; FALSE represents 0; TRUE represents 0xFFFFFFFF; CANTTEL represents a non valid value.
| AND (&) | VALUE(B) | CANTTELL |
| VALUE(A) | VALUE(A)&VALUE(B) | CANTTELL |
| CANTTELL | CANTTELL | CANTTELL |
| OR (|) | VALUE(B) | CANTTELL |
| VALUE(A) | VALUE(A)|VALUE(B) | VALUE(A) |
| CANTTELL | VALUE(B) | CANTTELL |
| IDENTITY (=) | VALUE(B) | CANTTELL |
| VALUE(A) | (VALUE(A)==VALUE(B)) ? TRUE : FALSE | FALSE |
| CANTTELL | FALSE | TRUE |
| <= | VALUE(B) | CANTTELL |
| VALUE(A) | (VALUE(A)<=VALUE(B)) ? TRUE : FALSE | FALSE |
| CANTTELL | FALSE | TRUE |
| >= | VALUE(B) | CANTTELL |
| VALUE(A) | (VALUE(A)>=VALUE(B)) ? TRUE : FALSE | FALSE |
| CANTTELL | FALSE | TRUE |
| != | VALUE(B) | CANTTELL |
| VALUE(A) | (VALUE(A)!=VALUE(B)) ? TRUE : FALSE | TRUE |
| CANTTELL | TRUE | FALSE |
| < | VALUE(B) | CANTTELL |
| VALUE(A) | (VALUE(A)<VALUE(B)) ? TRUE : FALSE | FALSE |
| CANTTELL | FALSE | FALSE |
| > | VALUE(B) | CANTTELL |
| VALUE(A) | (VALUE(A)>VALUE(B)) ? TRUE : FALSE | FALSE |
| CANTTELL | FALSE | FALSE |
| NOT (!) | VALUE(A) | CANTTELL |
| ----- | !VALUE(A) | CANTTELL |
| + | VALUE(B) | CANTTELL |
| VALUE(A) | VALUE(A)+VALUE(B) | CANTTELL |
| CANTTELL | CANTTELL | CANTTELL |
| - | VALUE(B) | CANTTELL |
| VALUE(A) | VALUE(A)-VALUE(B) | CANTTELL |
| CANTTELL | CANTTELL | CANTTELL |
| * | VALUE(B) | CANTTELL |
| VALUE(A) | VALUE(A)*VALUE(B) | CANTTELL |
| CANTTELL | CANTTELL | CANTTELL |
| << | VALUE(B) | CANTTELL |
| VALUE(A) | VALUE(A)<<VALUE(B) | CANTTELL |
| CANTTELL | CANTTELL | CANTTELL |
| >> | VALUE(B) | CANTTELL |
| VALUE(A) | VALUE(A)>>VALUE(B) | CANTTELL |
| CANTTELL | CANTTELL | CANTTELL |
| / | VALUE(B) | FALSE | CANTTELL |
| VALUE(A) | VALUE(A)/VALUE(B) | CANTTELL | CANTTELL |
| CANTTELL | CANTTELL | CANTTELL | CANTTELL |
In the expression the user can utilize the function 'GetDataLen'. Its syntax is GetDataLen (protocol_name). It returns the number of the bytes seen as data from the specified protocol.
For further information see the grammar section about the expressions used in the filters and in the stt files.