The analysis engine, Query.exe, is a standard console application and can be used stand-alone. Analyzer runs this program and redirects its input and output to the graphical interface.
Query provides the environment that all the parsers use to execute the object code they generate. It consists basically of a user interface and a virtual machine that hosts the "external" code and executes user commands by means of the object files.
Query supports two kinds of commands:
off-context commands: commands that can be given at any time.
on-context commands: commands that can be given only when a capture file is open.
logopen FILENAME: Opens file FILENAME and uses it as the capture file. The capture format is the one specified in the current LFO file.
capopen FILENAME: Opens file FILENAME and uses it as the capture file. The capture format is CAP.
iniopen FILENAME: Opens file FILENAME and uses it as the INI file.
lfoopen FILENAME: Opens file FILENAME and uses it as the LFO file. This file will be used to read capture files.
pfoopen FILENAME: Opens file FILENAME and uses it as the PDO file. This file contains the protocol definitions.
dfoopen FILENAME: Opens file FILENAME and uses it as the DFO file. This file will be used to print the packet analysis.
ifoopen FILENAME: Opens file FILENAME and uses it as the IFO file. This file will be used to print the packet index.
macro FILENAME: Executes macro contained in file FILENAME.
repopen FILENAME OPTIONS: Opens file FILENAME and uses it as the textual report. Options are:
-d: Adds to report only packet hexadecimal dump
-p: Adds to report only packet analysis
-a: Adds to report packet analysis and hexadecimal dump
-n: Adds to report only packet number
repclose: Closes report file currently open.
command STRINGS: Executes command STRINGS using the system shell. The command runs with the privileges of the Query process.
chdir DIRECTORY: Changes current directory to DIRECTORY.
maccompile FILENAME1 FILENAME2: Compiles macro file FILENAME1 and creates object file FILENAME2.
lffcompile FILENAME1 FILENAME2: Compiles LFF file whose name is FILENAME1 and creates object file FILENAME2.
pdfcompile FILENAME1 FILENAME2: Compiles PDF file whose name is FILENAME1 and creates object file FILENAME2.
ddfcompile FILENAME1 FILENAME2: Compiles DFF file (or IFF file) whose name is FILENAME1 and creates object file FILENAME2.
new FILENAME: Creates a new capture whose name is FILENAME.
help: Shows this command list.
repadd: Adds to report current packet analysis.
wcapopen FILENAME: Opens file FILENAME and uses it like binary report.
wcapclose: Closes current binary report file.
wcapadd: Adds to current binary report file current packet.
this: Shows current packet analysis.
first: Shows first packet analysis.
last: Shows last packet analysis.
prev: Shows previous packet analysis.
next: Shows next packet analysis.
prevf: Shows the analysis of the previous packet that satisfies the current filter.
nextf: Shows the analysis of the next packet that satisfies the current filter.
filter STRING: Sets current filter to STRING.
jump N1: Shows the analysis of packet N1 (if available).
getpos: Shows current position in capture file.
getitemnr: Shows packet number.
getprotos [OPTIONS]: Shows supported protocols. If an option is present, only protocol names are shown.
query [-t] [-o:OUTFILE] FILENAME: Evaluates the statistics contained in file FILENAME and shows the results.
index [N1 [N2]]: Shows packets index. N1 is the start packet (where index begins). N2 is end packet (where index ends). If N1 and N2 are not present, index will be created on every packet. If N2 is not present, index will be created starting from packet N1.
setfirstpr [PROTOCOL]: Sets first protocol for packet analysis to PROTOCOL. If this parameter is not present all protocols are taken into consideration.
getlinktype: Shows value of the field 'link type' contained in capture header or defined in current LFF file.
delete N1 N2 ...: Deletes packets number N1, N2, ... in current capture.
copy "FILENAME" N1 N2 ...: Copies packets N1, N2, ... from the current capture to file FILENAME.
merge FILENAME: Merges packets in current capture with packets in capture file FILENAME.
getfltpck: Shows packets satisfying current filter.