The .byte_test parameter compares a byte with a specified value and is applied to data presented in binary or character format.
The general format is as follows:
.byte_test = <bytes>,<operator>,<value>,<offset>[,<multiplier>][,<modifiers>];
Available parameters are provided in the table:
| Name | Description |
|---|---|
| <bytes> | Number of bytes read from the packet at the current position with the specified offset. Can take the following values: 1, 2 or 4. |
| <size> | String length; specified for string data. |
| * | Use all characters up to the first non-numeric character. |
| <operator> | Operator used to compare the byte with the specified value: Example: .byte_test=1,&,0x80,0; checks that the most significant bit of the first byte in the data field of the packet is set to 1. |
| <value> | The value used in comparison or packet size. The value can be specified using the 0x prefix; arithmetic operators (+, -, *, /) can also be used. |
| <offset> | Offset in the data field of the packet: If the offset parameter is not specified, the analysis is performed from the beginning of the packet by default. |
| <post_offset> | The number of bytes to move the scan start point. Important! Applied to .byte_jump. |
| <multiplier> | A numeric value by which the extracted number is multiplied before comparison or before moving the scan start point; this parameter is optional. |
| <modifiers> | Modifiers (optional): |
Example: comparing the first four bytes of each packet with the value 1234, where the packet data is in character format in the decimal numeral system:
.byte_test=4,=,1234,0,string,dec;
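The two .byte_test examples above, evaluated against constructed payloads. This is an added example, not the product's own code; the function names are hypothetical. It assumes big-endian order when no byte-order modifier is given and that a read running past the end of the data does not match. It models only the `=` and `&` operators and the string, dec, big and little modifiers named on this page, and does not handle arithmetic inside `<value>`.

```python
import operator

# Only the operators and modifiers that appear on this page are modelled.
OPERATORS = {"=": operator.eq, "&": lambda extracted, value: (extracted & value) != 0}

def parse_byte_test(rule):
    """Parse '.byte_test=<bytes>,<operator>,<value>,<offset>[,<multiplier>][,<modifiers>];'."""
    name, _, body = rule.strip().rstrip(";").partition("=")
    if name.strip() != ".byte_test":
        raise ValueError("not a .byte_test parameter")
    fields = [f.strip() for f in body.split(",")]
    if len(fields) < 3 or fields[1] not in OPERATORS:
        raise ValueError("unsupported .byte_test: " + rule)
    rest = fields[4:]
    # A numeric field right after the offset is the optional multiplier.
    multiplier = int(rest.pop(0), 0) if rest and rest[0][:1].isdigit() else 1
    parsed = {
        "bytes": int(fields[0]),
        "op": fields[1],
        "value": int(fields[2], 0),  # accepts 1234 and 0x80
        "offset": int(fields[3], 0) if len(fields) > 3 else 0,  # default: start of data
        "multiplier": multiplier,
        "modifiers": set(rest),
    }
    if parsed["offset"] < 0 or parsed["bytes"] < 1:
        raise ValueError("offset must be >= 0 and byte count >= 1")
    return parsed

def byte_test(rule, payload):
    """Return True when the packet data field (payload, bytes) satisfies the rule."""
    p = parse_byte_test(rule)
    chunk = payload[p["offset"]:p["offset"] + p["bytes"]]
    if len(chunk) < p["bytes"]:
        return False  # assumption: a read past the end of the data is a non-match
    if "string" in p["modifiers"]:
        if not chunk.isdigit():  # character data must be ASCII decimal digits
            return False
        extracted = int(chunk, 10)
    else:
        # Assumption: big-endian unless the little modifier is present.
        order = "little" if "little" in p["modifiers"] else "big"
        extracted = int.from_bytes(chunk, order)
    return OPERATORS[p["op"]](extracted * p["multiplier"], p["value"])

if __name__ == "__main__":
    # Constructed payloads for the two examples on this page.
    print(byte_test(".byte_test=1,&,0x80,0;", b"\x81\x00"))
    print(byte_test(".byte_test=4,=,1234,0,string,dec;", b"1234 rest"))
```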
The .byte_jump parameter moves the scan start point by the specified number of bytes. The general format for processing data from the most or the least significant bit (i.e. for the big and little modifiers) is as follows:
.byte_jump = <bytes>,<offset>,<post_offset>[,<multiplier>][,<modifiers>];
For string data (string modifier):
.byte_jump = (<size> | *),<offset>,<post_offset>[,<multiplier>][,<modifiers>];