git.ipfire.org Git - thirdparty/suricata.git/commitdiff
doc: Update byte_extract doc
author Jeff Lucovsky <jeff@lucovsky.org>
Wed, 17 Jun 2020 14:15:06 +0000 (10:15 -0400)
committer Victor Julien <victor@inliniac.net>
Mon, 29 Jun 2020 18:24:43 +0000 (20:24 +0200)
doc/userguide/rules/payload-keywords.rst

index c552e919239bd177c6b06e958bdf56544ddcffde..1b12c088e34094d5b8dd8fbae4dcdf454f230cdb 100644 (file)
@@ -439,7 +439,37 @@ The ``byte_extract`` keyword extracts ``<num of bytes>`` at a particular ``<offs
 
 Format::
 
-  byte_extract:<num of bytes>, <offset>, <var_name>, [, relative];
+  byte_extract:<num of bytes>, <offset>, <var_name>, [,relative] [,multiplier <mult-value>] \
+        [,<endian>] [, dce] [, string [, <num_type>] [, align <align-value];
+
+
++--------------------+--------------------------------------------------------------------------+
+| <num of bytes>     | The number of bytes selected from the packet to be extracted            |
++--------------------+--------------------------------------------------------------------------+
+| <offset>          | Number of bytes into the payload                                         |
++--------------------+--------------------------------------------------------------------------+
+| <var_name>        | The name of the variable in which to store the value                     |
++--------------------+--------------------------------------------------------------------------+
+| [relative]        | Offset relative to last content match                                    |
++--------------------+--------------------------------------------------------------------------+
+| multiplier <value> | multiply the extracted bytes by <mult-value> before storing             |
++--------------------+--------------------------------------------------------------------------+
+| [endian]          | Type of number being read:                                               |
+|                   | - big (Most significant byte at lowest address)                          |
+|                   | - little (Most significant byte at the highest address)                  |
++--------------------+--------------------------------------------------------------------------+
+| [string] <num>     |                                                                                 |
+|                   | - hex - Converted string represented in hex                              |
+|                   | - dec - Converted string represented in decimal                          |
+|                   | - oct - Converted string represented in octal                            |
++--------------------+--------------------------------------------------------------------------+
+| [dce]                     | Allow the DCE module determine the byte order                            |
++--------------------+--------------------------------------------------------------------------+
+| align <align-value>| Round the extracted value up to the next                                |
+|                    | next <align-value> byte boundary post-multiplication (if any)            |
+|                    | ; <align-value> may be 2 or 4                                            |
++--------------------+--------------------------------------------------------------------------+
+
 
 ============== ==================================
  Keyword       Modifier
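
Review bot: The new Format line has unbalanced delimiters in its continuation line: `[, string [, <num_type>]` never closes the outer bracket, and `[, align <align-value];` is missing the closing `>`. Something like `[, string [, <num_type>]] [, align <align-value>];` would read unambiguously, and the stray comma in `<var_name>, [,relative]` could go at the same time. In the table, the placeholders do not match the Format line (`multiplier <value>` against `<mult-value>`, `[string] <num>` against `<num_type>`), the `[string]` row has an empty first description line, so the reader is never told what the option does, and the `align` row repeats "next" across its first two lines. The row widths as shown here also differ from the `+----+` borders (for example the `<offset>` and `[dce]` rows). If that is from mixed tabs and spaces in the source, the grid table will not parse, so please confirm the docs build renders it.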