next - previous - toc

A. View Query Tutorial

Using the data view query you can query a view using an XPath expression to create a new view.
The XPath expression defines a set of nodes. The nodes which match the expression are copied into a new view.
The valid data view queries form a subset of the possible XPath queries.
Valid queries must match the following rules

the XPath query is always done on the root node, so relative queries are the same as absolute queries

Each view element has a corresponding xml element where the name of the view element is used as a tagname.
Each xml element has to following attributes. !! All the numbers used in the xpath query must be decimal numbers. !!

class ::= "DataFrame" | "DataEncodingField" | "MapField"
bitStart ::= a decimal number
bitEnd ::= a decimal number
bitSize ::= a decimal number
data ::= a string depending on the choosen DataEncoding (only present in DataEncodingField)

Suppose you have a simple view structure consisting of a root data frame and two data encoding field. Then the xml structure will look like this

<aFrame class="DataFrame" bitStart=0 bitEnd=80 bitSize=80>
	<aField class="DataEncodingField" bitStart=0 bitEnd=24 bitSize=24 data="001352"/>
	<anotherField class="DataEncodingField" bitStart=24 bitEnd=80 bitSize=56 data="95ab081952bbc3"/>
</aFrame>

Example Queries

All the examples below use the abbreviated XPath syntax.
Below are some common queries to get you started. For more complex ones you might want to consult the official XPath definition at http:\\www.w3.org\TR\xpath
In the example the libcap.str is used on a captured network traffic. The view queries are especially useful if you are analyzing huge repetitive data like network traffic.

/libcap
Will match the root element of the view, and effectively does a clone of the view similar to View->Clone View.

/libcap/frame
Will match all the frames of the libcap view.

/libcap/frame[3]
Will match the third frame of the libcap view. This is frame[2] in the data view because DataWorkshop starts counting from 0 and not 1.

/libcap/frame/ethernetII-DIX/ipv4/total-length
Will match all the total-length data fields of the ipv4 packet. Useful to extract a list of all packet sizes.

/libcap/frame/ethernetII-DIX/ipv4[./protocol/@data="TCP"]
Will match all the ipv4 packets which have a TCP payload inside. The protocol data field is a map field which maps the protocol number to the String TCP.

/libcap/frame/ethernetII-DIX/ipv4[./total-length/@data>1000]
Selects all ip frames which have a total-length > 1000 bytes. Although data is a String the query can convert the string into a number. But this only works if the string is in decimal notation. Hex Strings will give weird results.

next - previous - toc