Enhancement: Add membership operator support

[cjmaynard]

Wireshark supports a membership operator as part of its display filter syntax. A couple of examples from the wireshark-filter man page:

tcp.port in {80 443 8080}  
ip.addr in {10.0.0.5 .. 10.0.0.9 192.168.1.1..192.168.1.9}  

It would be nice if a similar operator were supported for capture filters, e.g.,

tcp port in {80 443 8080}  
host in {10.0.0.5 .. 10.0.0.9 192.168.1.1..192.168.1.9}  

... or perhaps in a format like this:

tcp port in {80,443,8080}  
host in {10.0.0.5-10.0.0.9,192.168.1.1-192.168.1.9}  

... or in whatever format best fits with pcap-filter syntax.

[infrastation]

The first example is quite straightforward:

tcp port 80 or 443 or 8080

The second example might potentially be implementable by means of a new hostrange type, but unlike the existing portrange type the dashes and the hyphens would likely get in the way a lot, given they already appear in IPv4 addresses and hostnames.

[infrastation]

See also #815.

[infrastation]

One potential (did not test!) way to implement both features could be extending the existing ATM and MTP fields syntax onto port and host, and treating an IP address an an unsigned integer in this context. This would mean that the set membership would be straightforward and the ranges would be not as straightforward, but comprehensible. For example, the expressions above would be as follows:

tcp port (80 or 443 or 8080)

(ip host >= 10.0.0.5 and ip host <= 10.0.0.9) or (ip host >= 192.168.1.1 and ip host <= 192.168.1.9)

An advantage of this approach would be being a superset of the existing syntax (e.g. ip host 192.168.1.9 would be an abbreviation of ip host == 192.168.1.9). It seems worth prototyping if there is time for that, but before committing the new feature it would be useful to understand how many users actually need it.