Ethereal-dev: Re: [ethereal-dev] Bug in display filter

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Fri, 22 Oct 1999 02:10:43 -0700
> I found a bug in display filter:
> 
> expression  ex. "tcp.port!=80" don't work,

Note that the expression "tcp.port != 80" will match any packet with a
TCP source *or* destination port not equal to 80 - i.e., it'll probably
match most, if not all, packets in an HTTP connection, as the client
probably isn't using port 80.

I.e., neither it nor "!(tcp.port == 80)" necessarily does what one might
expect.

Another problem you may be seeing is that "tcp.port != 80" fails on
packets that don't *have* a TCP header in them.  That one's a bit
trickier.  It seems reasonable that "tcp.port == 80" should fail on
packets that don't have a TCP header in them, and it might be reasonable
that "tcp.port != 80" should succeed if the packet has no TCP header -
but what should, say, "tcp.port > 80" do? Is "!=" the only operator that
should succeed, rather than failing, if the field being compared isn't
in the packet?

Note that

	!tcp || tcp.port != 80

should (assuming it doesn't have to be further parenthesized) match

	1) all non-TCP packets;

	2) TCP packets that aren't coming from port 80 and aren't going
	   to port 80

(although, as noted, clause 2 may not be what you want...).
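
Added example, not part of the original message and not Ethereal's code: a toy model of the matching rule described above, in which "tcp.port" occurs twice per TCP packet (source and destination), a comparison succeeds if any occurrence satisfies it, and a comparison on an absent field fails. The packet dictionaries, port numbers and function names are constructed for illustration.

```python
import operator

OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt}

def any_match(pkt, field, op, value):
    """True if ANY occurrence of `field` satisfies `op value`.
    A packet with no occurrence of the field yields False for every operator."""
    return any(OPS[op](v, value) for v in pkt.get(field, []))

def has(pkt, proto):
    """Models the bare existence test, e.g. the filter `tcp`."""
    return any(name == proto or name.startswith(proto + ".") for name in pkt)

# The filters discussed in the message, expressed against the model.
FILTERS = {
    "tcp.port != 80": lambda p: any_match(p, "tcp.port", "!=", 80),
    "!(tcp.port == 80)": lambda p: not any_match(p, "tcp.port", "==", 80),
    "!tcp || tcp.port != 80":
        lambda p: not has(p, "tcp") or any_match(p, "tcp.port", "!=", 80),
    "tcp.port > 80": lambda p: any_match(p, "tcp.port", ">", 80),
}

# Constructed sample packets: each list is [source port, destination port].
PACKETS = {
    "http request": {"tcp.port": [34567, 80]},
    "smtp": {"tcp.port": [1025, 25]},
    "dns over udp": {"udp.port": [53000, 53]},
}

def evaluate():
    """Map each filter string to the names of the sample packets it matches."""
    return {flt: [name for name, pkt in PACKETS.items() if fn(pkt)]
            for flt, fn in FILTERS.items()}

if __name__ == "__main__":
    for flt, matched in evaluate().items():
        print(f"{flt:24} -> {matched}")
```

Under this model the HTTP request still passes "tcp.port != 80" because its client port differs from 80, and the UDP packet passes only the filters that negate a whole test, which is the asymmetry between "!=" and "!(... == ...)" on packets lacking the field.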