Ethereal-dev: Re: [Ethereal-dev] Filter expressions for exclusion

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Sat, 28 Dec 2002 15:33:57 +0100
Chris Waters wrote:

>Hi,
>
>It seems to me that one aspect of Ethereal filtering is non-intuitive, and
>also unnecessary. Consider the following filter:
>
>tcp.port != 10
>
>At first glance it appears that the purpose of the filter is to exclude all
>packets where the TCP port is 10. However this expression will also exclude
>all non-TCP packets, which was probably not the intent of the person that
>wrote the filter.
>
>In any filter referring to a field 'protocol.field' it appears that there is
>an implicit 'and protocol' added to the expression. This is very confusing.
>Is it necessary, or desirable?


I think it works as it should (at least more or less). 
However I think that the documentation could be improved. 

For filters with "tcp.port" (and similar for "ip.addr" etc.) there might be some extra confusion since there is both a source port (tcp.srcport) and a destination port (tcp.dstport) in a TCP packet and then the results can be different than you expect if you are not careful when preparing the filter.

!(tcp.port == 10) 
will filter out TCP packets where the source and/or destination port is not equal to 10, 
but also non-TCP packets (UDP, ARP, ...)

tcp.port != 10 
will filter out only TCP packets - where both source and destination port numbers are not 10.
You will get packets where source port is 10, or destination port is 10, or where neither of them is 10
but the TCP packets where both of them are 10 will not be included.

tcp and !(tcp.port == 10)
will filter out only TCP packets - where destination and/or source port numbers are not 10.

I hope I got it right. I'm not completely sure, and I didn't have any good captures to experiment with right now.
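
An added example, not part of the original message: a small Python model of the three filters discussed in this thread, run over constructed packets. It assumes the matching rule that a comparison on a field is true when any occurrence of that field in the packet satisfies it and false when the field is absent; the packet dictionaries and helper names are hypothetical and are not Ethereal code.

```python
# Simplified model (an assumption, not Ethereal's implementation): a packet is
# a dict mapping a field name to the list of values that field takes in it.
# "tcp.port" occurs twice in a TCP packet: once for the source port and once
# for the destination port.

def tcp_pkt(src, dst):
    return {"tcp": [True], "tcp.srcport": [src], "tcp.dstport": [dst],
            "tcp.port": [src, dst]}

# Constructed sample packets.
PACKETS = {
    "tcp 10->10":   tcp_pkt(10, 10),
    "tcp 10->80":   tcp_pkt(10, 80),
    "tcp 1025->10": tcp_pkt(1025, 10),
    "tcp 1025->80": tcp_pkt(1025, 80),
    "udp 53->1025": {"udp": [True], "udp.port": [53, 1025]},
    "arp":          {"arp": [True]},
}

def exists(pkt, field):
    # A bare protocol or field name in a filter tests for presence.
    return field in pkt

def eq(pkt, field, value):
    # True if ANY occurrence equals value; False if the field is absent.
    return any(v == value for v in pkt.get(field, []))

def ne(pkt, field, value):
    # True if ANY occurrence differs from value; False if the field is absent.
    return any(v != value for v in pkt.get(field, []))

FILTERS = {
    "tcp.port != 10":            lambda p: ne(p, "tcp.port", 10),
    "!(tcp.port == 10)":         lambda p: not eq(p, "tcp.port", 10),
    "tcp and !(tcp.port == 10)": lambda p: exists(p, "tcp")
                                           and not eq(p, "tcp.port", 10),
}

def matches(filter_text):
    """Return the names of the sample packets the filter would display."""
    return [name for name, pkt in PACKETS.items() if FILTERS[filter_text](pkt)]

if __name__ == "__main__":
    for text in FILTERS:
        print(f"{text:28} -> {matches(text)}")
```
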