On Sat, Dec 28, 2002 at 10:25:09AM -0800, Chris Waters wrote:
> I agree with you that the filters work correctly, in that (AFAIK) it is
> possible to construct a filter which will achieve the purpose that you
> intend. Once I read the documentation carefully (it took three readings to
> pick up this subtlety) it seems to me that the documentation is also
> complete and correct. The issue I am raising is that the default behavior is
> non-intuitive

To *some* people, at least.

> and I would guess that it has been the cause of
> head-scratching for most Ethereal users.
>
> Overall the filter expressions are very easy to use. A quick skim of the
> documentation the first time I used Ethereal was all I needed to start
> writing filters. However, until someone else brought it to my attention
> recently, I had no idea that all of the filters I had written that use '!='
> are actually excluding more packets than I intended.
>
> Would there be any loss in generality of filters if there wasn't an implicit
> 'and protocol' term?

"And protocol" is "implicit" only in that non-TCP packets don't have a
TCP port number. It's really an implicit "and field" term.

"tcp.port != 10" means "the 'tcp.port' field in the packet has a value
other than 10"; a non-existent "tcp.port" field has no value, so it
doesn't have a value other than 10.

I guess there wouldn't be a loss in generality if you required somebody
to do

	tcp.port and tcp.port != 10

but it would strike *me* as non-intuitive to have "tcp.port != 10"
matching packets that don't have a TCP number at all.
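
The field-existence semantics described in this reply, modelled as an added Python example (not Ethereal code and not written by either poster). The packets are constructed, each carries one value per field, and the helper names and the negated-equality filter are assumptions of the model.

```python
# Model of the display-filter semantics described above (not Ethereal code).
# Constructed sample packets; simplification: one value per field.
PACKETS = [
    ("tcp-port-10", {"tcp.port": 10}),
    ("tcp-port-80", {"tcp.port": 80}),
    ("udp-port-53", {"udp.port": 53}),
    ("arp", {}),
]

def exists(field):
    """Bare field name: true when the packet carries the field."""
    return lambda fields: field in fields

def ne(field, value):
    """field != value: the field must exist AND differ from value."""
    return lambda fields: field in fields and fields[field] != value

def eq(field, value):
    """field == value: the field must exist AND equal value."""
    return lambda fields: field in fields and fields[field] == value

def both(a, b):
    return lambda fields: a(fields) and b(fields)

def negate(a):
    return lambda fields: not a(fields)

def matching(flt):
    """Names of the packets a filter would display."""
    return [name for name, fields in PACKETS if flt(fields)]

def dropped_without_field(flt, field):
    """Packets the filter hides even though they never carried the field."""
    return [n for n, f in PACKETS if not flt(f) and field not in f]

if __name__ == "__main__":
    filters = {
        "tcp.port != 10": ne("tcp.port", 10),
        "tcp.port and tcp.port != 10": both(exists("tcp.port"), ne("tcp.port", 10)),
        "not (tcp.port == 10)": negate(eq("tcp.port", 10)),  # assumed alternative
    }
    for text, flt in filters.items():
        print(f"{text!r:32} shows {matching(flt)}; "
              f"hides non-TCP: {dropped_without_field(flt, 'tcp.port')}")
```
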