Wireshark-bugs: [Wireshark-bugs] [Bug 11860] Display filter operator != not working as exepected
Date: Mon, 07 Dec 2015 17:11:08 +0000

Comment # 4 on bug 11860 from
(In reply to hvgeekwtrvl from comment #3)
> Guy and Pascal thanks for the information.
> 
> The confusion lies in the issue that you are not treating the != and ==
> operators in the same fashion and it's probably due to the way the search is
> written.
> 
> In the case of 'ip.addr == x.x.x.x' you are treating this as an OR 'ip.src
> == x.x.x.x OR ip.dst == x.x.x.x' versus the 'ip.addr != x.x.x.x' is being
> treated as an AND 'ip.src != x.x.x.x AND ip.dst != x.x.x.x'.
> 
> From the logic presented this is probably happening as it sounds like the
> search in both cases is being done as 'ip.src == x.x.x.x OR ip.dst ==
> x.x.x.x' and then being taken as the result or negated if the != operator is
> present instead of actually making the search 'ip.src != x.x.x.x OR ip.dst
> != x.x.x.x'.  This is backed up by the documentation snippet which Pascal
> linked to as the '==' search is an OR condition and the '!=' is an AND
> condition.
> 
> It would be more consistent if your searches were all OR's or all AND's.

The expansion is the same, regardless of operator.  Keep in mind that there is
no "ip.addr" field.  It is merely a convenience pseudo-field so that one does
not need to type "ip.src == x.x.x.x or ip.dst == x.x.x.x" when you don't care
if the IP address is the source or destination, which is often the case.

So as indicated at https://wiki.wireshark.org/DisplayFilters, in the case of
the "==" operator, "ip.addr == x.x.x.x" is equivalent to "ip.src == x.x.x.x or
ip.dst == x.x.x.x", and in the case of the "!=" operator, "ip.addr != x.x.x.x"
is equivalent to "ip.src != x.x.x.x or ip.dst != x.x.x.x".  In both cases OR is
used, not AND.

In the "==" case, you are telling Wireshark to display packets where either the
source IP address matches x.x.x.x OR the destination address matches x.x.x.x. 
In the "!=" case, you are telling Wireshark to display packets where either the
source IP address does not match x.x.x.x OR the destination address does not
match x.x.x.x.  OR is applied in both cases and it is consistent.
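
Added example (not part of the original comment and not Wireshark code): a small Python model of the expansion described above, run over constructed packets, showing which packets each filter would display. The PSEUDO_FIELDS table, the function names and the sample addresses are assumptions of this example; the last filter, !(ip.addr == x.x.x.x), is the form that hides all traffic to or from a host.

```python
import ipaddress

# Pseudo-fields and the real fields they stand for. ip.addr is from the
# comment above; the table layout is an assumption of this example.
PSEUDO_FIELDS = {"ip.addr": ("ip.src", "ip.dst")}

def field_values(packet, field):
    """Return every value a field name refers to in this packet."""
    names = PSEUDO_FIELDS.get(field, (field,))
    return [ipaddress.ip_address(packet[n]) for n in names if n in packet]

def matches(packet, field, op, value):
    """'field op value' is true if ANY occurrence of the field satisfies op."""
    target = ipaddress.ip_address(value)
    if op == "==":
        return any(v == target for v in field_values(packet, field))
    if op == "!=":
        return any(v != target for v in field_values(packet, field))
    raise ValueError(f"unsupported operator: {op}")

def exclude_host(packet, value):
    """Model of !(ip.addr == value): neither source nor destination is value."""
    return not matches(packet, "ip.addr", "==", value)

# Constructed sample packets (documentation address ranges).
PACKETS = [
    {"ip.src": "192.0.2.10", "ip.dst": "198.51.100.5"},   # 0: from the host
    {"ip.src": "198.51.100.5", "ip.dst": "192.0.2.10"},   # 1: to the host
    {"ip.src": "203.0.113.7", "ip.dst": "198.51.100.5"},  # 2: unrelated
    {"ip.src": "192.0.2.10", "ip.dst": "192.0.2.10"},     # 3: host to itself
]
HOST = "192.0.2.10"

def shown(predicate):
    """Indexes of PACKETS that a filter would display."""
    return [i for i, p in enumerate(PACKETS) if predicate(p)]

if __name__ == "__main__":
    print("ip.addr == host    ->", shown(lambda p: matches(p, "ip.addr", "==", HOST)))
    print("ip.addr != host    ->", shown(lambda p: matches(p, "ip.addr", "!=", HOST)))
    print("!(ip.addr == host) ->", shown(exclude_host))
```

In this model "ip.addr != host" still displays packets 0 and 1, because one of their two addresses differs from the host; only the negated "==" form drops them.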
