On Mon, 28 Jan 2008 05:01:01 -0700, <wireshark-dev-request@xxxxxxxxxxxxx>
wrote:
ip.addr == 1.2.3.4 means "show me only packets where the address 1.2.3.4
appears in *some* IP header"
ip.addr != 1.2.3.4 means "show me only packets where the address in some
IP header is not 1.2.3.4"
Is there any known case where <field> != <value> is useful in its
current behaviour when <field> occurs multiple times in the packet?
The != case is generally == TRUE.
Why not make a preference on the behaviour of the "!=" operator in
a display filter. We could make it default to "show me all packets
that do not contain *any* field <field> with value <value>".
So, ip.addr means "any ip.addr". How about using !ip.addr to mean no
ip.addr? So
!ip.addr == 1.2.3.4 means "no ip address matches 1.2.3.4"
So, I wondered what that would do if I tried it. Holy smokes. It works. We
already have a way to say it. I do not think we need to change anything.
Maybe the expression builder could have !ip.addr and the corresponding
!whatevers in the menu.
We discussed the embedded packet case some time ago. Didn't we decide on
subscripts or something to deal with that? I have no way to gen such
packets here right now.
--john
--
John McDermott, CPLP, CCP
Learning and Performance Consultant
jjm at jkintl.com www.jkintl.com
V: +1 575/377-6293 Please call for fax access.
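
The matching behaviour discussed in this message, as an added example that is not part of the original post and is not Wireshark's own code: a small Python model of a field that can occur several times in one packet. The packet layout (a list of source/destination pairs, one per IP header), the function names and the sample packets are assumptions constructed for illustration.

```python
# Model: a packet is a list of (src, dst) pairs, one per IP header, outer
# header first. "ip.addr" yields every address from every header.

def ip_addr_values(packet):
    return [addr for header in packet for addr in header]

def any_eq(packet, value):
    """ip.addr == value: some occurrence equals value."""
    return any(a == value for a in ip_addr_values(packet))

def any_ne(packet, value):
    """ip.addr != value as described in the thread: some occurrence differs."""
    return any(a != value for a in ip_addr_values(packet))

def not_any_eq(packet, value):
    """!ip.addr == value as described in the thread: no occurrence equals value."""
    return not any_eq(packet, value)

# Constructed sample packets (not captured traffic).
PACKETS = {
    "to_target": [("10.0.0.5", "1.2.3.4")],
    "unrelated": [("10.0.0.5", "10.0.0.9")],
    # Outer header plus an embedded inner header, e.g. inside an ICMP error.
    "embedded_target": [("10.0.0.1", "10.0.0.5"), ("10.0.0.5", "1.2.3.4")],
    # No IP header at all, e.g. ARP.
    "non_ip": [],
}

def evaluate(value="1.2.3.4"):
    """Return {name: (==, !=, negated ==)} for every sample packet."""
    return {
        name: (any_eq(p, value), any_ne(p, value), not_any_eq(p, value))
        for name, p in PACKETS.items()
    }

if __name__ == "__main__":
    print(f"{'packet':<18}{'==':<8}{'!=':<8}{'!(==)':<8}")
    for name, row in evaluate().items():
        print(f"{name:<18}" + "".join(f"{str(v):<8}" for v in row))
```

In this model the != form still matches packets that involve 1.2.3.4, because their other address differs, while the negated form excludes them but also matches packets that carry no IP header at all.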