Wireshark-dev: Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)
From: Sake Blok <sake@xxxxxxxxxx>
Date: Tue, 29 Jan 2008 22:58:27 +0100
Hi All,

Hmmm... although some good ideas have been raised, they all had 
their disadvantages. Basically I think the way the filters work
is fine for people who get used to the way the filters work. It 
is just a steep learning curve where the information needed to
learn to use the display filter syntax on fields that have 
multiple occurrences in one packet.

So, if we need to stick to the current behaviour (which I have
become a favorite of by now), why not try to educate the user
from within Wireshark instead of from the external sources like
the Wiki and the Mailinglists.

I think the idea of a pop-up explaining the way the operator
"!=" works on fields with multiple occurrences in one packet is
a good way to educate people. But only if there is an option
to "Don't show me this message again" :-)

If we agree on this approach, all we have to do is decide in
which cases the pop-up should be shown. Which is a whole new
discussion :-)

Some random thoughts:

a) Every time "!=" is used, just to educate the user up
   front. But I think the learning experience only kicks
   in when the user can see the bad behaviour. And this would 
   not happen on all the fields that only have one occurrence
   in every packet.

b) Only show the message when the field that is used with
   the "!=" operator actually does occur multiple times in
   one of the packets in the trace file. This however would
   mean a big degradation in performance.

c) Only when "ip.addr != xxx", "tcp.port != xxx" or
   "udp.port != xxx" is typed as a filter. The idea is that
   this is probably the first occurrence of "!=" the user 
   will try on a field with multiple occurrences in one
   packet. This might be a good compromise...
   packet. This might be a good compromise...


Oh, we also would need to write a very nice compact, easy 
to understand message. With of course a link for some more
background and examples to the Wiki.

Cheers,
    Sake
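
The behaviour this thread is about, as an added example that is not part of the original message and is not Wireshark code: a simplified Python model in which a comparison on a field matches when any occurrence of that field in the packet satisfies it, plus a trigger check for the three filters named in option (c). The packets, function names and the regular expression are assumptions made for illustration.

```python
import re

# Constructed sample packets: each field maps to ALL of its occurrences in
# that packet (ip.addr occurs twice: once for source, once for destination).
PACKETS = [
    {"ip.addr": ["10.0.0.1", "192.168.1.5"]},    # sent by 10.0.0.1
    {"ip.addr": ["192.168.1.5", "10.0.0.1"]},    # sent to 10.0.0.1
    {"ip.addr": ["192.168.1.5", "172.16.0.9"]},  # unrelated traffic
]

def any_eq(pkt, field, value):
    """field == value: true if ANY occurrence equals value."""
    return any(v == value for v in pkt.get(field, []))

def any_ne(pkt, field, value):
    """field != value under the same any-occurrence rule."""
    return any(v != value for v in pkt.get(field, []))

def matches(packets, pred, field, value, negate=False):
    """Indexes of packets passing pred, or its negation when negate=True."""
    return [i for i, p in enumerate(packets) if pred(p, field, value) != negate]

# Option (c): warn only for the fields the message lists.
MULTI_FIELDS = ("ip.addr", "tcp.port", "udp.port")
WARN_RE = re.compile(
    r"\b(" + "|".join(re.escape(f) for f in MULTI_FIELDS) + r")\s*!="
)

def should_warn(filter_text):
    """True when the typed filter applies != to one of MULTI_FIELDS."""
    return WARN_RE.search(filter_text) is not None

if __name__ == "__main__":
    # "ip.addr != 10.0.0.1": every packet has some address that differs,
    # so nothing is filtered out.
    print(matches(PACKETS, any_ne, "ip.addr", "10.0.0.1"))
    # "!(ip.addr == 10.0.0.1)": only the packet not involving the host.
    print(matches(PACKETS, any_eq, "ip.addr", "10.0.0.1", negate=True))
    print(should_warn("ip.addr != 10.0.0.1"), should_warn("!(ip.addr == 10.0.0.1)"))
```

In an investigation this matters because a filter meant to exclude one host's traffic silently keeps all of it, so the negated-equality form is the one to use for exclusion.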