Peyrusson, Yannick (Ext) wrote:
If not, what happens when filtering for example the field1 (that has no
sens if opcode equals 2) ??
A filter expression of the form "myproto.field1" is true if the packet
has a "myproto.field1" field and false if it doesn't. That expression
will evaluate to false for packets with an opcode of 2, as those packets
have no "myproto.field1" field.
A filter expression of the form "myproto.field1 {op} {value}", where
"{op}" is a comparison or match operator (==, !=, >, <, <=, >, >= and so
on) and {value} is a value, is true if the packet has a "myproto.field1"
field and the comparison or match is true (e.g., with "==", it's true if
the field's value is equal to {value}", and false otherwise. That type
of expression will *also* evaluate to false for packets with an opcode
of 2, as those packets have no "myproto.field1" value.
NOTE: this means that the expression "myproto.field1 != 17" will be
*FALSE* for packets with an opcode of 2. There's no "third value" for a
filter expression; they all have to evaluate to true or false, as a
packet either has to be (displayed, found, printed, etc.) or not -
there's no meaning to assign to "that expression refers to a field
that's not in the packet, so it's neither true nor false".