Richard Ginski:
>I am using a Network Associates "enc" file. Ethereal seems to parse this
>fine. However, I am trying to use the "ip.addr !=" expression and all I
>receive is the ip traffic from the address I was trying to exclude. What
>am I doing wrong?
It's not a fault. It is the way display filtering has been implemented.
It may be a bit confusing, until you get used to it.
The display filter:
ip and !(ip.addr == 10.10.10.20)
should do what you want, I think.
Or you can use the filter "ip.src != 10.10.10.20 and ip.dst != 10.10.10.20".
The display filter "ip.addr != 10.10.10.20" will, however, also match packets where "ip.src == 10.10.10.20" but "ip.dst != 10.10.10.20"
and the packets where "ip.dst == 10.10.10.20" but "ip.src != 10.10.10.20", i.e. that filter will match almost all packets.
The packets where both the source and destination addresses are equal to 10.10.10.20 are the only packets that will not match the
filter "ip.addr != 10.10.10.20" (but there are probably no such packets in your capture).
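
The following is an added example, not part of the original message and not Ethereal code: a small Python model of the matching behaviour described above, where "ip.addr" occurs twice per packet and a comparison matches if any occurrence satisfies it. The packet list and function names are constructed for illustration, and every sample packet is IP, so the leading "ip and" is omitted.

```python
import operator

# Constructed sample packets as (src, dst); not taken from any real capture.
PACKETS = [
    ("10.10.10.20", "10.10.10.1"),   # from the host we want to exclude
    ("10.10.10.1", "10.10.10.20"),   # to the host we want to exclude
    ("10.10.10.1", "10.10.10.2"),    # unrelated traffic
    ("10.10.10.20", "10.10.10.20"),  # both addresses are the excluded host
]

def fields(pkt):
    """Field values per packet; ip.addr appears once for src and once for dst."""
    src, dst = pkt
    return {"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst]}

def matches(pkt, field, op, value):
    """A comparison is true when ANY occurrence of the field satisfies it."""
    return any(op(v, value) for v in fields(pkt)[field])

def addr_ne(pkt, host):
    # Models: ip.addr != host
    return matches(pkt, "ip.addr", operator.ne, host)

def not_addr_eq(pkt, host):
    # Models: !(ip.addr == host)
    return not matches(pkt, "ip.addr", operator.eq, host)

def src_ne_and_dst_ne(pkt, host):
    # Models: ip.src != host and ip.dst != host
    return (matches(pkt, "ip.src", operator.ne, host)
            and matches(pkt, "ip.dst", operator.ne, host))

def run(filt, host="10.10.10.20"):
    """Return the sample packets that the modelled filter would display."""
    return [p for p in PACKETS if filt(p, host)]

if __name__ == "__main__":
    for f in (addr_ne, not_addr_eq, src_ne_and_dst_ne):
        print(f"{f.__name__:18} -> {run(f)}")
```
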