On Sun, May 23, 2004 at 12:46:03PM -0700, Guy Harris wrote:
> "ip.addr != 10.100.128.81" means "packet has an 'ip.addr' value equal to
> something other than 10.100.128.81"; a packet from 10.100.128.81, unless
> it's being sent from the machine to itself, has an "ip.addr" value equal
> to something other than 10.100.128.81 - the address it's sent to.
>
> "not (ip.addr eq 10.100.128.81)", however, means "packet does not have
> an 'ip.addr' value equal to 10.100.128.81", which is not the same as
> "packet has an 'ip.addr' value equal to something other than
> 10.100.128.81", because IPv4 packets normally have at least two
> "ip.addr" values - the from address and the to address.

In order to enable "power users" to understand the differences more easily,
the tool dftest exists but wasn't built by default. As this tool is quite
small when using shared libs, I've changed the default to yes.

This is what the result looks like:

jmayer@egg:~/work/ethereal/main> dftest "ip.addr != 10.100.128.81"
Filter: "ip.addr != 10.100.128.81"
dfilter ptr = 0x081570a0
00000 READ_TREE ip.addr -> reg#0
00001 IF-FALSE-GOTO 4
00002 PUT_FVALUE <FT_IPv4> -> reg#1
00003 ANY_NE reg#0 == reg#1
00004 RETURN

jmayer@egg:~/work/ethereal/main> dftest "not (ip.addr eq 10.100.128.81)"
Filter: "not (ip.addr eq 10.100.128.81)"
dfilter ptr = 0x081570f0
00000 READ_TREE ip.addr -> reg#0
00001 IF-FALSE-GOTO 4
00002 PUT_FVALUE <FT_IPv4> -> reg#1
00003 ANY_EQ reg#0 == reg#1
00004 NOT
00005 RETURN

While still not intuitive (it still isn't visible that ip.addr catches both
the source and destination address), it's interesting to see what the different
expressions amount to. It also shows that both behave differently in case no
ip.addr exists.

Ciao
Joerg
--
Joerg Mayer <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
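
The two dftest listings in the message above can be stepped through against sample frames. The following is an added example, not part of the original message and not Ethereal code: a small Python model of the opcodes shown in the dftest output. The interpreter semantics, the helper names (prog, run, results) and the sample frames are assumptions constructed for illustration.

```python
# Model of the two dftest listings in this message. Opcode names come from the
# dftest output; the interpreter semantics are an assumption for illustration.
import ipaddress

def prog(test_op, negate, value):
    """Rebuild a listing; 'value' fills in the operand dftest shows as <FT_IPv4>."""
    code = [("READ_TREE", "ip.addr", 0),                        # 00000
            ("IF-FALSE-GOTO", 4),                               # 00001
            ("PUT_FVALUE", ipaddress.ip_address(value), 1),     # 00002
            (test_op, 0, 1)]                                    # 00003
    # The second listing has a NOT at 00004, so the jump target lands on it.
    return code + ([("NOT",)] if negate else []) + [("RETURN",)]

def run(code, frame):
    """frame maps a field name to the list of values it carries in one frame."""
    reg, accum, pc = {}, False, 0
    while True:
        op, *args = code[pc]
        pc += 1
        if op == "READ_TREE":            # load every occurrence of the field
            reg[args[1]] = [ipaddress.ip_address(v) for v in frame.get(args[0], [])]
            accum = bool(reg[args[1]])
        elif op == "IF-FALSE-GOTO":      # field absent: skip the comparison
            if not accum:
                pc = args[0]
        elif op == "PUT_FVALUE":
            reg[args[1]] = [args[0]]
        elif op in ("ANY_EQ", "ANY_NE"):  # true if ANY pair of values satisfies it
            accum = any((a == b) == (op == "ANY_EQ")
                        for a in reg[args[0]] for b in reg[args[1]])
        elif op == "NOT":
            accum = not accum
        elif op == "RETURN":
            return accum

HOST = "10.100.128.81"
NE = prog("ANY_NE", False, HOST)       # ip.addr != 10.100.128.81
NOT_EQ = prog("ANY_EQ", True, HOST)    # not (ip.addr eq 10.100.128.81)
# Constructed frames: ip.addr carries both the source and the destination.
FRAMES = {"from host": {"ip.addr": [HOST, "10.0.0.1"]},
          "unrelated": {"ip.addr": ["10.0.0.2", "10.0.0.1"]},
          "to itself": {"ip.addr": [HOST, HOST]},
          "non-IP":    {}}

def results():
    """Return {frame name: (result of '!=' filter, result of 'not (eq)' filter)}."""
    return {n: (run(NE, f), run(NOT_EQ, f)) for n, f in FRAMES.items()}

if __name__ == "__main__":
    for name, (ne, not_eq) in results().items():
        print(f"{name:10} '!=' -> {ne!s:5}  'not (eq)' -> {not_eq}")
```

In this model a frame sent from 10.100.128.81 still passes the "!=" filter because its destination address differs, and a frame with no ip.addr at all passes only the "not (...)" form, since the jump lands on the NOT.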