Yeah - I saw that post (but admittedly forgot about it) and at the time
didn't feel confident enough to query. I still don't really as I haven't
gone near the source.
BUT by the argument in that link then you should be able to get a
result from something like
(ip.addr != 10.100.0.124) && ((ip.src == 10.100.0.124) || (ip.dst ==
10.100.0.124))
and ...
oh bugger - there ARE results
and for
(!(ip.addr != 10.100.0.124)) && ((ip.src == 10.100.0.124) || (ip.dst ==
10.100.0.124))
There are no results
so my assumption of ip.addr is obviously not right, somewhere there's
an OR going on with ip.addr looking at the src/dest rather than an AND.
Using the dialog box to assemble the query leads down the wrong path for
this.
Ethereal is obviously broken because it gives me what I asked for and
not what I wanted
(yes I was kidding)
Thanks for pointing this out
Dave
>>> martin.regner@xxxxxxxxx 4/06/04 09:52:25 >>>
David Bremer wrote:
> BUT - if you already have a capture and want to eliminate your own
IP
> then check out the display filter - try "ip.addr != 10.100.0.124"
Instead of using:
ip.addr != 10.100.0.124
you should probably use:
!(ip.addr == 10.100.0.24)
as described in Richard Urwins mail:
http://www.ethereal.com/lists/ethereal-users/200406/msg00013.html
or maybe the following one if you want to exclude also the packets that
are not ip-packets:
ip and !(ip.addr == 10.10.0.24)
Similar applies for other fields that may appear more than once in a
frame.
For example to find tcp packets where neither tcp source port nor tcp
destination port is 80 then you could use the
following filter:
tcp and !(tcp.port == 80)
or you could use :
tcp.srcport != 80 and tcp.dstport != 80
the filter:
tcp.port != 80
will only exclude tcp packets sent from source port 80 to destination
port 80
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users