[Guy Harris <gharris@xxxxxxxxx>]

LEGO wrote:

> the '|' operator isn't a logical OR it's a bitwise OR.
> "xxx.flags | 0x0F" will be true if any of the four least significative
> bits of xxx.flags is set.

If there were a bitwise OR operator in the display filter language, 
"xxx.flags | 0x0F" would be non-zero if any of the bits in "xxx.flags" 
were non-zero or if any of the bits in 0x0F were non-zero, meaning it'd 
always be true.

However, there isn't a bitwise OR operator.

There is, however, a bitwise AND operator.  The man page doesn't make it 
clear that the result of it is Boolean, but it appears that you can't 
compare the results of a bitwise AND against anything, so presumably the 
bitwise AND operator does a bitwise AND and evaluates to "true" if any 
of the resulting bits are non-zero and "false" otherwise.

To quote the ethereal-filter(4) man page:

	Bitwise AND operates on integer protocol fields and slices.

		...

	When using slices, the bit mask must be specified as a byte string, and 
it must have the same number of bytes as the slice itself ...

so "eth.dst[0:1] & 1" should test the low-order bit of the first byte of 
the destination address, and match packets where that bit is set.

Given that, "!(eth.dst[0:1] & 1)" should test that bit and match packets 
where it's *not* set, so that should be a display filter to show only 
unicast packets.