Leonard E. Nielsen wrote:

Display filter - If you set up a display filter "ip.addr != A.B.C.D" ICMP
packets to/from A.B.C.D are not filtered out.

"ip.addr != A.B.C.D" means "the packet has at least one 'ip.addr' value
not equal to A.B.C.D".

Every packet with an IPv4 source and destination address has *TWO*
"ip.addr" values - one for the source address and one for the
destination address.

This allows you to filter for packets to or from A.B.C.D with "ip.addr
== A.B.C.D".

This also does *NOT* allow you to filter *OUT* packets to or from
A.B.C.D - i.e., to hide all packets to *OR* from A.B.C.D - by doing
"ip.addr != A.B.C.D", because a packet to or from A.B.C.D might be from
or to some other host and thus might contain one "ip.addr" value not
equal to A.B.C.D.

What you want is a filter that says "*NO* 'ip.addr' value is A.B.C.D",
i.e. "!(ip.addr == A.B.C.D)". !(X == Y) is, in the display filter
language, different from "X != Y" - using the predicate calculus
quantifiers "for all" and "there exists", "!(X == Y)", with "X" a field
and "Y" a value, means "not (there exists a field named X in the packet
with the value Y)", i.e. "for all fields named X in the packet, the
value of the field is not Y", while "X != Y" means "there exists a field
named X in the packet that has a value other than Y".

None of that is specific to ICMP packets; it applies to all IP packets.

For ICMP packets, there's an additional complication, namely that, for
ICMP messages containing part or all of an IP packet that caused an
error, the IP packet is dissected, so *its* "ip.addr" fields also appear
in the packet. However, as a packet from A to B would, if it got an
error, cause an ICMP packet to be sent from B to A, that's probably not
the issue you're seeing.
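
The quantifier semantics described in the message above, modelled as an added example (not part of the original message, and not Wireshark's own code). The packet set, the addresses (10.0.0.5 stands in for A.B.C.D) and the function names are constructed for illustration.

```python
# Model of multi-valued display-filter fields: a packet is a dict mapping a
# field name to every value the dissector produced for that field.
TARGET = "10.0.0.5"  # constructed stand-in for A.B.C.D

# Constructed sample packets (documentation address ranges).
PACKETS = {
    "to_target":   {"ip.addr": ["192.0.2.1", TARGET]},
    "from_target": {"ip.addr": [TARGET, "192.0.2.1"]},
    "unrelated":   {"ip.addr": ["192.0.2.1", "198.51.100.7"]},
    # ICMP error whose outer header is 203.0.113.1 -> 192.0.2.1 and whose
    # quoted inner packet is 192.0.2.1 -> TARGET: four ip.addr values.
    "icmp_quoting_target": {
        "ip.addr": ["203.0.113.1", "192.0.2.1", "192.0.2.1", TARGET]
    },
    # Non-IP frame: the field is absent entirely.
    "arp_no_ip": {},
}


def any_eq(pkt, field, value):
    """X == Y: there exists a field X in the packet with the value Y."""
    return any(v == value for v in pkt.get(field, []))


def any_ne(pkt, field, value):
    """X != Y: there exists a field X in the packet with a value other than Y."""
    return any(v != value for v in pkt.get(field, []))


def none_eq(pkt, field, value):
    """!(X == Y): no field X in the packet has the value Y."""
    return not any_eq(pkt, field, value)


def shown(predicate):
    """Names of the sample packets a filter would display, sorted."""
    return sorted(n for n, p in PACKETS.items() if predicate(p, "ip.addr", TARGET))


if __name__ == "__main__":
    print("ip.addr == T    :", shown(any_eq))
    print("ip.addr != T    :", shown(any_ne))
    print("!(ip.addr == T) :", shown(none_eq))
```

In this model "!(ip.addr == T)" also displays frames with no "ip.addr" field at all, and hides the ICMP error because of the address in its quoted inner packet.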