Wireshark-bugs: [Wireshark-bugs] [Bug 3872] New: Display filter expression "!ssl" gives differen

Date: Tue, 11 Aug 2009 11:39:32 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3872

           Summary: Display filter expression "!ssl" gives different results
                    under different circumstances for the same file
           Product: Wireshark
           Version: unspecified
          Platform: x86
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: ltoggenb@xxxxxx


Created an attachment (id=3497)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3497)
Small demo dumpfile

Build Information:
Ubuntu 9.04

Version 1.0.7

Compiled with GTK+ 2.16.1, with GLib 2.20.1, with libpcap 1.0.0, with libz
1.2.3.3, with POSIX capabilities (Linux), with libpcre 7.8, without SMI, with
ADNS, with Lua 5.1, with GnuTLS 2.4.2, with Gcrypt 1.4.1, with MIT Kerberos,
with PortAudio V19-devel (built Mar  4 2009), without AirPcap.

Running on Linux 2.6.28-14-generic, with libpcap version 1.0.0.

Built using gcc 4.3.3.

================================================================================

Windows XP Home, SP3

wireshark 1.3.0-SVN-29201 (SVN Rev 29201 from /trunk)




Compiled with GTK+ 2.16.2, with GLib 2.20.3, with WinPcap (version unknown),

with libz 1.2.3, without POSIX capabilities, with libpcre 7.0, with SMI 0.4.8,

with c-ares 1.6.0, with Lua 5.1, without Python, with GnuTLS 2.8.1, with Gcrypt

1.4.4, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 26

2009), with AirPcap.



Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.1
beta5



(packet.dll version 4.1.0.1452), based on libpcap version 1.0.0, GnuTLS 2.8.1,

Gcrypt 1.4.4, without AirPcap.



Built using Microsoft Visual C++ 9.0 build 30729
--
I noticed, that the same display filter expression (!ssl) for the same file
gives me a different number of packets in different circumstances. The file is
attached. This happens under Ubuntu and Windows.

In Ubuntu

Right click file -> Open with wireshark -> 60 packets
 displayed
Apply display filter "!ssl" -> 48 packets
 displayed
Keep display filter(!) -> File -> Open same file -> 46 packets
 displayed(*)
Keep display filter -> File -> Open -> Filter "!ssl" -> choose/open file -> 30
packets

Remove display filter -> File -> Open -> Filter "!ssl" -> choose/open file ->
30 packets


tshark -R '!ssl' -r demo.dump -w out.dump; capinfos -c out.dump; capinfos -c
out.dump -> 46 packets


================================================================================

In Windows

Right-click -> Open -> 60 packets

Display filter "!ssl" -> 30 packets

Keep display filter(!) -> File -> Open -> demo.dump -> 26 packets
 (*)
Keep display filter -> File -> Open -> Filter "!ssl" -> choose/open file -> 26
packets

Remove display filter -> File -> Open -> Filter "!ssl" -> choose/open file ->
26 packets


tshark -R !ssl -r demo.dump -w out.dump; capinfos -c out.dump -> 26 packets



The cases marked with (*) seem especially strange to me. Am I doing anything
wrong or have I misunderstood something? I expected that all filter expressions
would give the same number of packets.


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.