https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3872
Summary: Display filter expression "!ssl" gives different results
under different circumstances for the same file
Product: Wireshark
Version: unspecified
Platform: x86
OS/Version: All
Status: NEW
Severity: Normal
Priority: Medium
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: ltoggenb@xxxxxx
Created an attachment (id=3497)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3497)
Small demo dumpfile
Build Information:
Ubuntu 9.04
Version 1.0.7
Compiled with GTK+ 2.16.1, with GLib 2.20.1, with libpcap 1.0.0, with libz
1.2.3.3, with POSIX capabilities (Linux), with libpcre 7.8, without SMI, with
ADNS, with Lua 5.1, with GnuTLS 2.4.2, with Gcrypt 1.4.1, with MIT Kerberos,
with PortAudio V19-devel (built Mar 4 2009), without AirPcap.
Running on Linux 2.6.28-14-generic, with libpcap version 1.0.0.
Built using gcc 4.3.3.
================================================================================
Windows XP Home, SP3
wireshark 1.3.0-SVN-29201 (SVN Rev 29201 from /trunk)
Compiled with GTK+ 2.16.2, with GLib 2.20.3, with WinPcap (version unknown),
with libz 1.2.3, without POSIX capabilities, with libpcre 7.0, with SMI 0.4.8,
with c-ares 1.6.0, with Lua 5.1, without Python, with GnuTLS 2.8.1, with Gcrypt
1.4.4, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 26
2009), with AirPcap.
Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.1
beta5
(packet.dll version 4.1.0.1452), based on libpcap version 1.0.0, GnuTLS 2.8.1,
Gcrypt 1.4.4, without AirPcap.
Built using Microsoft Visual C++ 9.0 build 30729
--
I noticed, that the same display filter expression (!ssl) for the same file
gives me a different number of packets in different circumstances. The file is
attached. This happens under Ubuntu and Windows.
In Ubuntu
Right click file -> Open with wireshark -> 60 packets
displayed
Apply display filter "!ssl" -> 48 packets
displayed
Keep display filter(!) -> File -> Open same file -> 46 packets
displayed(*)
Keep display filter -> File -> Open -> Filter "!ssl" -> choose/open file -> 30
packets
Remove display filter -> File -> Open -> Filter "!ssl" -> choose/open file ->
30 packets
tshark -R '!ssl' -r demo.dump -w out.dump; capinfos -c out.dump; capinfos -c
out.dump -> 46 packets
================================================================================
In Windows
Right-click -> Open -> 60 packets
Display filter "!ssl" -> 30 packets
Keep display filter(!) -> File -> Open -> demo.dump -> 26 packets
(*)
Keep display filter -> File -> Open -> Filter "!ssl" -> choose/open file -> 26
packets
Remove display filter -> File -> Open -> Filter "!ssl" -> choose/open file ->
26 packets
tshark -R !ssl -r demo.dump -w out.dump; capinfos -c out.dump -> 26 packets
The cases marked with (*) seem especially strange to me. Am I doing anything
wrong or have I misunderstood something? I expected that all filter expressions
would give the same number of packets.
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.