Wireshark-bugs: [Wireshark-bugs] [Bug 10379] Display filter ip.dst and and ip.src working like i

Date: Fri, 15 Aug 2014 20:06:37 +0000

changed bug 10379


What Removed Added
Hardware x86-64 All
OS Windows 7 All

Comment # 6 on bug 10379 from
(In reply to Jerome from comment #5) 
> I do see two different places in the dissection where ip.src is one each,
> the phone and the server.  So the statement that ip.src is a field cannot be
> true?

The statement that a field can only appear once in a packet is not true.

This means that a filter

    {field} {comparison} {value}

should be interpreted as meaning "there exists at least one instance of {field}
with a value such that, when compared with {value} using the comparison
operator {comparison}, compares true". not "the value of {field}, when compared
with {value} using the comparison operator {comparison}, compares true".  For
example,

    ip.src == 1.2.3.4

means "there exists at least one instance of ip.src that's equal to 1.2.3.4".

A consequence of this is that

    ip.src != 1.2.3.4

is *NOT* the negation of

    ip.src == 1.2.3.4

The negation of

    ip.src == 1.2.3.4

is

    !(ip.src == 1.2.3.4)

> Else the field conforms to the Shrodinger's cat rules of physics?  If
> one is an embedded copy of the message, shouldn't those fields have
> different names?

No, but for "error packets" such as the embedded IPv4 packet in ICMP packets
(this also happens with ICMPv6 and with the OSI equivalent of ICMP errors),
perhaps filters shouldn't apply to them by default, with a special display
filter syntax used to match on fields in "error packets".


You are receiving this mail because:
  • You are watching all bug changes.