Wireshark-bugs: [Wireshark-bugs] [Bug 11860] Display filter operator != not working as expected

Date: Mon, 07 Dec 2015 19:00:04 +0000

Comment # 5 on bug 11860 from
(In reply to Christopher Maynard from comment #4)
> The expansion is the same, regardless of operator.  Keep in mind that there
> is no "ip.addr" field.

...and that there are multiple instances of it in packets, one for the source
address and one for the destination address.

The fact that there can be *multiple* instances of a field is what makes this
confusing.  If there's only one {field} in a packet, then the meaning of
"{field} {relop} {value}", for all values of {relop} (==, !=, >, >=, <, <=,
etc.) is obvious - it tests whether the relation is true for the value of that
one instance of the field and the value with which you're comparing it.  If,
however, there's *more than one* instance, there are multiple possible
interpretations:

    the relation is true for the value of one particular instance of that
    field, such as the first;

    the relation is true for all values of the field;

    the relation is true for at least one value of the field;

etc.

Wireshark's interpretation is "the relation is true for at least one value of
the field".

"OR" would be "the relation is true for at least one value of the field". 
"AND" would be "the relation is true for all values of the field".


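The interpretations listed in the comment above, modelled as an added example (not part of the original message and not Wireshark code). The packets, addresses and helper names are constructed for illustration, and treating a packet with no instance of the field as a non-match is an assumption.

```python
import operator

RELOPS = {"==": operator.eq, "!=": operator.ne}

# Constructed sample packets: each is a list of (field, value) pairs.
# "ip.addr" occurs twice per IP packet: once for source, once for destination.
PACKETS = {
    "a_to_b": [("ip.addr", "10.0.0.5"), ("ip.addr", "192.0.2.7")],
    "b_to_a": [("ip.addr", "192.0.2.7"), ("ip.addr", "10.0.0.5")],
    "other":  [("ip.addr", "10.0.0.9"), ("ip.addr", "198.51.100.3")],
    "arp":    [("arp.opcode", "1")],  # no ip.addr instance at all
}

def values(packet, field):
    """Every instance of `field` in the packet, in order."""
    return [v for name, v in packet if name == field]

def match_any(packet, field, relop, value):
    """'OR' reading: the relation holds for at least one instance."""
    return any(RELOPS[relop](v, value) for v in values(packet, field))

def match_all(packet, field, relop, value):
    """'AND' reading: the relation holds for every instance.
    Assumption: a packet with no instance of the field does not match."""
    vals = values(packet, field)
    return bool(vals) and all(RELOPS[relop](v, value) for v in vals)

def select(predicate):
    """Names of the sample packets for which the predicate is true."""
    return [name for name, pkt in PACKETS.items() if predicate(pkt)]

HOST = "10.0.0.5"

# ip.addr != HOST under the "at least one" reading: any packet with an
# address other than HOST matches, including traffic to or from HOST.
ne_any = select(lambda p: match_any(p, "ip.addr", "!=", HOST))

# The same relation under the "all values" reading: traffic involving
# HOST is excluded.
ne_all = select(lambda p: match_all(p, "ip.addr", "!=", HOST))

# Negating the "at least one" equality test also excludes HOST's traffic,
# and additionally keeps packets that carry no ip.addr field.
not_eq_any = select(lambda p: not match_any(p, "ip.addr", "==", HOST))

if __name__ == "__main__":
    print("any !=    :", ne_any)
    print("all !=    :", ne_all)
    print("not any ==:", not_eq_any)
```

When a capture is being filtered to exclude a host during triage, the first result is the one to watch for: the filter appears to work but the host's traffic is still present.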