Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 11860] Display filter operator != not working as exepected

Wireshark-bugs: [Wireshark-bugs] [Bug 11860] Display filter operator != not working as exepected

Date: Wed, 16 Dec 2015 22:58:47 +0000

Comment # 8 on bug 11860 from [email protected]

(In reply to Guy Harris from comment #7)
> (In reply to João Valverde from comment #6)
> > The most natural formal interpretation would be an AND relation, which the
> > operator doesn't follow anyway, for convenience.
> 
> I.e., the _expression_ {field} {op} {value} should be interpreted as "for all
> instances of {field}, the relation '{value of that instance of the field}
> {op} {value}' is true", rather than as "there is an instance of {field} such
> that the relation '{value of that instance of the field} {op} {value}' is
> true"?
> 
> That would mean that "ip.addr == 192.168.0.1" would only match packets from
> 192.168.0.1 to 192.168.0.1; I'm not sure that would be useful.

The issue comes down to 
CASE {OP}:
   '==' : IF ANY instance of {field} {op} {value} : True
   '!=' : IF ALL instance of {field} {op} {value} : True
 ECASE : False

The interpretation of the search is different for different {op} fields.  The
'ip.addr ==' interprets as source OR destination where as 'ip.addr !='
interprets as source AND destination.

You are receiving this mail because:

You are watching all bug changes.

References:
- [Wireshark-bugs] [Bug 11860] New: Display filter operator != not working as exepected
  - From: bugzilla-daemon

Prev by Date: [Wireshark-bugs] [Bug 11786] "Delta time displayed" column in Wireshark doesn't work well, but Wireshark-gtk does.
Next by Date: [Wireshark-bugs] [Bug 11884] Wireshark 2.1.0-1049 crashes on launch.
Previous by thread: [Wireshark-bugs] [Bug 11860] Display filter operator != not working as exepected
Next by thread: [Wireshark-bugs] [Bug 11860] Display filter operator != not working as exepected
Index(es):
- Date
- Thread