The difference is the difference between the upside down A (==For ALL it is true)
and the mirrored E (==there EXISTS at least one)
I.e.
payload.packet.a_field != 1
is only the same as
!(payload.packet.a_field
== 1)
if this field exists exactly once in the set.
If the field exists multiple times then
payload.packet.a_field != 1
is no longer the same as
!(payload.packet.a_field == 1)
try rewriting your filters to be
!(payload.packet.a_field==1)
instead
On 9/7/06, Andrew Schweitzer <a.schweitzer.grps@xxxxxxxxx
> wrote:I have a field which can appear more than once in a message. When it
appears only once I seem to have no trouble filtering on it. When it
appears more than once I seem to getting the wrong results.
Maybe someone can explain what I'm doing wrong?
This is a customer dissector.
I have these fields:
-->header.msg_id: single_packet or multiple_packet
-->payload.packet.a_field
If I search on
protocol.header.msg_id == single_packet and (payload.packet.a_field
!= 1
and payload.packet.a_field != 2)
everything works fine.
However, if I search on
protocol.header.msg_id == multiple_packet and (payload.packet.a_field !=
1 and payload.packet.a_field != 2)
I seem to get any packet that is *either* a_field != 1 *or* a_field != 2
Any suggestions on how to fix? I assume it has to do with how I register
these fields with wireshark in the dissector code.
Thanks
Andy
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev