Wireshark-dev: Re: [Wireshark-dev] ip.addr != 10.0.0.1

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 27 Jan 2008 12:45:13 -0800
Jaap Keuter wrote:
I'm very much opposed to it. Boolean logic can be a somewhat tricky, but when you master the math it becomes a powerful tool.
(Actually, it's more like propositional calculus vs. predicate calculus; a filter expression "{field} {comparison} {value}" means
there exists an instance of {field} such that {value of that instance} {comparison} {value} 

and the negation of that isn't
there exists an instance of {field} such that {value of that instance} {not-comparison} {value} 

which would be

	{field} {not-comparison} {value}

isn't the negation, the negation is
for all instances of {field}, {value of that instance} {not-comparison} {value} 

which would be

	!({field} {comparison} {value})

.)

But, yes, special-casing some fields would, I think, be the wrong answer.
I think a better answer might be to add syntax similar to capture fiters, so that if you want all packets to or from "foo", you can say "host foo" for which the negation is more obviously "not host foo".