Guy Harris wrote:
Ulf Lamping wrote:
As I've written in my other mail, I would expect a dialog box in this
case, saying something like "ip.addr != 10.0.0.1 is very certainly not
what you want! Should I filter !(ip.addr == 10.0.0.1) instead, which
results in ...".
That applies to *any* field when you do a "!=" comparison; it's not
unique to ip.addr (that's probably the most common example, but tcp.port
and udp.port are probably also somewhat common places where this
surprises users). If we're to pop up a warning, I'd pop it up for any
use of "!=", and offer a "don't show this dialog any more" checkbox so
that the user can say "OK, I understand now" and not be bothered in the
future.
As far as I understand the problem, this applies to any what I would
call "combined fields" like ip.addr being a combination of source and
(or) destination address. Of course this problem also applies to
eth.addr, tcp.port and udp.port, and yes, these are the most common
examples - and helping the users with these cases would already be a good
step forward.
I personally know at least 10 persons who had actual problems with this!!!
"Simple filter fields" like eth.type != 0x800 work just as expected -
making the problem even more confusing if you don't know what's going on ;-)
Regards, ULFL
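
The difference discussed in this thread, as an added example that is not part of the original mails or of the project's code. It is a small Python model that assumes a comparison on a field is true when any occurrence of that field in the packet satisfies it; the packets and the helper names are constructed for illustration.

```python
# Constructed sample packets: each field name maps to every value it carries.
# ip.addr occurs twice per IP packet (source and destination), eth.type once.
PACKETS = {
    "A": {"ip.addr": ["10.0.0.1", "10.0.0.2"], "eth.type": [0x0800]},
    "B": {"ip.addr": ["10.0.0.3", "10.0.0.1"], "eth.type": [0x0800]},
    "C": {"ip.addr": ["10.0.0.2", "10.0.0.3"], "eth.type": [0x0800]},
    "D": {"eth.type": [0x0806]},  # ARP frame: no ip.addr field at all
}


def any_eq(pkt, field, value):
    """Model of 'field == value': true if ANY occurrence equals value."""
    return any(v == value for v in pkt.get(field, []))


def any_ne(pkt, field, value):
    """Model of 'field != value': true if ANY occurrence differs from value."""
    return any(v != value for v in pkt.get(field, []))


def matches(pred):
    """Names of the sample packets a predicate selects."""
    return sorted(name for name, pkt in PACKETS.items() if pred(pkt))


def compare_filters(field, value):
    """Return (hits of 'field != value', hits of '!(field == value)')."""
    ne_hits = matches(lambda p: any_ne(p, field, value))
    not_eq_hits = matches(lambda p: not any_eq(p, field, value))
    return ne_hits, not_eq_hits


if __name__ == "__main__":
    for field, value in (("ip.addr", "10.0.0.1"), ("eth.type", 0x0800)):
        ne_hits, not_eq_hits = compare_filters(field, value)
        print(f"{field} != {value!r}: {ne_hits}")
        print(f"!({field} == {value!r}): {not_eq_hits}")
```

In this model the "!=" form still selects packets A and B, which involve 10.0.0.1, because their other address differs; the negated form drops them and also keeps the non-IP packet D.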