Wireshark-dev: Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)

From: "Kenichi Okuyama" <kenichi.okuyama@xxxxxxxxx>
Date: Tue, 29 Jan 2008 10:05:27 +0900
Dear John,

Sorry to interrupt you. I simply want to make sure. You mean, in
current implementation:

a) ( ip.addr == 1.2.3.4 ) means (( ip.src == 1.2.3.4 )||( ip.dst == 1.2.3.4 )).

b) ( ip.addr != 1.2.3.4 ) means (( ip.src != 1.2.3.4 )||( ip.dst != 1.2.3.4 ))
 which stands for   !(( ip.src == 1.2.3.4 )&&( ip.dst == 1.2.3.4 ))
 ( which means "ignore if both src and dst are 1.2.3.4" )

c) !ip.addr == 1.2.3.4 means ( !( ip.addr == 1.2.3.4 ))
    which stands for ( !(( ip.src == 1.2.3.4 )||( ip.dst == 1.2.3.4 )))
    which stands for ( ip.src != 1.2.3.4 )&&( ip.dst != 1.2.3.4 )

I do agree about b) being very confusing. I was trapped by this syntax
only a week ago. It took me very long before I figured out what was
happening.

Are you saying that we should create new Field name? Or are you saying
that we should have priority within operators(relations) so that we
can avoid brackets?

# My personal opinion is, !ip.addr is confusing.
# We should use bracket, though too much brackets itself is confusing ...

Sorry for interruption. I simply wanted to know what was the point,
because I did have similar problem recently.
best regards,

2008/1/29, John McDermott <jjm@xxxxxxxxxx>:
> On Mon, 28 Jan 2008 05:01:01 -0700, <wireshark-dev-request@xxxxxxxxxxxxx>
> wrote:
>
> ip.addr == 1.2.3.4 means "show me only packets where the address 1.2.3.4
> appears in *some* IP header"
> ip.addr != 1.2.3.4 means "show me only packets where the address in some
> IP header is not 1.2.3.4"
>
> > Is there any known case where <field> != <value> is useful in it's
> > current behaviour when <field> occurs multiple times in the packet?
>
> The != case is generally == TRUE.
>
> > Why not make a preference on the behaviour of the "!=" operator in
> > a display filter. We could make it default to "show me all packets
> > that do not contain *any* field <field> with value <value>".
>
> So, ip.addr means "any ip.addr". How about using !ip.addr to mean no
> ip.addr? So
>    !ip.addr == 1.2.3.4 means "no ip address matches 1.2.3.4"
>
> So, I wondered what that would do if I tried it. Holy smokes. It works. We
> already have a way to say it. I do not think we need to change anything.
> Maybe the expression builder could have !ip.addr and the corresponding
> !whaterers in the menu.
>
> We discussed the embedded packet case some time ago. Did't we decide on
> subscripts or something to deal with that? I have no way to gen such
> packets here right now.
>
> --john
>
> --
> John McDermott, CPLP, CCP
> Learning and Performance Consultant
> jjm at jkintl.com        www.jkintl.com
> V: +1 575/377-6293  Please call for fax access.
>
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>


-- 
奥山 健一(Kenichi Okuyama) [煤背会: No. 0x00000001]
URL: http://www.dd.iij4u.or.jp/~okuyamak/
     http://developer.osdl.jp/projects/doubt/