Wireshark-dev: Re: [Wireshark-dev] ip.addr != 10.0.0.1

From: "John McDermott" <jjm@xxxxxxxxxx>
Date: Tue, 29 Jan 2008 10:30:15 -0700
On Tue, 29 Jan 2008 05:01:13 -0700, Jaap wrote:


> May I offer a different proposal, based on a former colleague's bug
> solving method. Since we have two (three actually) ways of expressing
> Not Equal, being "!(...)" and ".. != .." and ".. NE ..", why not drop
> support for the ".. != .." (and ".. NE ..") ?
> This solution has the following advantages:
> * It removes code i.s.o. adding hooks in the grammer.lemon or semcheck.c
> or wherever this warning comes from.

very good.

> * It shifts the use of the unwanted ".. != .." away to the desired "!(..)".

ok

> * The syntax (error) becomes apparent when editing the expression, not
> when applying it.

yes.

> * We could even keep ".. NE .." around for the power users.

Actually, we need it for a lot more than power users. Herein lies the issue: while != and NE may work counterintuitively (at first) for many uses when used with ip.addr and other multiply-occurring fields, they are necessary and proper for fields like TTL. It would not be good to get rid of that functionality.

> This solution has the following disadvantages:
> * It drops an operator that people are used to.

Yes.

> * Display filter generators may need to be changed
> * Color display filters may become invalid.

Yes. We'd need or want to build a converter.

After the first time I used ip.addr != <something> and the issue was explained, the problem went away for me. Maybe we need a hyperlink "Didn't get what you expected?" after a filter is applied that points one to the issue.

Personally, it is no problem to convert the thinking "if no ip address equals 1.2.3.4" to "!ip.addr == 1.2.3.4".

--john



--
John McDermott, CPLP, CCP
Learning and Performance Consultant
jjm at jkintl.com        www.jkintl.com
V: +1 575/377-6293  Please call for fax access.
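
The behaviour discussed in this thread, modelled as an added example (not part of the original message and not Wireshark code): a comparison is true when any occurrence of a field satisfies it, which is why `ip.addr != x` and `!(ip.addr == x)` select different packets. The function names and the four sample packets are constructed for illustration.

```python
# Toy model of display-filter comparisons on fields that may occur more than
# once per packet (assumption: "any occurrence" semantics, as in this thread).

def any_eq(packet, field, value):
    """field == value: true if ANY occurrence of the field equals value."""
    return any(v == value for v in packet.get(field, []))

def any_ne(packet, field, value):
    """field != value: true if ANY occurrence of the field differs from value."""
    return any(v != value for v in packet.get(field, []))

def not_any_eq(packet, field, value):
    """!(field == value): true if NO occurrence equals value (or field absent)."""
    return not any_eq(packet, field, value)

def ip_packet(src, dst, ttl):
    # ip.addr covers both source and destination, so it occurs twice per packet.
    return {"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst], "ip.ttl": [ttl]}

# Constructed sample capture: three IP packets and one non-IP (ARP) frame.
CAPTURE = [
    ip_packet("10.0.0.1", "192.168.1.5", 64),     # 0: from 10.0.0.1
    ip_packet("192.168.1.5", "10.0.0.1", 128),    # 1: to 10.0.0.1
    ip_packet("192.168.1.5", "192.168.1.9", 64),  # 2: unrelated hosts
    {"arp.opcode": [1]},                          # 3: no ip.* fields at all
]

def matching(pred, field, value):
    """Return the indexes of the packets in CAPTURE that the predicate selects."""
    return [i for i, pkt in enumerate(CAPTURE) if pred(pkt, field, value)]

if __name__ == "__main__":
    # ip.addr != 10.0.0.1 : every IP packet has at least one other address.
    print(matching(any_ne, "ip.addr", "10.0.0.1"))
    # !(ip.addr == 10.0.0.1) : only packets with no occurrence of the address.
    print(matching(not_any_eq, "ip.addr", "10.0.0.1"))
    # On a single-occurrence field the two forms differ only for packets
    # that lack the field entirely.
    print(matching(any_ne, "ip.ttl", 64))
    print(matching(not_any_eq, "ip.ttl", 64))
```

On the single-occurrence TTL field, `!=` keeps the result restricted to IP packets, while the negated form also selects the ARP frame.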