Hi,
In this discussion you miss the tunneled protocols, or messages like ICMP
Thanx,
Jaap
Stig Bjørlykke wrote:
2008/1/29, Sake Blok <sake@xxxxxxxxxx>:
I would vote for a preference value that defaults to make
ip != 10.0.0.1 result in !(ip.addr==10.0.0.1).
For most of the fields in Wireshark we need the "x!=y" and "!(x==y)"
operators as they are, exactly because they have different behavior.
I do not want to change this.
The problem, as I see it, is the combined fields which matches two
different fields, like ip.addr, tcp.port, udp.port and probably some
others, where the user has other expectations how they work. So I
think we shall focus on them and not the operators.
When I think of ip.addr I'm thinking "they", as in ip.src and ip.dst.
When I write ip.addr != 10.0.0.1 I'm thinking "they shall not be
10.0.0.1", as in none of them. This is because the field matches two
different fields I want to filter out. The same goes with LT and GT.
Our combined fields should be marked as combined (in the source), and
only this fields should be handled differently, or simply just give a
warning to the user why they will not work as expected.
But does it make the functionality difficult to understand or describe
correctly?