Hi All,
Hmmm... although some good ideas have been raised, they all had
their disadvantages. Basically I think the way the filters work
is fine for people who get used to the way the filters work. It
is just a steep learning curve where the information needed to
learn to use the display filter syntax on fields that have
multiple occurrences in one packet.
So, if we need to stick to the current behaviour (which I have
become a fan of by now), why not try to educate the user
from within Wireshark instead of from the external sources like
the Wiki and the mailing lists?
I think the idea of a pop-up explaining the way the operator
"!=" works on fields with multiple occurrences in one packet is
a good way to educate people. But only if there is an option
to "Don't show me this message again" :-)
If we agree on this approach, all we have to do is decide in
which cases the pop-up should be shown. Which is a whole new
discussion :-)
Some random thoughts:
a) Every time "!=" is used, just to educate the user up
front. But I think the learning experience only kicks
in when the user can see the bad behaviour. And this would
not happen on all the fields that only have one occurrence
in every packet.
b) Only show the message when the field that is used with
the "!=" operator actually does occur multiple times in
one of the packets in the trace file. This however would
mean a big degradation in performance.
c) Only when "ip.addr != xxx", "tcp.port != xxx" or
"udp.port != xxx" is typed as a filter. The idea is that
this is probably the first occurrence of "!=" the user
will try on a field with multiple occurrences in one
packet. This might be a good compromise...
Oh, we also would need to write a very nice compact, easy
to understand message. With of course a link for some more
background and examples to the Wiki.
Cheers,
Sake
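
Added example, not part of the original message and not Wireshark code: a small Python model of the "!=" behaviour the message refers to, assuming a comparison on a multi-occurrence field is true when any occurrence satisfies it, plus a hypothetical trigger for option (c). The packets, addresses and function names are constructed for the illustration.

```python
# Constructed model of "match if ANY occurrence satisfies the comparison".
# Not Wireshark code; packets and addresses are made up for the example.
import re

# Each packet maps a field name to every value it carries for that field.
# ip.addr occurs twice per packet (source and destination).
PACKETS = [
    {"ip.addr": ["10.0.0.1", "10.0.0.2"]},   # involves 10.0.0.1
    {"ip.addr": ["10.0.0.3", "10.0.0.1"]},   # involves 10.0.0.1
    {"ip.addr": ["10.0.0.2", "10.0.0.3"]},   # does not involve 10.0.0.1
]

def any_eq(pkt, field, value):
    """field == value: true if any occurrence equals value."""
    return any(v == value for v in pkt.get(field, []))

def any_ne(pkt, field, value):
    """field != value under any-occurrence matching: true if any occurrence differs."""
    return any(v != value for v in pkt.get(field, []))

def not_any_eq(pkt, field, value):
    """!(field == value): true only if no occurrence equals value."""
    return not any_eq(pkt, field, value)

def select(pred, field, value):
    """Return the indexes of PACKETS that the predicate lets through."""
    return [i for i, p in enumerate(PACKETS) if pred(p, field, value)]

# Option (c): warn only for the three fields named in the message.
_WARN = re.compile(r"\b(ip\.addr|tcp\.port|udp\.port)\s*!=")

def should_warn(filter_text):
    """Hypothetical trigger for the proposed pop-up (option c)."""
    return bool(_WARN.search(filter_text))

if __name__ == "__main__":
    # The "!=" form still shows the packets that involve 10.0.0.1.
    print("ip.addr != 10.0.0.1    ->", select(any_ne, "ip.addr", "10.0.0.1"))
    print("!(ip.addr == 10.0.0.1) ->", select(not_any_eq, "ip.addr", "10.0.0.1"))
    print(should_warn("ip.addr != 10.0.0.1"), should_warn("!(ip.addr == 10.0.0.1)"))
```

In this model the "!=" form lets all three packets through, because every packet has at least one address other than 10.0.0.1, while the negated "==" form keeps only the third.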