On Fri, Jun 29, 2007 at 03:38:49PM +0900, Mitsuho Iizuka wrote:
>
> > Secondly, you need to change your filter string. The filter
> > "tcp.port != 1035 && tcp.port != 1036" means "look for a packet
> > where EITHER tcp.port does not equal 1035 AND EITHER tcp.port does
> > not equal 1036". The correct filter would be:
> > "!( tcp.port == 1035 || tcp.port == 1036 )" which means "look for
> > a packet that does not match EITHER tcp.port equals 1035 nor EITHER
> > tcp.port equals 1036".
> >
> > Have a look at "http://wiki.wireshark.org/DisplayFilters" (especially
> > the paragraph "Gotchas").
>
> It seems they are equivalent according to the well-known mathematics
> formula?
>
> !(A U B) = (!A && !B).
>
> It was long before. Anyway I have a simple packet dump now.
>
> I looked at above Gotchas. But Gotchas paragraph seems to describe
> a different context.

Yes, the example uses a different field (ip.addr), but the context
is the same. Since there are two tcp ports in a packet, the filter
tcp.port!=x is actually replaced by "(tcp.srcport!=x or tcp.dstport!=x)".
This breaks the logic !(A U B) = (!A && !B):

(tcp.port!=A && tcp.port!=B) =
((tcp.srcport!=A U tcp.dstport!=A) && (tcp.srcport!=B U tcp.dstport!=B)) =
(!(!tcp.srcport!=A && !tcp.dstport!=A) && !(!tcp.srcport!=A && !tcp.dstport!=A) ) =
(!(tcp.srcport==A && tcp.dstport==A) && !(tcp.srcport==B && tcp.dstport==B)) =
!(tcp.srcport==A && tcp.dstport==A && tcp.srcport==B && tcp.dstport==B) =
!((tcp.srcport==A && tcp.srcport==B) && (tcp.dstport==A && tcp.dstport==B)) =
!(FALSE && FALSE) =
!FALSE =
TRUE

So actually your filter would match all the packets in the trace ;-)
It can be a bit confusing indeed :)

Cheers,
Sake
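
An added example, not part of the original message: a small Python model of the any-occurrence matching the reply describes for tcp.port, evaluated over constructed (srcport, dstport) pairs to show which packets each of the two filters displays. The function names and the sample packets are assumptions made for illustration.

```python
# Model of the matching described in the reply: tcp.port occurs twice in a
# packet (source and destination), and a comparison on it is true when ANY
# occurrence satisfies it.
# Constructed sample packets as (srcport, dstport); not taken from a real trace.
PACKETS = [(1035, 80), (80, 1036), (1035, 1036), (1035, 1035), (443, 51000)]


def any_ne(pkt, x):
    """tcp.port != x  ->  (tcp.srcport != x or tcp.dstport != x)"""
    return any(p != x for p in pkt)


def any_eq(pkt, x):
    """tcp.port == x  ->  (tcp.srcport == x or tcp.dstport == x)"""
    return any(p == x for p in pkt)


def filter_ne_and(pkt, a=1035, b=1036):
    """tcp.port != a && tcp.port != b"""
    return any_ne(pkt, a) and any_ne(pkt, b)


def filter_not_or(pkt, a=1035, b=1036):
    """!(tcp.port == a || tcp.port == b)"""
    return not (any_eq(pkt, a) or any_eq(pkt, b))


def displayed(flt):
    """Return the sample packets a filter would display."""
    return [pkt for pkt in PACKETS if flt(pkt)]


if __name__ == "__main__":
    print("src    dst    '!= && !='  '!(== || ==)'")
    for pkt in PACKETS:
        print(f"{pkt[0]:<6} {pkt[1]:<6} {filter_ne_and(pkt)!s:<11} "
              f"{filter_not_or(pkt)}")
    # In this model the first filter hides a sample only when both of its
    # ports equal the same excluded value; the second hides every sample
    # that touches port 1035 or 1036 in either direction.
```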