Wireshark-users: Re: [Wireshark-users] Question on filtering

From: Mark <mark4246@xxxxxxxxx>
Date: Fri, 20 Jun 2008 17:05:53 -0700
Hello,

Below is an example.  The whole string works great until I add the "and no IGMP"; when I do that, the rest of the statement returns, meaning it's not filtered.
 
not arp and not dns and not ip.addr==10.5.50.62 and not ip.addr==10.5.50.255 and no IGMP
 
 
 
Thanks,

9, 2008 at 1:31 PM, DePriest, Jason R. <jrdepriest@xxxxxxxxx> wrote:
On Thu, Jun 19, 2008 at 9:23 PM, Mark <mark4246@xxxxxxxxx> wrote:
> Hello,
>
> What is the main difference between 'and' and 'or'?  I am trying to filter
> out many different things like one particular IP addr, a certain protocol
> such as DNS and NBNS and ARP etc.  It seems like when I add multiple entries
> into a filter some appear again and I am sure it's due to the 'and' or the
> 'or' usage.
>
> Thanks,
>
> Mark

Hello.  The question you ask is difficult to answer in a way that will
help you without some examples.

'and' means that both values have to be true and 'or' means at least
one of the values has to be true.

true and true = true
true and false = false
false and true = false
false and false = false

true or true = true
true or false = true
false or true = true
false or false = false

Can you mock up some examples based on your experience of what you
*are* getting and what you *want* to get?

-Jason
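
Added example, not part of the original thread: a small Python model of the 'and'/'or' behaviour discussed above, applied to an exclusion filter over constructed packets. It assumes the IGMP term is written `not igmp`, in the same form as the filter's other terms, and it gives each packet a single protocol, which is a simplification of how Wireshark dissects layers.

```python
# Constructed sample packets (not from the thread): one protocol label
# plus source and destination address per packet.
PACKETS = [
    {"id": 1, "proto": "arp",  "src": None,         "dst": None},
    {"id": 2, "proto": "dns",  "src": "10.5.50.62", "dst": "10.5.50.1"},
    {"id": 3, "proto": "dns",  "src": "10.5.50.7",  "dst": "10.5.50.1"},
    {"id": 4, "proto": "igmp", "src": "10.5.50.7",  "dst": "224.0.0.1"},
    {"id": 5, "proto": "tcp",  "src": "10.5.50.7",  "dst": "10.5.50.62"},
    {"id": 6, "proto": "udp",  "src": "10.5.50.7",  "dst": "10.5.50.255"},
    {"id": 7, "proto": "tcp",  "src": "10.5.50.7",  "dst": "10.5.50.9"},
]

def proto(name):
    return lambda p: p["proto"] == name

def ip_addr(addr):
    # ip.addr is true when either the source or the destination matches.
    return lambda p: addr in (p["src"], p["dst"])

def NOT(f):
    return lambda p: not f(p)

def AND(*fs):
    return lambda p: all(f(p) for f in fs)

def OR(*fs):
    return lambda p: any(f(p) for f in fs)

def shown(flt):
    """Return the ids of the packets the filter would display."""
    return [p["id"] for p in PACKETS if flt(p)]

# The five things to hide, taken from the filter in the message above.
UNWANTED = [proto("arp"), proto("dns"), ip_addr("10.5.50.62"),
            ip_addr("10.5.50.255"), proto("igmp")]

# not arp and not dns and ... : a packet must pass every exclusion.
exclude_with_and = AND(*[NOT(f) for f in UNWANTED])
# not arp or not dns or ... : passing any single exclusion is enough,
# so an ARP packet is shown because it is "not dns".
exclude_with_or = OR(*[NOT(f) for f in UNWANTED])
# not (arp or dns or ...) : De Morgan equivalent of the 'and' form.
exclude_grouped = NOT(OR(*UNWANTED))

if __name__ == "__main__":
    print("and    :", shown(exclude_with_and))
    print("or     :", shown(exclude_with_or))
    print("grouped:", shown(exclude_grouped))
```
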