Heya, I'm having a bit of trouble getting display filters to work correctly.
Basically, here's the English translation of what I want to do: "Display all
packets sourced from or destined to 192.168.0.11, that are NOT sourced or
destined to 205.231.82.69 and are NOT sourced or destined to 205.231.82.42."
((ip.addr eq 192.168.0.11) and (ip.addr ne 205.231.82.69 and ip.addr ne
205.231.82.42)) was my first attempt. It did not do what I wanted it to --
it included the proper set of packets from 192.168.0.11, but did not exclude
either of the 205.* addresses that I wanted to exclude.
Okay, no problem -- I look up ip.addr in the documentation and see that it's
defined as "if either the source or destination of the packet is <ip>" --
okay, so it looks like it could be having a problem with the precedence of
the OR logic. Next attempt:
((ip.addr eq 192.168.0.11) and (ip.src ne 205.231.82.69 and ip.dst ne
205.231.82.69) and (ip.src ne 205.231.82.42 and ip.dst ne 205.231.82.42))
Again, it failed to do what I wanted it to (the addresses 205.231.82.42 and
205.231.82.69 still showed up in the display).
I've also tried putting '!=' instead of 'ne' in the above expressions, with
no increase in viability.
Does anyone have a syntax that might work for what I want it to do? Thanks!
-Mat Butler
