
Ethereal-users: Re: [Ethereal-users] Display Filter to Remove an IP Address

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jerry Talkington <jtalkington@xxxxxxxxxxxxxxxxxxxxx>
Date: Sun, 23 May 2004 07:40:17 -0700
On Sun, May 23, 2004 at 03:29:05PM +0100, Keith French wrote:
> > I am trying to construct a display filter to remove all traffic to and
> > from a particular IP address, but all things I try do not work.  What I
> > have tried is:-
> > 
> > not ip.addr eq 10.10.10.10
> > not (ip.addr eq 10.10.10.10)
> > !(ip.addr eq 10.10.10.10)
> > ip.addr ne 10.10.10.10
> 
> That's odd, as "not (ip.addr eq XXX.XXX.XXX.XXX)" worked for me (it's
> equivalent to "!(ip.addr eq XXX.XXX.XXX.XXX)").  I assume that "not
> (ip.addr eq 10.10.10.10)" either caused packets to or from 10.10.10.10
> to be displayed or caused packets neither to nor from 10.10.10.10 not to
> be displayed - which of those, or both, is the case?
 
I've just seen this behavior (or something very similar) with a CVS
build from yesterday.  ip.add != 10.100.128.81 doesn't properly filter
out the traffic from that address.
 
> What I have found is that if I filter on:-
> 
> not ether.addr MAC Address
> 
> it does get rid of the traffic. Some of the packets are broadcasts such as NBNS, but surely that is a layer 3 broadcast, not layer 2?

ip.src != 10.100.128.81 && ip.dst != 10.100.128.81
works properly, so it's not a layer issue.  There seems to be something
wrong with the ip.addr filter.

I also noticed a *very* annoying bug where if you have a filter such as
ip.addr.src != 10.100.128.81, which is incorrect syntax, and you click
at the end of ip.addr.src and start backspacing, when you hit the last
"." (i.e. the filter becomes correct,) the cursor jumps to the very end
of the filter.  So if you wanted to change ip.addr.src to ip.src, you
end up with ip.addr != 10.100.12 if you are not paying attention.

-- 
GPG public key:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9D5B8762
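
The three filter forms discussed in this thread can be compared with a small model of how a comparison behaves on a field that occurs more than once in a packet. This is an added example, not code from Ethereal or from the posters. It assumes that a comparison is true when any occurrence of the field satisfies it and false when the field is absent; the function names and the sample packets are constructed for illustration.

```python
# Model of display-filter comparison on a multi-occurrence field (added example).
# Assumption: a comparison is true if ANY occurrence of the field satisfies it,
# and false when the field is absent. ip.addr occurs twice per IP packet
# (once for the source, once for the destination).

TARGET = "10.100.128.81"  # address taken from the post

# Constructed sample packets: (label, ip.src, ip.dst); None means no IP layer.
PACKETS = [
    ("from target", "10.100.128.81", "10.100.128.1"),
    ("to target", "10.100.128.1", "10.100.128.81"),
    ("unrelated", "10.100.128.5", "10.100.128.1"),
    ("arp (no ip)", None, None),
]

def occurrences(src, dst):
    """Values the ip.addr field takes in one packet."""
    return [a for a in (src, dst) if a is not None]

def any_ne(src, dst, addr):
    """ip.addr != addr"""
    return any(v != addr for v in occurrences(src, dst))

def not_any_eq(src, dst, addr):
    """!(ip.addr == addr)"""
    return not any(v == addr for v in occurrences(src, dst))

def src_and_dst_ne(src, dst, addr):
    """ip.src != addr && ip.dst != addr"""
    return src is not None and src != addr and dst is not None and dst != addr

def displayed(predicate, addr=TARGET):
    """Labels of the packets a filter leaves on screen."""
    return [label for label, src, dst in PACKETS if predicate(src, dst, addr)]

if __name__ == "__main__":
    for name, pred in [("ip.addr != X", any_ne),
                       ("!(ip.addr == X)", not_any_eq),
                       ("ip.src != X && ip.dst != X", src_and_dst_ne)]:
        print(f"{name:28} -> {displayed(pred)}")
```

Under this model the first form still displays traffic to and from the target, and the other two differ only on packets with no IP layer.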