
Ethereal-dev: Re: [Ethereal-dev] Filter expressions for exclusion

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Chris Waters <chris.waters@xxxxxxxxxxxxxxxxxxxx>
Date: Sat, 28 Dec 2002 10:25:09 -0800
Hi,

I agree with you that the filters work correctly, in that (AFAIK) it is
possible to construct a filter which will achieve the purpose that you
intend. Once I read the documentation carefully (it took three readings to
pick up this subtlety) it seems to me that the documentation is also
complete and correct. The issue I am raising is that the default behavior is
non-intuitive and I would guess that it has been the cause of
head-scratching for most Ethereal users.

Overall the filter expressions are very easy to use. A quick skim of the
documentation the first time I used Ethereal was all I needed to start
writing filters. However, until someone else brought it to my attention
recently, I had no idea that all of the filters I had written that use '!='
are actually excluding more packets than I intended.

Would there be any loss in generality of filters if there wasn't an implicit
'and protocol' term?

Regards,

Chris.

----- Original Message -----
From: "Martin Regner" <martin.regner@xxxxxxxxx>
To: "Chris Waters" <chris.waters@xxxxxxxxxxxxxxxxxxxx>; "EtherealDev"
<ethereal-dev@xxxxxxxxxxxx>
Sent: Saturday, December 28, 2002 6:33 AM
Subject: Re: [Ethereal-dev] Filter expressions for exclusion


> Chris Waters wrote:
>
> >Hi,
> >
> >It seems to me that one aspect of Ethereal filtering is non-intuitive, and
> >also unnecessary. Consider the following filter:
> >
> >tcp.port != 10
> >
> >At first glance it appears that the purpose of the filter is to exclude all
> >packets where the TCP port is 10. However this expression will also exclude
> >all non-TCP packets, which was probably not the intent of the person that
> >wrote the filter.
> >
> >In any filter referring to a field 'protocol.field' it appears that there is
> >an implicit 'and protocol' added to the expression. This is very confusing.
> >Is it necessary, or desirable?
>
>
> I think it works as it should (at least more or less).
> However I think that the documentation could be improved.
>
> For filters with "tcp.port" (and similar for "ip.addr" etc.) there might
> be some extra confusion since there is both a source port (tcp.srcport) and
> a destination port (tcp.dstport) in a TCP packet and then the results can be
> different than you expect if you are not careful when preparing the filter.
>
> !(tcp.port == 10)
> will filter out TCP packets where the source and/or destination port is
> not equal to 10,
> but also non-TCP packets (UDP, ARP, ...)
>
> tcp.port != 10
> will filter out only TCP packets - where both source and destination port
> numbers are not 10.
> You will get packets where source port is 10, or destination port is 10,
> or where neither of them are 10
> but the TCP packets where both of them are 10 will not be included.
>
> tcp and !(tcp.port == 10)
> will filter out only TCP packets - where destination and/or source port
> numbers are not 10.
>
> I hope I got it right. I'm not completely sure, and I didn't have any good
> captures to experiment with right now.
>
>
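An added illustration of the semantics discussed in this thread (example code written for this page, not part of the thread and not Ethereal's own filter engine): a small Python model of how a display-filter comparison behaves when the field is absent from a packet (the "implicit 'and protocol'" term Chris describes) and when the field occurs more than once in a packet (tcp.port covers both tcp.srcport and tcp.dstport, Martin's point). The packets are constructed inline, not taken from a capture, and the rule "a comparison is true if any occurrence of the field satisfies it, false if the field is absent" is the 2002-era behaviour the thread describes. Wireshark 4.0 changed what `!=` means, so check the release notes of the version you run before relying on either reading.

```python
"""Model of the Ethereal display-filter comparison semantics described in the thread.

A packet is a dict mapping field name -> list of values present in that packet.
A multi-occurrence field such as tcp.port holds several values (source and
destination port). A comparison 'field op value' is true if ANY occurrence of
the field satisfies it, and false when the field is absent. That absence rule
is what makes 'tcp.port != 10' drop every non-TCP packet.
"""

import operator
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, List[int]]
Pred = Callable[[Packet], bool]

# Constructed sample "packets" (not a real capture); chosen to cover each case
# Martin enumerates: both ports 10, one port 10, neither port 10, and non-TCP.
PACKETS: List[Tuple[str, Packet]] = [
    ("tcp 10->10",  {"tcp": [1], "tcp.port": [10, 10]}),
    ("tcp 10->80",  {"tcp": [1], "tcp.port": [10, 80]}),
    ("tcp 80->10",  {"tcp": [1], "tcp.port": [80, 10]}),
    ("tcp 80->443", {"tcp": [1], "tcp.port": [80, 443]}),
    ("udp 10->53",  {"udp": [1], "udp.port": [10, 53]}),
    ("arp",         {"arp": [1]}),
]


def field_cmp(field: str, op: Callable[[int, int], bool], value: int) -> Pred:
    """'field op value': true if any occurrence matches; false if field absent."""
    return lambda pkt: any(op(v, value) for v in pkt.get(field, []))


def proto(name: str) -> Pred:
    """Bare protocol name: true if the protocol is present in the packet."""
    return lambda pkt: name in pkt


def not_(p: Pred) -> Pred:
    return lambda pkt: not p(pkt)


def and_(a: Pred, b: Pred) -> Pred:
    return lambda pkt: a(pkt) and b(pkt)


# The three filters compared in the thread, built from the primitives above.
FILTERS: Dict[str, Pred] = {
    "tcp.port != 10": field_cmp("tcp.port", operator.ne, 10),
    "!(tcp.port == 10)": not_(field_cmp("tcp.port", operator.eq, 10)),
    "tcp and !(tcp.port == 10)": and_(
        proto("tcp"), not_(field_cmp("tcp.port", operator.eq, 10))
    ),
}


def matching(filter_expr: str) -> List[str]:
    """Names of the sample packets that the given filter would display."""
    pred = FILTERS[filter_expr]
    return [name for name, pkt in PACKETS if pred(pkt)]


if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:28s} -> {matching(expr)}")
```

Running it shows the two surprises at once: `tcp.port != 10` still displays TCP packets that touch port 10 on one side (because the other port satisfies `!= 10`) while hiding UDP and ARP entirely, whereas `!(tcp.port == 10)` is the filter that actually hides every packet with port 10 on either side and keeps the non-TCP traffic.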