
Ethereal-dev: RE: [Ethereal-dev] Filter expressions for exclusion

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Esh, Andrew" <AEsh@xxxxxxxxxxx>
Date: Mon, 30 Dec 2002 09:08:27 -0600
Title: RE: [Ethereal-dev] Filter expressions for exclusion

This is all good to know. I was expecting the filter language to work the same way as it does in other places where those symbols are used, such as in C, and in mathematics. I was expecting "!(tcp.port == 10)" to be identical in function to "tcp.port != 10", as they would be in C or mathematics.

BTW: I tested your statement about "tcp.port != 10":

"You will get packets where source port is 10, or destination port is 10, or where neither of them are 10 but the TCP packets where both of them are 10 will not be included."

... and I found it to be true. I think it's silly, however, because it doesn't actually filter out ANY packets other than non-TCP ones, and those which have a source AND destination port of 10. That may not be what's being asked for. In my opinion, "source OR destination port of 10" is more correct.

If I say: "ip.addr != 10.10.1.27", I expect not to see any packets where the source OR the destination addresses are 10.10.1.27. Yet they remain. Note that this is NOT how it works in a capture filter, where "host not 10.10.1.27" actually produces what I expect: No packets which were to OR from host 10.10.1.27.

I find this filter language to be counter-intuitive. I think it should filter exactly what you ask it to, and nothing else. If I ask for TCP port 10 packets to be filtered out, I don't want non-TCP packets filtered out. I didn't ask for that. I consider each term to be independent, unless I combine them with operators. I think statements which appear to be equivalent or reflexive, should actually be that way. One shouldn't have to unlearn their C or mathematics in order to understand this.

I realize this would make the code which does filtering more complex, because "tcp.port != 10" would have to be tested as "IF the packet contains a TCP frame, AND the port is equal to 10, THEN filter it out." It doesn't have to be that complex internally. If the filtering language is complete, then the user side of the language can be mathematically and intuitively correct. All that is needed is to translate what is asked for into an internal filter that does what is asked for. For example, "tcp.port != 10" would be changed internally to "!(tcp.port == 10)". The two don't even have to be the same language.

Don't simplify the internal code at the expense of the completeness or the correctness of the external filtering language.

-----Original Message-----
From: Martin Regner [mailto:martin.regner@xxxxxxxxx]
Sent: Saturday, December 28, 2002 8:34 AM
To: Chris Waters; EtherealDev
Subject: Re: [Ethereal-dev] Filter expressions for exclusion


Chris Waters wrote:

>Hi,
>
>It seems to me that one aspect of Ethereal filtering is non-intuitive, and
>also unnecessary. Consider the following filter:
>
>tcp.port != 10
>
>At first glance it appears that the purpose of the filter is to exclude all
>packets where the TCP port is 10. However this expression will also exclude
>all non-TCP packets, which was probably not the intent of the person that
>wrote the filter.
>
>In any filter referring to a field 'protocol.field' it appears that there is
>an implicit 'and protocol' added to the expression. This is very confusing.
>Is it necessary, or desirable?


I think it works as it should (at least more or less).
However I think that the documentation could be improved.

For filters with "tcp.port" (and similar for "ip.addr" etc.) there might be some extra confusion since there is both a source port (tcp.srcport) and a destination port (tcp.dstport) in a TCP packet, and then the results can be different from what you expect if you are not careful when preparing the filter.

!(tcp.port == 10)
will filter out TCP packets where the source and/or destination port is not equal to 10,
but also non-TCP packets (UDP, ARP, ...)

tcp.port != 10
will filter out only TCP packets - where both source and destination port numbers are not 10.
You will get packets where source port is 10, or destination port is 10, or where neither of them are 10
but the TCP packets where both of them are 10 will not be included.

tcp and !(tcp.port ==10)
will filter out only TCP packets - where destination and/or source port numbers are not 10.

I hope I got it right. I'm not completely sure, and I didn't have any good captures to experiment with right now.


_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev
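A small evaluator added here to make the thread's "a comparison is true if any occurrence of the field satisfies it" rule concrete; it is not Ethereal's code, and the packets, the field lists and the helper names are constructed for this demonstration.

```python
# Constructed packets: each maps a field name to the list of its occurrences.
# A field that is absent has no occurrences at all (e.g. tcp.port in ARP).
PACKETS = {
    "tcp 10->10": {"tcp": [True], "tcp.srcport": [10], "tcp.dstport": [10]},
    "tcp 10->80": {"tcp": [True], "tcp.srcport": [10], "tcp.dstport": [80]},
    "tcp 80->443": {"tcp": [True], "tcp.srcport": [80], "tcp.dstport": [443]},
    "udp 53->53": {"udp": [True], "udp.srcport": [53], "udp.dstport": [53]},
    "arp": {"arp": [True]},
}

def occurrences(pkt, name):
    """All values of a field in a packet; tcp.port covers both port fields."""
    if name == "tcp.port":
        return pkt.get("tcp.srcport", []) + pkt.get("tcp.dstport", [])
    return pkt.get(name, [])

def exists(name):
    """Bare field test such as 'tcp': true if the field occurs at all."""
    return lambda pkt: bool(occurrences(pkt, name))

def compare(name, op, value):
    """Comparison node: true if ANY occurrence satisfies the comparison.
    With no occurrences it is false, so 'tcp.port != 10' is false for ARP,
    which is the surprise Chris Waters describes."""
    test = {"==": lambda v: v == value, "!=": lambda v: v != value}[op]
    return lambda pkt: any(test(v) for v in occurrences(pkt, name))

def not_(node):
    return lambda pkt: not node(pkt)

def and_(left, right):
    return lambda pkt: left(pkt) and right(pkt)

# The three filters Martin Regner compares, built as expression trees.
FILTERS = {
    "tcp.port != 10": compare("tcp.port", "!=", 10),
    "!(tcp.port == 10)": not_(compare("tcp.port", "==", 10)),
    "tcp and !(tcp.port == 10)": and_(exists("tcp"),
                                      not_(compare("tcp.port", "==", 10))),
}

def matching(filter_text):
    """Names of the constructed packets the display filter would show."""
    node = FILTERS[filter_text]
    return [name for name, pkt in PACKETS.items() if node(pkt)]

if __name__ == "__main__":
    for text in FILTERS:
        print(f"{text:28} -> {matching(text)}")
```

Only "tcp.port != 10" drops the non-TCP packets while still showing the 10->80 packet, which is exactly the asymmetry between "!=" and "!( == )" the thread is about.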