
Ethereal-dev: [Fwd: Re: [Ethereal-dev] Filter expressions for exclusion]

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "John McDermott" <jjm@xxxxxxxxxx>
Date: Tue, 31 Dec 2002 07:52:31 -0700
Esh, Andrew wrote:
 >
 > BTW: I tested your statement about "tcp.port != 10":
 >
 > "You will get packets where source port is 10, or destination port is
 > 10, or where neither of them are 10 but the TCP packets where both of
 > them are 10 will not be included."
 >
 > ... and I found it to be true. I think it's silly, however, because it
 > doesn't actually filter out ANY packets other than non-TCP ones, and
 > those which have a source AND destination port of 10. That may not be
 > what's being asked for. In my opinion, "source OR destination port of
 > 10" is more correct.

Then that is what you should ask for.  The expression:
	tcp.srcport != 10 && tcp.dstport != 10
is what you are asking for, isn't it?

tcp.port is, I suppose, special (along with ip.addr, etc).  It is "any
tcp port".  It is generally used with tcp.port == 80, for example, to
select all http traffic.  In this case tcp.port op value means
tcp.srcport op value OR tcp.dstport op value.  If you want AND you need
to ask for it.  I agree that in the != case it is possibly confusing, but
in the == case it is a wonderful thing.

 >
 > If I say: "ip.addr != 10.10.1.27", I expect not to see any packets where
 > the source OR the destination addresses are 10.10.1.27. Yet they remain.
 > Note that this is NOT how it works in a capture filter, where "host not
 > 10.10.1.27" actually produces what I expect: No packets which were to OR
 > from host 10.10.1.27.

Again, it is very intuitive for the == case.  The question is, I suppose,
should the filter language use AND for the != case and OR for the ==
case?  I am not sure that I want the filter language doing different
things like this, trying to second guess me. (In fact, I'm fairly sure I
do not. I believe filters shouldn't do things I don't ask for.)

 >
 > If I ask for TCP
 > port 10 packets to be filtered out, I don't want non-TCP packets
 > filtered out.

OK.  I have to agree here.  I think "tcp.port==80" should mean "tcp
packets with source or destination ports with a value of 80" (as it
does), but by the "filters shouldn't do things I don't ask for" rule,
"tcp.port != 80" should not imply tcp packets.  I'm sorry to disagree
with Guy, but if a packet does not have a TCP port, its tcp.port value is
not 80 (it is undefined) and therefore it should match the expression.

--john

--
John McDermott
Writer, Educator, Consultant
jjm@xxxxxxxxxx		http://www.jkintl.com
V +1 505/377-6293 F +1 505/377-6313
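The semantics argued over in the message above can be made concrete with a small model of how a display filter compares a multi-valued field such as tcp.port (or ip.addr) against a value. The block below is an added illustration, not Ethereal or Wireshark code and not part of the thread: packets are constructed inline as dicts of field name to list of values, and four readings of a comparison are implemented side by side: the "any value equal" reading of `==`, the 2002 "any value not equal" reading of `!=` that Andrew Esh tested, the "all values differ" reading that the reply says you must spell out as `tcp.srcport != 10 && tcp.dstport != 10`, and the plain negation `!(tcp.port == 10)`, which is the only one that also keeps non-TCP packets, as John McDermott argues it should. The helper names, the sample packets and the behaviour on an absent field are all choices made here for the example. (Later Wireshark releases, from 3.6 on, moved `!=` on multi-valued fields to the all-values-differ reading, so the 2002 behaviour is shown here for comparison, not as current behaviour.)

```python
"""Model of display-filter comparisons on multi-valued fields.

Added example for the Ethereal-dev thread on "tcp.port != 10"; this is
not Ethereal/Wireshark source.  A packet is a dict of field -> list of
values.  tcp.port is derived from tcp.srcport and tcp.dstport, so it has
two values on every TCP packet, just as ip.addr carries ip.src and ip.dst.
"""
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, List[int]]


def make_tcp(src: int, dst: int) -> Packet:
    """Constructed TCP packet with the derived, two-valued tcp.port field."""
    return {"tcp.srcport": [src], "tcp.dstport": [dst], "tcp.port": [src, dst]}


def make_udp(src: int, dst: int) -> Packet:
    """Constructed UDP packet; it has no tcp.* fields at all."""
    return {"udp.srcport": [src], "udp.dstport": [dst], "udp.port": [src, dst]}


def any_eq(pkt: Packet, field: str, value: int) -> bool:
    """field == value: true if ANY value of the field equals value.
    An absent field never matches."""
    return any(v == value for v in pkt.get(field, []))


def any_ne(pkt: Packet, field: str, value: int) -> bool:
    """field != value as Ethereal evaluated it in 2002: true if ANY value
    differs.  On a two-valued field this excludes only packets where both
    values equal `value`; an absent field still never matches."""
    return any(v != value for v in pkt.get(field, []))


def all_ne(pkt: Packet, field: str, value: int) -> bool:
    """field != value read as "ALL values differ", i.e. what
    tcp.srcport != v && tcp.dstport != v spells out.  Absent field: no match
    (a choice made for this example)."""
    vals = pkt.get(field, [])
    return bool(vals) and all(v != value for v in vals)


def not_any_eq(pkt: Packet, field: str, value: int) -> bool:
    """!(field == value): the plain negation.  Because an absent field makes
    `==` false, this is the one reading that also keeps non-TCP packets."""
    return not any_eq(pkt, field, value)


# Constructed sample capture, in display order.
SAMPLE: List[Tuple[str, Packet]] = [
    ("tcp 10->10", make_tcp(10, 10)),
    ("tcp 10->443", make_tcp(10, 443)),
    ("tcp 443->80", make_tcp(443, 80)),
    ("udp 10->10", make_udp(10, 10)),
]

Predicate = Callable[[Packet], bool]


def filter_matches(pkts: List[Tuple[str, Packet]], pred: Predicate) -> List[str]:
    """Return the names of packets the predicate keeps, in capture order."""
    return [name for name, pkt in pkts if pred(pkt)]


def compare_readings(pkts: List[Tuple[str, Packet]], port: int) -> Dict[str, List[str]]:
    """Evaluate the four readings of 'tcp.port != port' (plus the explicit
    srcport/dstport conjunction) over the capture and return what each keeps."""
    return {
        "tcp.port != v (any value differs, 2002)":
            filter_matches(pkts, lambda p: any_ne(p, "tcp.port", port)),
        "tcp.port != v (all values differ)":
            filter_matches(pkts, lambda p: all_ne(p, "tcp.port", port)),
        "tcp.srcport != v && tcp.dstport != v":
            filter_matches(pkts, lambda p: all_ne(p, "tcp.srcport", port)
                           and all_ne(p, "tcp.dstport", port)),
        "!(tcp.port == v)":
            filter_matches(pkts, lambda p: not_any_eq(p, "tcp.port", port)),
    }


def contradiction(pkt: Packet, field: str, value: int) -> bool:
    """True when both field == value and field != value hold on one packet,
    which the 'any value' reading of != allows (e.g. tcp 10->443)."""
    return any_eq(pkt, field, value) and any_ne(pkt, field, value)


if __name__ == "__main__":
    for expr, kept in compare_readings(SAMPLE, 10).items():
        print(f"{expr:45s} keeps {kept}")
```

The table it prints shows the point of the thread: with the "any value differs" reading, `tcp.port != 10` keeps "tcp 10->443" and "tcp 443->80" and drops only the both-ports-10 packet and the UDP packet; the explicit `srcport && dstport` conjunction and the "all values differ" reading agree with each other; and only `!(tcp.port == 10)` keeps the UDP packet, since an absent field makes `==` false and negation turns that into a match. The same model applies unchanged to ip.addr by constructing packets with `ip.src`, `ip.dst` and a derived two-valued `ip.addr`.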