Wireshark · Ethereal-dev: Re: [Ethereal-dev] No further comments on the 'User's guide'preview?!?

["Guy Harris" <gharris@xxxxxxxxx>]

Olivier Biot said:
> There is one important thing to remember with display filter
> expressions. Whenever a protocol field appears in a filter expression,
> an implicit "exists" test is performed. This means that an expression
> like "ip.addr != 1.2.3.4" does *not* do what you would expect from it.
> Instead, that expression will even be true for packets where either
> source or destination IP address equal "1.2.3.4".

Yes, there's an implicit "exists" test (if no "ip.addr" field exists, it's
somewhat hard to test its value), but, as you note, the "ip.addr" problem
is due to there being more than one "ip.addr" field in a packet (or, at
least, a packet that has enough of an IP header to have both address
fields), not due to the implicit "exists" test.

"ip.src != 1.2.3.4" would probably do what most people would expect it to
do, because there'd be only one "ip.src" field (absent any form of
tunneling so that the packet has *two* IP headers).

The implicit "exists" test is why just replacing "ip.addr != 1.2.3.4" with
"!(ip.addr == 1.2.3.4)" won't do what people would want here, either, so
you have to put in "ip &&" to filter out packets with *no* IP address
(although technically the "right" expression would be "ip.addr &&
!(ip.addr == 1.2.3.4)").