Wireshark · Ethereal-users: Re: [Ethereal-users] Display Filter to Remove an IP Address

Ethereal-users: Re: [Ethereal-users] Display Filter to Remove an IP Address

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Sun, 23 May 2004 12:46:03 -0700

On Sun, May 23, 2004 at 07:40:17AM -0700, Jerry Talkington wrote:
> I've just seen this behavior (or something very similar) with a CVS
> build from yesterday.  ip.add != 10.100.128.81 doesn't properly filter
> out the traffic from that address.

"ip.addr != 10.100.128.81" means "packet has an 'ip.addr' value equal to
something other than 10.100.128.81"; a packet from 10.100.128.81, unless
it's being sent from the machine to itself, has an "ip.addr" value equal
to something other than 10.100.128.81 - the address it's sent to.

"not (ip.addr eq 10.100.128.81)", however, means "packet does not have
an 'ip.addr' value equal to 10.100.128.81", which is not the same as
"packet has an 'ip.addr' value equal to something other than
10.100.128.81", because IPv4 packets normally have at least two
"ip.addr" values - the from address and the to address.

So "ip.addr != 10.100.128.81" won't filter out all traffic to or from
10.100.128.81 (unless all that traffic is from 10.100.128.81 to
10.100.128.81) - but "not (ip.addr eq 10.100.128.81)" will.

Follow-Ups:
- Re: [Ethereal-users] Display Filter to Remove an IP Address
  - From: Joerg Mayer

References:
- [Ethereal-users] Display Filter to Remove an IP Address
  - From: Keith French
- Re: [Ethereal-users] Display Filter to Remove an IP Address
  - From: Jerry Talkington

Prev by Date: Re: [Ethereal-users] How to capture the NetBIOS data over 802.2 network
Next by Date: Re: [Ethereal-users] Display Filter to Remove an IP Address
Previous by thread: Re: [Ethereal-users] Display Filter to Remove an IP Address
Next by thread: Re: [Ethereal-users] Display Filter to Remove an IP Address
Index(es):
- Date
- Thread