
Wireshark-dev: Re: [Wireshark-dev] ip.addr != 10.0.0.1

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 27 Jan 2008 12:45:13 -0800
Jaap Keuter wrote:

I'm very much opposed to it. Boolean logic can be somewhat tricky, but when you master the math it becomes a powerful tool.

(Actually, it's more like propositional calculus vs. predicate calculus; a filter expression "{field} {comparison} {value}" means

there exists an instance of {field} such that {value of that instance} {comparison} {value}

and the negation of that isn't

there exists an instance of {field} such that {value of that instance} {not-comparison} {value}

which would be

	{field} {not-comparison} {value}

isn't the negation, the negation is

for all instances of {field}, {value of that instance} {not-comparison} {value}

which would be

	!({field} {comparison} {value})

.)

But, yes, special-casing some fields would, I think, be the wrong answer.

I think a better answer might be to add syntax similar to capture filters, so that if you want all packets to or from "foo", you can say "host foo" for which the negation is more obviously "not host foo".
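
An added example, not part of the original message and not Wireshark code: a small Python model of the "there exists an instance" semantics described above, showing which packets each form of the filter selects. The packets are constructed, and the helper names (`exists`, `matching`) are hypothetical.

```python
import operator

# Constructed sample packets: each maps a field name to every instance of it.
# An IPv4 packet carries two ip.addr instances (source and destination).
PACKETS = {
    "to_host":   {"ip.addr": ["192.168.1.5", "10.0.0.1"]},
    "from_host": {"ip.addr": ["10.0.0.1", "192.168.1.5"]},
    "unrelated": {"ip.addr": ["192.168.1.5", "172.16.0.9"]},
    "arp":       {},  # no ip.addr instance at all
}

HOST = "10.0.0.1"


def exists(pkt, field, comparison, value):
    """'{field} {comparison} {value}': true if SOME instance satisfies it."""
    return any(comparison(v, value) for v in pkt.get(field, []))


def matching(predicate):
    """Names of the sample packets the predicate selects."""
    return sorted(name for name, pkt in PACKETS.items() if predicate(pkt))


# ip.addr == 10.0.0.1
EQ = matching(lambda p: exists(p, "ip.addr", operator.eq, HOST))
# ip.addr != 10.0.0.1  (some instance differs: NOT the negation of EQ)
NE = matching(lambda p: exists(p, "ip.addr", operator.ne, HOST))
# !(ip.addr == 10.0.0.1)  (the actual negation of EQ)
NOT_EQ = matching(lambda p: not exists(p, "ip.addr", operator.eq, HOST))
# "for all instances of ip.addr, instance != 10.0.0.1", written out directly
FOR_ALL_NE = matching(lambda p: all(v != HOST for v in p.get("ip.addr", [])))

if __name__ == "__main__":
    print("ip.addr == HOST    ", EQ)
    print("ip.addr != HOST    ", NE)
    print("!(ip.addr == HOST) ", NOT_EQ)
    print("for all, != HOST   ", FOR_ALL_NE)
```

The `!=` form still selects every packet to or from the host, because the other endpoint's address differs from it, and it drops the packet with no `ip.addr` at all; only the `!(...)` form excludes the host's traffic.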