Wireshark-dev: Re: [Wireshark-dev] ip.addr != 10.0.0.1

From: Ulf Lamping <ulf.lamping@xxxxxx>
Date: Sun, 27 Jan 2008 21:45:38 +0100
Jaap Keuter wrote:
Stig Bjørlykke wrote:
Hi.

We often get questions why the filter "ip.addr != 10.0.0.1" does not
work as expected.

Is it a good idea to make some sort of special handling for filters
like "ip.addr", "tcp.port" and "udp.port" to expand to the commonly
expected behavior?

I'm very much opposed to it. Boolean logic can be somewhat tricky, but when you master the math it becomes a powerful tool. Wireshark is a power tool. Therefore we have to educate the users, by teaching them how to use it. The Wiki is a good place, and can always be improved upon, so it can be the primary reference to the subject.
I perfectly agree that I don't like to sacrifice the filter engine for such cases.

But unfortunately you are missing the point here.

The problem here is ip.addr and the way Wireshark filtering deals with the usual two appearances of the IP address in a packet.

There's really no indication to a user that "ip.addr != 10.0.0.1" won't work the way expected, and simply saying "the user has to read the wiki before he can use our software" is very poor in terms of usability. We as the developers know that a lot of people have a problem here, and simply ignoring users' problems is - well - just bad and nothing else.

As I've written in my other mail, I would expect a dialog box in this case, saying something like "ip.addr != 10.0.0.1 is very certainly not what you want! Should I filter !(ip.addr == 10.0.0.1) instead, which results in ...".

Regards, ULFL
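
The difference between the two filters in this thread, as an added example that is not part of the original message and is not Wireshark code. It assumes a comparison on a field with several occurrences is true when any occurrence satisfies it; the function names and sample packets are constructed for illustration, and `suggest_rewrite` sketches the kind of warning proposed above.

```python
import re

# Fields named in the thread that normally occur twice per packet (source and destination).
MULTI_FIELDS = {"ip.addr", "tcp.port", "udp.port"}
NE_PATTERN = re.compile(r"^\s*([\w.]+)\s*!=\s*(\S+)\s*$")

def any_ne(occurrences, value):
    """Assumed model of `field != value`: true if ANY occurrence differs."""
    return any(v != value for v in occurrences)

def not_any_eq(occurrences, value):
    """Model of `!(field == value)`: true only if NO occurrence equals value."""
    return not any(v == value for v in occurrences)

def suggest_rewrite(filter_text):
    """Return the suggested `!(field == value)` form, or None if no warning applies."""
    m = NE_PATTERN.match(filter_text)
    if m and m.group(1) in MULTI_FIELDS:
        return f"!({m.group(1)} == {m.group(2)})"
    return None

def disagreements(packets, value):
    """Packets that `!=` lets through although one occurrence equals value."""
    return [p for p in packets if any_ne(p, value) and not not_any_eq(p, value)]

# Constructed sample packets: (ip.src, ip.dst) pairs, both seen as ip.addr.
PACKETS = [
    ("10.0.0.1", "10.0.0.2"),
    ("10.0.0.3", "10.0.0.1"),
    ("10.0.0.2", "10.0.0.3"),
    ("10.0.0.1", "10.0.0.1"),
]

if __name__ == "__main__":
    target = "10.0.0.1"
    for pkt in PACKETS:
        print(pkt, "any_ne:", any_ne(pkt, target),
              "not_any_eq:", not_any_eq(pkt, target))
    print("suggested:", suggest_rewrite("ip.addr != 10.0.0.1"))
```

Under this model, `ip.addr != 10.0.0.1` only drops packets in which every address is 10.0.0.1, which is why traffic to or from that host still shows up.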