Wireshark-dev: Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)
From: Sake Blok <[email protected]>
Date: Tue, 29 Jan 2008 09:02:54 +0100
On Tue, Jan 29, 2008 at 10:05:27AM +0900, Kenichi Okuyama wrote:
>
> Sorry to interrupt you. I simply want to make sure. You mean, in
> current implementation:
> 
> a) ( ip.addr == 1.2.3.4 ) means (( ip.src == 1.2.3.4 )||( ip.dst == 1.2.3.4 )).
> 
> b) ( ip.addr != 1.2.3.4 ) means (( ip.src != 1.2.3.4 )||( ip.dst != 1.2.3.4 ))
>  which stands for   !(( ip.src == 1.2.3.4 )&&( ip.dst == 1.2.3.4 ))
>  ( which means "ignore if both src and dst are 1.2.3.4" )
> 
> c) !ip.addr == 1.2.3.4 means ( !( ip.addr == 1.2.3.4 ))
>     which stands for ( !(( ip.src == 1.2.3.4 )||( ip.dst == 1.2.3.4 )))
>     which stands for ( ip.src != 1.2.3.4 )&&( ip.dst != 1.2.3.4 )

Yes, a, b and c are correct.

> I do agree about b) being very confusing. I was trapped by this syntax
> only a week ago. It took me very long before I figured out what was
> happening.

That's what started this discussion, there are a lot of questions
on the mailinglists about why != doesn't work like expected.

I would vote for a preference value that defaults to make
ip != 10.0.0.1 result in !(ip.addr==10.0.0.1).

It would be best to create a pop-up when the user uses the != operator
the first time (after upgrading Wireshark) telling them about the
difference and where they can change back it back to the old behaviour.
Even the warning window itself should have a "don't show this
message again" checkbox

Stig, Ulf, Guy, Jaap, what do you think of such a compromise?

Cheers,
    Sake