Wireshark-dev: Re: [Wireshark-dev] ip.addr != (Guy Harris)
From: "yin sun" <[email protected]>
Date: Tue, 29 Jan 2008 10:01:15 -0500
then the next step could be adding "...!=..." operator back to be equivalent to "!(...)".


On Jan 29, 2008 3:55 AM, Jaap Keuter <[email protected]> wrote:

Well, still not that warm fuzzy feeling about it. I'll give you
something to think about.

The whole discussion focuses on the use of the != operator, which is the
NE operator. We'll need to consider that the same discussion can be
held for the LT, LE, GT and GE operators. Imagine this storyline:
"I want only the packets with addresses not in my management lan, so
above When I use ip.addr > I still get
packets from and to my management LAN".
Basically the same problem here, although not reported (and probably not
encountered) as frequently.

Another thing is that dfilter expressions become a dialect depending on
the place (Wireshark configuration file instance) it runs. That is
between different users, but also between configuration file sets, as
were recently introduced.

May I offer a different proposal, based on a former colleague's bug
solving method. Since we have two (three actually) ways of expressing
Not Equal, being "!(...)" and ".. != .." and ".. NE ..", why not drop
support for the ".. != .." (and ".. NE ..") ?

This solution has the following advantages:
* It removes code i.s.o. adding hooks in the grammar.lemon or semcheck.c
or wherever this warning comes from.
* It shifts the use of the unwanted ".. != .." away to the desired "!(..)".
* The syntax (error) becomes apparent when editing the expression, not
when applying it.
* We could even keep ".. NE .." around for the power users.

This solution has the following disadvantages:
* It drops an operator that people are used to.
* Display filter generators may need to be changed.
* Color display filters may become invalid.


Sake Blok wrote:
> On Tue, Jan 29, 2008 at 10:05:27AM +0900, Kenichi Okuyama wrote:
>> Sorry to interrupt you. I simply want to make sure. You mean, in
>> current implementation:
>> a) ( ip.addr == ) means (( ip.src == )||( ip.dst == )).
>> b) ( ip.addr != ) means (( ip.src != )||( ip.dst != ))
>>  which stands for   !(( ip.src == )&&( ip.dst == ))
>>  ( which means "ignore if both src and dst are" )
>> c) !ip.addr == means ( !( ip.addr == ))
>>     which stands for ( !(( ip.src == )||( ip.dst == )))
>>     which stands for ( ip.src != )&&( ip.dst != )
> Yes, a, b and c are correct.
>> I do agree about b) being very confusing. I was trapped by this syntax
>> only a week ago. It took me very long before I figured out what was
>> happening.
> That's what started this discussion, there are a lot of questions
> on the mailing lists about why != doesn't work like expected.
> I would vote for a preference value that defaults to make
> ip != result in !(ip.addr==
> It would be best to create a pop-up when the user uses the != operator
> the first time (after upgrading Wireshark) telling them about the
> difference and where they can change it back to the old behaviour.
> Even the warning window itself should have a "don't show this
> message again" checkbox.
> Stig, Ulf, Guy, Jaap, what do you think of such a compromise?
> Cheers,
>     Sake
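
The semantics confirmed in points a) to c) of the quoted exchange, together with the ordering-operator case raised in the reply, modelled as an added example (not Wireshark code and not written by anyone in this thread). The addresses, the packet list and all function names are constructed for illustration.

```python
import ipaddress
import operator

OPS = {"==": operator.eq, "!=": operator.ne,
       ">": operator.gt, "<=": operator.le}

def field_values(pkt, field):
    """ip.addr is multi-valued: it occurs once for ip.src and once for ip.dst."""
    if field == "ip.addr":
        return [pkt["ip.src"], pkt["ip.dst"]]
    return [pkt[field]]

def any_match(pkt, field, op, value):
    """Model of the behaviour in a) and b): true if ANY occurrence satisfies op."""
    target = ipaddress.ip_address(value)
    return any(OPS[op](ipaddress.ip_address(v), target)
               for v in field_values(pkt, field))

def select(packets, pred):
    """Return the packet numbers a filter would display."""
    return [p["no"] for p in packets if pred(p)]

# Constructed sample capture (documentation address ranges only).
HOST = "192.0.2.10"       # host the user wants to exclude
LAN_TOP = "192.0.2.255"   # highest address of the constructed management LAN
PACKETS = [
    {"no": 1, "ip.src": "192.0.2.10",   "ip.dst": "198.51.100.5"},  # from HOST
    {"no": 2, "ip.src": "198.51.100.5", "ip.dst": "192.0.2.10"},    # to HOST
    {"no": 3, "ip.src": "198.51.100.5", "ip.dst": "203.0.113.7"},   # unrelated
    {"no": 4, "ip.src": "192.0.2.10",   "ip.dst": "192.0.2.10"},    # both HOST
]

def ne_operator():   # ip.addr != HOST  (case b)
    return select(PACKETS, lambda p: any_match(p, "ip.addr", "!=", HOST))

def negated_eq():    # !(ip.addr == HOST)  (case c)
    return select(PACKETS, lambda p: not any_match(p, "ip.addr", "==", HOST))

def gt_operator():   # ip.addr > LAN_TOP  (same trap with an ordering operator)
    return select(PACKETS, lambda p: any_match(p, "ip.addr", ">", LAN_TOP))

def negated_le():    # !(ip.addr <= LAN_TOP)
    return select(PACKETS, lambda p: not any_match(p, "ip.addr", "<=", LAN_TOP))

if __name__ == "__main__":
    print("ip.addr != HOST        ->", ne_operator())
    print("!(ip.addr == HOST)     ->", negated_eq())
    print("ip.addr > LAN_TOP      ->", gt_operator())
    print("!(ip.addr <= LAN_TOP)  ->", negated_le())
```

In this model only the negated forms hide traffic to and from the excluded host or LAN; the `!=` and `>` forms drop only the packet where both addresses fall inside it.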
