Wireshark-dev: Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)
From: "Kenichi Okuyama" <[email protected]>
Date: Wed, 30 Jan 2008 10:55:59 +0900
Hi,

2008/1/30, Sake Blok <[email protected]>:
> I think the idea of a pop-up explaining the way the operator
> "!=" works on fields with multiple occurences in one packet is
> a good way to educate people. But only if there is an option
> to "Don't show me this message again" :-)

I'll vote on this idea.
But I think we really need help/manual document updated too.


> Oh, we also would need to write a very nice compact, easy
> to understand message. With of course a link for some more
> background and examples to the Wiki.

I think describing equivalent formula will do ( 4 lines? ):

ip.addr == a   ≡ ( ip.src == a )||( ip.dst == a )
ip.addr !=  a   ≡ ( ip.src !=  a )||( ip.dst != a )
!( ip.addr == a ) ≡ ( ip.src != a )&&( ip.dst != a )
!( ip.addr !=  a ) ≡ ( ip.src == a )&&( ip.dst == a )



... Hmmm, I think making ( ip.addr != a ) equivalent to ! ( ip.addr == a )
is not a good idea. That will ruin the Collectively Exhaustiveness of
current implementation about "ip.addr".

If we are to keep CE-ness of the operations and yet make ( ip.addr != a )
equivalent to !( ip.addr == a ), I think we need some way to describe
( ip.src == a )&&( ip.dst == a )  using ip.addr, like ... ( ip.addr === a )?
# and ( ip.addr !== a ) ≡ ( ip.src !=  a )||( ip.dst != a )

Rather, I'll vote on keeping != as is.


Many people are confused with how != works because
( ip.src != a )&&( ip.dst != a ) is the second most frequently used filter
pattern. Good documents will decrease this confusion.

best regards,
-- 
奥山 健一(Kenichi Okuyama) [煤背会: No. 0x00000001]
URL: http://www.dd.iij4u.or.jp/~okuyamak/
     http://developer.osdl.jp/projects/doubt/