Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)

2008-02-12 Thread Gerald Combs
Stephen Fisher wrote: > On Thu, Jan 31, 2008 at 11:52:11AM -0800, Gerald Combs wrote: >> Stig Bjørlykke wrote: >>> 2008/1/30, Gerald Combs <[EMAIL PROTECTED] >>> >: >>> >>> The attached patch warns the user about "!=" and "ne" by coloring >>> the filter >>> en

Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)

2008-01-31 Thread Stig Bjørlykke
And it's probably not such a good idea to use ip.addr as example for the != operator in the users guide: http://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html -- Stig Bjørlykke

Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)

2008-01-31 Thread Stephen Fisher
On Thu, Jan 31, 2008 at 11:52:11AM -0800, Gerald Combs wrote: > Stig Bjørlykke wrote: > > 2008/1/30, Gerald Combs <[EMAIL PROTECTED] > > >: > > > > The attached patch warns the user about "!=" and "ne" by coloring > > the filter > > entry yellow and adding a

Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)

2008-01-31 Thread Gerald Combs
Stig Bjørlykke wrote: > 2008/1/30, Gerald Combs <[EMAIL PROTECTED] > >: > > The attached patch warns the user about "!=" and "ne" by coloring > the filter > entry yellow and adding a message to the status bar any time either > of those > tokens are pr

Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)

2008-01-31 Thread Stig Bjørlykke
2008/1/30, Gerald Combs <[EMAIL PROTECTED]>: > > The attached patch warns the user about "!=" and "ne" by coloring the > filter > entry yellow and adding a message to the status bar any time either of > those > tokens are present. It's a bit less obtrusive than popping up a dialog. > Yes, this is

Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)

2008-01-29 Thread Kenichi Okuyama
Hi, 2008/1/30, Sake Blok <[EMAIL PROTECTED]>: > I think the idea of a pop-up explaining the way the operator > "!=" works on fields with multiple occurrences in one packet is > a good way to educate people. But only if there is an option > to "Don't show me this message again" :-) I'll vote on thi

Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)

2008-01-29 Thread Gerald Combs
Sake Blok wrote: I think the idea of a pop-up explaining the way the operator "!=" works on fields with multiple occurrences in one packet is a good way to educate people. But only if there is an option to "Don't show me this message again" :-) The attached patch warns the user about "!=" and "

Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)

2008-01-29 Thread Sake Blok
Hi All, Hmmm... although some good ideas have been raised, they all had their disadvantages. Basically I think the way the filters work is fine for people who get used to the way the filters work. It is just a steep learning curve where the information needed to learn to use the display filter s

Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)

2008-01-29 Thread Jaap Keuter
Hi, In this discussion you miss the tunneled protocols, or messages like ICMP Thanx, Jaap Stig Bjørlykke wrote: > 2008/1/29, Sake Blok <[EMAIL PROTECTED]>: >> I would vote for a preference value that defaults to make >> ip != 10.0.0.1 result in !(ip.addr==10.0.0.1). > > For most of the fields i

Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)

2008-01-29 Thread Stig Bjørlykke
2008/1/29, Sake Blok <[EMAIL PROTECTED]>: > I would vote for a preference value that defaults to make > ip != 10.0.0.1 result in !(ip.addr==10.0.0.1). For most of the fields in Wireshark we need the "x!=y" and "!(x==y)" operators as they are, exactly because they have different behavior. I do not

Re: [Wireshark-dev] ip.addr != 10.0.0.1

2008-01-29 Thread John McDermott
On Tue, 29 Jan 2008 05:01:13 -0700, Jaap wrote: > > May I offer a different proposal, based on a former colleague's bug > solving method. Since we have two (three actually) ways of expressing > Not Equal, being "!(...)" and ".. != .." and ".. NE ..", why not drop > support for the ".. != .." (and

Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)

2008-01-29 Thread yin sun
then the next step could be adding "...!=..." operator back to be equivalent to "!(...)". /sunyin On Jan 29, 2008 3:55 AM, Jaap Keuter <[EMAIL PROTECTED]> wrote: > Hi, > > Well, still not that warm fuzzy feeling about it. I'll give you > something to think about. > > The whole discussion focuses

Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)

2008-01-29 Thread Jaap Keuter
Hi, Well, still not that warm fuzzy feeling about it. I'll give you something to think about. The whole discussion focuses on the use of the != operator, which is the NE operator. We'll need to consider that the same discussion can be held for the LT, LE, GT and GE operators. Imagine this st

Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)

2008-01-29 Thread Sake Blok
On Tue, Jan 29, 2008 at 10:05:27AM +0900, Kenichi Okuyama wrote: > > Sorry to interrupt you. I simply want to make sure. You mean, in > current implementation: > > a) ( ip.addr == 1.2.3.4 ) means (( ip.src == 1.2.3.4 )||( ip.dst == 1.2.3.4 > )). > > b) ( ip.addr != 1.2.3.4 ) means (( ip.src != 1

Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)

2008-01-28 Thread Kenichi Okuyama
Dear John, Sorry to interrupt you. I simply want to make sure. You mean, in current implementation: a) ( ip.addr == 1.2.3.4 ) means (( ip.src == 1.2.3.4 )||( ip.dst == 1.2.3.4 )). b) ( ip.addr != 1.2.3.4 ) means (( ip.src != 1.2.3.4 )||( ip.dst != 1.2.3.4 )) which stands for !(( ip.src == 1.2

Re: [Wireshark-dev] ip.addr != 10.0.0.1 (Guy Harris)

2008-01-28 Thread John McDermott
On Mon, 28 Jan 2008 05:01:01 -0700, <[EMAIL PROTECTED]> wrote: ip.addr == 1.2.3.4 means "show me only packets where the address 1.2.3.4 appears in *some* IP header" ip.addr != 1.2.3.4 means "show me only packets where the address in some IP header is not 1.2.3.4" > Is there any known case w

Re: [Wireshark-dev] ip.addr != 10.0.0.1

2008-01-28 Thread Sake Blok
On Sun, Jan 27, 2008 at 09:23:40PM +0100, Jaap Keuter wrote: > Stig Bjørlykke wrote: > > > > We often get questions why the filter "ip.addr != 10.0.0.1" does not > > work as expected. > > > > Is it a good idea to make some sort of special handling for filters > > like "ip.addr", "tcp.port" and "

Re: [Wireshark-dev] ip.addr != 10.0.0.1

2008-01-27 Thread Guy Harris
Ulf Lamping wrote: > As far as I understand the problem, this applies to any what I would > call "combined fields" like ip.addr being a combination of source and > (or) destination address. It applies to any field that can appear more than once in a packet. "combined fields" are one example, a

Re: [Wireshark-dev] ip.addr != 10.0.0.1

2008-01-27 Thread Ulf Lamping
Guy Harris wrote: > Ulf Lamping wrote: > >> As I've written in my other mail, I would expect a dialog box in this >> case, saying something like "ip.addr != 10.0.0.1 is very certainly not >> what you want! Should I filter !(ip.addr == 10.0.0.1) instead, which >> results in ...". >> > T

Re: [Wireshark-dev] ip.addr != 10.0.0.1

2008-01-27 Thread Guy Harris
Ulf Lamping wrote: > As I've written in my other mail, I would expect a dialog box in this > case, saying something like "ip.addr != 10.0.0.1 is very certainly not > what you want! Should I filter !(ip.addr == 10.0.0.1) instead, which > results in ...". That applies to *any* field when you do

Re: [Wireshark-dev] ip.addr != 10.0.0.1

2008-01-27 Thread Ulf Lamping
Jaap Keuter wrote: > Stig Bjørlykke wrote: > >> Hi. >> >> We often get questions why the filter "ip.addr != 10.0.0.1" does not >> work as expected. >> >> Is it a good idea to make some sort of special handling for filters >> like "ip.addr", "tcp.port" and "udp.port" to expand to the commonly >

Re: [Wireshark-dev] ip.addr != 10.0.0.1

2008-01-27 Thread Guy Harris
Jaap Keuter wrote: > I'm very much opposed to it. Boolean logic can be somewhat tricky, but > when you master the math it becomes a powerful tool. (Actually, it's more like propositional calculus vs. predicate calculus; a filter expression "{field} {comparison} {value}" means there e

Re: [Wireshark-dev] ip.addr != 10.0.0.1

2008-01-27 Thread Jaap Keuter
Stig Bjørlykke wrote: > Hi. > > We often get questions why the filter "ip.addr != 10.0.0.1" does not > work as expected. > > Is it a good idea to make some sort of special handling for filters > like "ip.addr", "tcp.port" and "udp.port" to expand to the commonly > expected behavior? > Hi, I'm

Re: [Wireshark-dev] ip.addr != 10.0.0.1

2008-01-27 Thread Ulf Lamping
Stig Bjørlykke wrote: > Hi. > > We often get questions why the filter "ip.addr != 10.0.0.1" does not > work as expected. > > Is it a good idea to make some sort of special handling for filters > like "ip.addr", "tcp.port" and "udp.port" to expand to the commonly > expected behavior Well, I don't

[Wireshark-dev] ip.addr != 10.0.0.1

2008-01-27 Thread Stig Bjørlykke
Hi. We often get questions why the filter "ip.addr != 10.0.0.1" does not work as expected. Is it a good idea to make some sort of special handling for filters like "ip.addr", "tcp.port" and "udp.port" to expand to the commonly expected behavior? -- Stig Bjørlykke