On Mon, 28 Jan 2008 05:01:01 -0700, <[EMAIL PROTECTED]> wrote: ip.addr == 1.2.3.4 means "show me only packets where the address 1.2.3.4 appears in *some* IP header" ip.addr != 1.2.3.4 means "show me only packets where the address in some IP header is not 1.2.3.4"
> Is there any known case where <field> != <value> is useful in it's > current behaviour when <field> occurs multiple times in the packet? The != case is generally == TRUE. > Why not make a preference on the behaviour of the "!=" operator in > a display filter. We could make it default to "show me all packets > that do not contain *any* field <field> with value <value>". So, ip.addr means "any ip.addr". How about using !ip.addr to mean no ip.addr? So !ip.addr == 1.2.3.4 means "no ip address matches 1.2.3.4" So, I wondered what that would do if I tried it. Holy smokes. It works. We already have a way to say it. I do not think we need to change anything. Maybe the expression builder could have !ip.addr and the corresponding !whaterers in the menu. We discussed the embedded packet case some time ago. Did't we decide on subscripts or something to deal with that? I have no way to gen such packets here right now. --john -- John McDermott, CPLP, CCP Learning and Performance Consultant jjm at jkintl.com www.jkintl.com V: +1 575/377-6293 Please call for fax access. _______________________________________________ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
