Hi, In this discussion you miss the tunneled protocols, or messages like ICMP
Thanx, Jaap Stig Bjørlykke wrote: > 2008/1/29, Sake Blok <[EMAIL PROTECTED]>: >> I would vote for a preference value that defaults to make >> ip != 10.0.0.1 result in !(ip.addr==10.0.0.1). > > For most of the fields in Wireshark we need the "x!=y" and "!(x==y)" > operators as they are, exactly because they have different behavior. > I do not want to change this. > > The problem, as I see it, is the combined fields which matches two > different fields, like ip.addr, tcp.port, udp.port and probably some > others, where the user has other expectations how they work. So I > think we shall focus on them and not the operators. > > When I think of ip.addr I'm thinking "they", as in ip.src and ip.dst. > When I write ip.addr != 10.0.0.1 I'm thinking "they shall not be > 10.0.0.1", as in none of them. This is because the field matches two > different fields I want to filter out. The same goes with LT and GT. > > Our combined fields should be marked as combined (in the source), and > only this fields should be handled differently, or simply just give a > warning to the user why they will not work as expected. > > But does it make the functionality difficult to understand or describe > correctly? > > _______________________________________________ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
