On Fri, Jun 29, 2007 at 03:38:49PM +0900, Mitsuho Iizuka wrote:
>
> > Secondly, you need to change your filter string. The filter
> > "tcp.port != 1035 && tcp.port != 1036" means "look for a packet
> > where EITHER tcp.port does not equal 1035 AND EITHER tcp.port does
> > not equal 1036". The correct filter would be:
> > "!( tcp.port == 1035 || tcp.port == 1036 )" which means "look for
> > a packet that does not match EITHER tcp.port equals 1035 nor EITHER
> > tcp.port equals 1036".
> >
> > Have a look at "http://wiki.wireshark.org/DisplayFilters" (especially
> > the paragraph "Gotchas").
>
> It seems they are equivalent according to the well-known mathematics
> formula?
>
> !(A U B) = (!A && !B).
>
> It was long before. Anyway I have a simple packet dump now.
>
> I looked at above Gotchas. But Gotchas paragraph seems to describe
> a different context.

Yes, the example uses a different field (ip.addr), but the context is
the same. Since there are two TCP ports in a packet, the filter
tcp.port!=x is actually replaced by "(tcp.srcport!=x or tcp.dstport!=x)".
This breaks the logic !(A U B) = (!A && !B):

(tcp.port!=A && tcp.port!=B)
= ((tcp.srcport!=A U tcp.dstport!=A) && (tcp.srcport!=B U tcp.dstport!=B))
= (!(!tcp.srcport!=A && !tcp.dstport!=A) && !(!tcp.srcport!=A && !tcp.dstport!=A) )
= (!(tcp.srcport==A && tcp.dstport==A) && !(tcp.srcport==B && tcp.dstport==B))
= !(tcp.srcport==A && tcp.dstport==A && tcp.srcport==B && tcp.dstport==B)
= !((tcp.srcport==A && tcp.srcport==B) && (tcp.dstport==A && tcp.dstport==B))
= !(FALSE && FALSE)
= !FALSE
= TRUE

So actually your filter would match all the packets in the trace ;-)

It can be a bit confusing indeed :)

Cheers,
Sake
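
The difference between the two filters discussed in this thread, modelled in Python as an added example (not part of the original messages and not Wireshark code). It assumes the any-value comparison on tcp.port described in the reply above; the packet list and all function names are constructed for illustration.

```python
"""Model of display-filter comparisons on a multi-valued field (added example)."""

# Constructed sample packets as (srcport, dstport); not taken from a real trace.
PACKETS = [
    (1035, 80),     # client on 1035 talking to a web server
    (80, 1035),     # the reply
    (1036, 443),
    (443, 1036),
    (50000, 22),    # unrelated to either port
    (1035, 1036),   # both ports are ones we want to hide
]

def tcp_port(pkt):
    """tcp.port carries two values per packet: srcport and dstport."""
    return list(pkt)

def any_ne(values, x):
    """'field != x' as described in the thread: true if ANY value differs."""
    return any(v != x for v in values)

def any_eq(values, x):
    """'field == x': true if ANY value equals x."""
    return any(v == x for v in values)

def filter_ne(pkt, a=1035, b=1036):
    """tcp.port != a && tcp.port != b"""
    p = tcp_port(pkt)
    return any_ne(p, a) and any_ne(p, b)

def filter_not_eq(pkt, a=1035, b=1036):
    """!(tcp.port == a || tcp.port == b)"""
    p = tcp_port(pkt)
    return not (any_eq(p, a) or any_eq(p, b))

def filter_explicit(pkt, a=1035, b=1036):
    """De Morgan applied to the single-valued fields tcp.srcport and tcp.dstport."""
    src, dst = pkt
    return src != a and src != b and dst != a and dst != b

def matches(flt):
    """Return the sample packets a filter function lets through."""
    return [pkt for pkt in PACKETS if flt(pkt)]

if __name__ == "__main__":
    print("tcp.port != 1035 && tcp.port != 1036    ->", matches(filter_ne))
    print("!(tcp.port == 1035 || tcp.port == 1036) ->", matches(filter_not_eq))
    print("explicit srcport/dstport form           ->", matches(filter_explicit))
```

On this sample the first filter lets every packet through, while the negated form and the explicit tcp.srcport/tcp.dstport form both leave only the packet that touches neither port.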