The reason for this, is that the expression ip.addr != 1.2.3.4 must be read as “the packet contains a field named ip.addr with a value different from 1.2.3.4”. Instead, that expression will even be true for packets where either source or destination IP address equals 1.2.3.4. Unfortunately, this does not do the expected. Then they use ip.addr != 1.2.3.4 to see all packets not containing the IP address 1.2.3.4 in it. Often people use a filter string to display something like ip.addr = 1.2.3.4 which will display all packets containing the IP address 1.2.3.4. Using the != operator on combined expressions like eth.addr, ip.addr, tcp.port, and udp.port will probably not work as expected. Which filters packets where either the source OR the destination is not C, and that's every packet, so it shows every packet. Which filters packets where source or destination match, and then hides them (correctly). In Boolean Logic, A not equals B and not A equals B are the same test.īut, the relevant part of the WireShark documentation linked by Jürgen Thelen explains that in WireShark, ip.addr covers both the source and destination field, so the test is more like: not ((A or B) equals C)
0 Comments
Leave a Reply. |