Wireshark · Wireshark-dev: Re: [Wireshark-dev] ip.addr != 10.0.0.1

[Ulf Lamping <ulf.lamping@xxxxxx>]

Guy Harris schrieb:
> Ulf Lamping wrote:
>   
> > As I've written in my other mail, I would expect a dialog box in this 
> > case, saying something like "ip.addr != 10.0.0.1 is very certainly not 
> > what you want! Should I filter !(ip.addr == 10.0.0.1) instead, which 
> > results in ...".
> >     
> That applies to *any* field when you do a "!=" comparison; it's not 
> unique to ip.addr (that's probably the most common example, but tcp.port 
> and udp.port are probably also somewhat common places where this 
> surprises users).  If we're to pop up a warning, I'd pop it up for any 
> use of "!=", and offer a "don't show this dialog any more" checkbox so 
> that the user can say "OK, I understand now" and not be bothered in the 
> future
As far as I understand the problem, this applies to any what I would 
call "combined fields" like ip.addr being a combination of source and 
(or) destination address. Of course this problem also applies to 
eth.addr, tcp.port and udp.port, and yes, these are the most common 
examples - and help the users with these cases would already be a good 
step forward.

I personally know at least 10 persons who had actual problems with this!!!

"simple filter fields" like eth.type != 0x800 works just as expected - 
making the problem even more confusing if you don't know what's going on ;-)

Regards, ULFL