On Sun, Jan 27, 2008 at 09:23:40PM +0100, Jaap Keuter wrote:
> Stig Bjørlykke wrote:
> >
> > We often get questions why the filter "ip.addr != 10.0.0.1" does not
> > work as expected.
> >
> > Is it a good idea to make some sort of special handling for filters
> > like "ip.addr", "tcp.port" and "udp.port" to expand to the commonly
> > expected behavior?
>
> I'm very much opposed to it. Boolean logic can be somewhat tricky, but
> when you master the math it becomes a powerful tool. Wireshark is a
> power tool. Therefore we have to educate the users, by teaching them how to
> use it. The Wiki is a good place, and can always be improved upon, so it
> can be the primary reference to the subject.
Although I totally agree that we should not mess with a logical
consistent world and the complexity of the many ways in which a
field can exist multiple times in one packet, I would like to look
at this issue from another perspective.
Is there any known case where <field> != <value> is useful in its
current behaviour when <field> occurs multiple times in the packet?
Maybe there are some, but I think that would be only used in very
specific cases where the user is already very knowledgeable.
Why not make a preference on the behaviour of the "!=" operator in
a display filter? We could make it default to "show me all packets
that do not contain *any* field <field> with value <value>". When someone
really needs the old behaviour the meaning of "!=" can be reset to
"show me all packets where *all* fields <field> do not have
value <value>".
It does make the use of "!=" more intuitive, which of course is another
kind of logic ;-)
Just my EUR 0,02 :-)
Cheers,
Sake
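The behaviour this thread is about, as an added illustration that is not code from the thread or from Wireshark: a small Python evaluator runs `ip.addr != 10.0.0.1` over constructed packets under the "some occurrence differs" reading of `!=` and under the `!(ip.addr == 10.0.0.1)` reading that users usually expect. The packet list, the alias table and the function names are constructed for the example; `ip.addr` expanding to both `ip.src` and `ip.dst` is how Wireshark treats it.

```python
# Added illustration of "!=" on a field that occurs more than once per packet.
# Constructed packets and helper names, not Wireshark code.

# Each constructed packet lists every occurrence of a field by name.
PACKETS = [
    {"no": 1, "ip.src": "10.0.0.1", "ip.dst": "10.0.0.2"},
    {"no": 2, "ip.src": "10.0.0.2", "ip.dst": "10.0.0.1"},
    {"no": 3, "ip.src": "10.0.0.3", "ip.dst": "10.0.0.4"},
    {"no": 4, "ip.src": "10.0.0.1", "ip.dst": "10.0.0.1"},
]

# Pseudo-fields that expand to several real fields, as ip.addr does.
ALIASES = {"ip.addr": ("ip.src", "ip.dst")}


def occurrences(pkt, field):
    """Every value of <field> in pkt; an alias yields each member's value."""
    names = ALIASES.get(field, (field,))
    return [pkt[n] for n in names if n in pkt]


def any_ne(pkt, field, value):
    """'!=' read as 'some occurrence differs': true as soon as one
    occurrence of <field> is not <value>. A packet with 10.0.0.1 as source
    and anything else as destination still passes."""
    return any(v != value for v in occurrences(pkt, field))


def not_eq(pkt, field, value):
    """'!(field == value)': true only when no occurrence equals <value>."""
    return not any(v == value for v in occurrences(pkt, field))


def apply_filter(pred, field, value, packets=PACKETS):
    """Packet numbers that pass the filter under the given reading of '!='."""
    return [p["no"] for p in packets if pred(p, field, value)]


if __name__ == "__main__":
    print("ip.addr != 10.0.0.1 (some occurrence differs):",
          apply_filter(any_ne, "ip.addr", "10.0.0.1"))
    print("!(ip.addr == 10.0.0.1):",
          apply_filter(not_eq, "ip.addr", "10.0.0.1"))
    # For a field that occurs once, such as ip.src, both readings agree.
    print("ip.src != 10.0.0.1 under both readings:",
          apply_filter(any_ne, "ip.src", "10.0.0.1"),
          apply_filter(not_eq, "ip.src", "10.0.0.1"))
```

Only packet 4, where both addresses are 10.0.0.1, is dropped by the first reading; the second reading keeps only packet 3, which is what someone typing the filter usually wants.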