Wireshark-users: Re: [Wireshark-users] how to drop 400 unwanted packets to analyze with wireshark
Mitsuho Iizuka wrote:
It seems they are equivalent according to the welknown mathematics
formula ?
!(A U B) = (!A && !B).
Predicate calculus (first-order logic), with the "for all" and "there
exist" constructs, is a better model than just propositional calculus.
There can, in a packet, be *more than one instance* of a field.
"{field} {op} {value}" means
there exists an instance of the field {field} whose value "v" is such
that v {op} {value}
so "tcp.port != 1035" means
there exists an instance of "tcp.port" whose value is not equal to 1035.
Thus, "tcp.port != 1035 && tcp.port != 1036" means
(there exists an instance of "tcp.port" whose value is not equal to
1035) and (there exists an instance of "tcp.port" whose value is not
equal to 1036)
with *NO* guarantee that the two instances of "tcp.port" are the same.
!(tcp.port == 1035 || tcp.port == 1036)" means
it is not true that (there exists an instance of "tcp.port" whose value
is equal to 1035 or there exists an instance of "tcp.port" whose value
is equal to 1036)
The law you cite means that's equivalent to
(it is not true that there exists an instance of "tcp.port" whose value
is equal to 1035) and (it is not true that there exists an instance of
"tcp.port" whose value is equal to 1036)
which is equivalent to
(for all instances of "tcp.port", the value is not equal to 1035) and
(for all instances of "tcp.port", the value is not equal to 1036)
which is not equivalent to
(there exists an instance of "tcp.port" whose value is not equal to
1035) and (there exists an instance of "tcp.port" whose value is not
equal to 1036)
In particular, a packet with a source port of 1035 and a destination
port of 1036 is matched by
(there exists an instance of "tcp.port" whose value is not equal to
1035) and (there exists an instance of "tcp.port" whose value is not
equal to 1036)
as the second instance of "tcp.port" has a value of 1036, which is not
1035, and the first instance of "tcp.port" has a value of 1035, which is
not 1036. That packet is, however, not matched by
(for all instances of "tcp.port", the value is not equal to 1035) and
(for all instances of "tcp.port", the value is not equal to 1036)
because the packet has one instance of "tcp.port" equal to 1035 and one
instance of "tcp.port" equal to 1036.
It was long before. Anyway I have a simple packet dump now.
I looked at above Gotchas. But Gotchas paragraph seems to describe
a different context.
Different in what fields it discusses (IP source and destination
addresses, and the synthetic "ip.addr" field which is added for both of
them, rather than TCP source and destination ports, and the synthetic
"tcp.port" field which is added for both of them), but it's the same
underlying problem ("X != Y" is *NOT* equivalent to "!(X == Y)" - the
first is "there exists an X that is not equal to Y", the latter is "it
is not the case that (there exists an X that is equal to Y)", which is
"for all X, X is not equal to Y").