Wireshark-users: Re: [Wireshark-users] how to drop 400 unwanted packets to analyze with wireshark
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 29 Jun 2007 10:35:00 -0700
Mitsuho Iizuka wrote:

It seems they are equivalent according to the welknown mathematics
formula ?

    !(A U B) = (!A && !B).

Predicate calculus (first-order logic), with the "for all" and "there exist" constructs, is a better model than just propositional calculus. There can, in a packet, be *more than one instance* of a field.

"{field} {op} {value}" means

there exists an instance of the field {field} whose value "v" is such that v {op} {value}

so "tcp.port != 1035" means

	there exists an instance of "tcp.port" whose value is not equal to 1035.

Thus, "tcp.port != 1035 && tcp.port != 1036" means

(there exists an instance of "tcp.port" whose value is not equal to 1035) and (there exists an instance of "tcp.port" whose value is not equal to 1036)

with *NO* guarantee that the two instances of "tcp.port" are the same.

!(tcp.port == 1035 || tcp.port == 1036)" means

it is not true that (there exists an instance of "tcp.port" whose value is equal to 1035 or there exists an instance of "tcp.port" whose value is equal to 1036)

The law you cite means that's equivalent to

(it is not true that there exists an instance of "tcp.port" whose value is equal to 1035) and (it is not true that there exists an instance of "tcp.port" whose value is equal to 1036)

which is equivalent to

(for all instances of "tcp.port", the value is not equal to 1035) and (for all instances of "tcp.port", the value is not equal to 1036)

which is not equivalent to

(there exists an instance of "tcp.port" whose value is not equal to 1035) and (there exists an instance of "tcp.port" whose value is not equal to 1036)

In particular, a packet with a source port of 1035 and a destination port of 1036 is matched by

(there exists an instance of "tcp.port" whose value is not equal to 1035) and (there exists an instance of "tcp.port" whose value is not equal to 1036)

as the second instance of "tcp.port" has a value of 1036, which is not 1035, and the first instance of "tcp.port" has a value of 1035, which is not 1036. That packet is, however, not matched by

(for all instances of "tcp.port", the value is not equal to 1035) and (for all instances of "tcp.port", the value is not equal to 1036)

because the packet has one instance of "tcp.port" equal to 1035 and one instance of "tcp.port" equal to 1036.

It was long before. Anyway I have a simple packet dump now.

I looked at above Gotchas. But Gotchas paragraph seems to describe
a different context.

Different in what fields it discusses (IP source and destination addresses, and the synthetic "ip.addr" field which is added for both of them, rather than TCP source and destination ports, and the synthetic "tcp.port" field which is added for both of them), but it's the same underlying problem ("X != Y" is *NOT* equivalent to "!(X == Y)" - the first is "there exists an X that is not equal to Y", the latter is "it is not the case that (there exists an X that is equal to Y)", which is "for all X, X is not equal to Y").