Wireshark-users: Re: [Wireshark-users] What is wrong with this filter?
From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Date: Wed, 25 Mar 2009 13:02:06 -0600
On Wed, Mar 25, 2009 at 02:42:11PM -0400, Parkis, Scott wrote:

> p.addr==192.168.2.34 and (ip.addr!=10.1.10.150 and 
> ip.addr!=10.1.11.140)
> 
> I want to show all packets src and/or dest from 2.34 but I do not want 
> any packets to/from 10.150 and 11.140. I tried it with and without the 
> () but it still shows me results with those two 10.1.x.x.

If you have a newer version of Wireshark, the filter box will turn 
yellow and say "!= may have unexpected results (see the User's Guide)" 
in the bottom status bar.  See section 6.4.4 in the User's Guide for an 
explanation of why this isn't working: 
http://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html#ChWorkBuildDisplayFilterMistake

You'll want to do something like !(ip.addr == x.x.x.x) as the user's 
guide states.


Steve
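
Added example, not part of the original message: a small Python model of why the quoted filter still shows the two 10.1.x.x hosts. It assumes the behaviour the reply and the User's Guide section describe, where ip.addr stands for both ip.src and ip.dst and a comparison is true if either field satisfies it; the packets and function names are constructed for illustration.

```python
# Constructed sample packets as (ip.src, ip.dst); not from a real capture.
PACKETS = [
    ("192.168.2.34", "10.1.10.150"),
    ("10.1.11.140", "192.168.2.34"),
    ("192.168.2.34", "172.16.0.9"),
    ("172.16.0.9", "10.1.10.150"),
]

HOST = "192.168.2.34"
EXCLUDED = ("10.1.10.150", "10.1.11.140")


def addr_eq(pkt, value):
    """Model of 'ip.addr == value': true if ANY address field equals value."""
    return any(addr == value for addr in pkt)


def addr_ne(pkt, value):
    """Model of 'ip.addr != value': true if ANY address field differs.

    With two different addresses in a packet, at least one of them
    always differs from value, so this is almost always true.
    """
    return any(addr != value for addr in pkt)


def original_filter(pkt):
    # ip.addr==HOST and (ip.addr!=10.1.10.150 and ip.addr!=10.1.11.140)
    return addr_eq(pkt, HOST) and all(addr_ne(pkt, x) for x in EXCLUDED)


def corrected_filter(pkt):
    # ip.addr==HOST and !(ip.addr==10.1.10.150) and !(ip.addr==10.1.11.140)
    return addr_eq(pkt, HOST) and not any(addr_eq(pkt, x) for x in EXCLUDED)


def run(flt):
    """Return the packets a filter would display."""
    return [pkt for pkt in PACKETS if flt(pkt)]


if __name__ == "__main__":
    print("original :", run(original_filter))
    print("corrected:", run(corrected_filter))
```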