Revision history

initial version

Wireshark filter field turns yellow with a tangle mark.

Wireshark is warning you that the filter may not work as you intended. This is due to an apparent ambiguity with respect to logical operator precedence between "and" and "or", which unfortunately isn't well documented on the wireshark-filter man page.

In the old days, logical "or" took precedence over logical "and", but that was changed beginning with the Wireshark 3.7.0 development release, soon to become Wireshark 4.0. In any case, it's probably best to use parentheses to avoid any such ambiguities (and to avoid the yellow display filter warning).

So, if you want a filter that matches either DNS or LDAP traffic, but only when both the IP source and destination addresses are 10.0.20.62, then you should be able to use a filter such as this:

(dns or ldap) and (ip.src==10.0.20.62 and ip.dst==10.0.20.62)

For the second set of filters you provided, they can be combined as follows:

(dns or ldap) and (ip.src==10.0.20.62)
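Added example (not from this answer and not Wireshark code): a small Python evaluator for a reduced display-filter syntax that can apply either precedence rule, run over constructed packet summaries, to show that the parenthesized filters above select the same packets under both rules while the unparenthesized form does not. The tokenizer, the two-level evaluator and the packet records are assumptions made for illustration.

```python
import re

# Tokens: parentheses, the keywords "and"/"or", bare protocol names and
# field==value comparisons. This is an assumed, much-reduced filter syntax.
TOKEN = re.compile(r"[()]|[^\s()]+")

def atom_matches(tok, pkt):
    """A bare name tests protocol presence; field==value compares a field."""
    if "==" in tok:
        field, value = tok.split("==", 1)
        return pkt.get(field) == value
    return tok in pkt["protos"]

def evaluate(expr, pkt, and_binds_tighter):
    """Evaluate expr against one packet under the chosen operator precedence."""
    toks, pos = TOKEN.findall(expr), 0
    loose, tight = ("or", "and") if and_binds_tighter else ("and", "or")

    def combine(op, lhs, rhs):
        return (lhs and rhs) if op == "and" else (lhs or rhs)

    def parse_primary():
        nonlocal pos
        tok = toks[pos]; pos += 1
        if tok == "(":                      # parentheses override precedence
            val = parse_level(loose)
            assert toks[pos] == ")"; pos += 1
            return val
        return atom_matches(tok, pkt)

    def parse_level(op):                    # precedence climbing, two levels
        nonlocal pos
        sub = parse_primary if op == tight else lambda: parse_level(tight)
        val = sub()
        while pos < len(toks) and toks[pos] == op:
            pos += 1
            val = combine(op, val, sub())
        return val

    result = parse_level(loose)
    if pos != len(toks):
        raise ValueError("unbalanced or trailing tokens in filter")
    return result

# Constructed packet summaries standing in for a capture (not real traffic).
PACKETS = [
    {"protos": {"dns"}, "ip.src": "10.0.20.62", "ip.dst": "10.0.20.62"},
    {"protos": {"dns"}, "ip.src": "10.0.20.62", "ip.dst": "8.8.8.8"},
    {"protos": {"ldap"}, "ip.src": "192.168.1.5", "ip.dst": "10.0.20.62"},
    {"protos": {"http"}, "ip.src": "10.0.20.62", "ip.dst": "10.0.20.62"},
]
AMBIGUOUS = "dns or ldap and ip.src==10.0.20.62 and ip.dst==10.0.20.62"
EXPLICIT = "(dns or ldap) and (ip.src==10.0.20.62 and ip.dst==10.0.20.62)"

def matching_packets(expr, and_binds_tighter):
    """Indexes of PACKETS selected by the filter under the given precedence."""
    return [i for i, p in enumerate(PACKETS) if evaluate(expr, p, and_binds_tighter)]
```

With "and" binding tighter, the unparenthesized filter reads as `dns or (ldap and ...)` and also matches the DNS packet sent to 8.8.8.8; the parenthesized form selects only the first packet either way.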