IP packets have two addresses - a source address and a destination address - and so have two ip.addr fields, one with the value of the source address and one with the value of the destination address.

"ip.addr == 192.0.2.1" means "match all packets that contain at least one instance of the ip.addr field with the value 192.0.2.1", so it will match packets from 192.0.2.1 and packets to 192.0.2.1.

"!(ip.addr == 192.0.2.1)" means "don't match any packets that contain at least one instance of the ip.addr field with the value 192.0.2.1", so it will not match packets from 192.0.2.1 or packets to 192.0.2.1.

"ip.addr != 192.0.2.1" means "match all packets that contain at least one instance of the ip.addr field with a value other than 192.0.2.1", so it will match packets from 192.0.2.1 that aren't going to 192.0.2.1, as the destination address will not be equal to 192.0.2.1, and will match packets to 192.0.2.1 that aren't from 192.0.2.1, as the source address will not be equal to 192.0.2.1.

Do NOT think of "{field} = {value}" as meaning "match only packets where the field {field} has the value {value}", and do NOT think of "{field} != {value}" as meaning "match only packets where the field {field} doesn't have the value {value}", because there is no guarantee that there is any such thing as "the field {field}". There can be multiple instances of a field in a packet; "{field} = {value}" means "match packets where there exists an instance of the field {field} that has the value {value}", and "{field} != {value}" means "match packets where there exists an instance of the field {field} that does not have the value {value}" (and the same applies to other comparison operators). The opposite of "there exists an X such that property Y applies to X" is not "there exists an X such that property Y does not apply to X", it's "for all X, property Y does not apply to X".
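The "there exists an instance" semantics described in the answer, as an added example that is not part of the original post and is not Wireshark's own filter engine: each constructed sample packet carries its two ip.addr instances (source, then destination), and the four functions model `ip.addr == X`, `ip.addr != X`, `!(ip.addr == X)`, and the "for all instances" negation the answer ends with.

```python
# Constructed sample packets: each entry lists the ip.addr field instances a
# packet would carry, source address first, then destination address.
PACKETS = {
    "from_target": ["192.0.2.1", "198.51.100.7"],
    "to_target":   ["198.51.100.7", "192.0.2.1"],
    "loopback":    ["192.0.2.1", "192.0.2.1"],    # src and dst both equal X
    "unrelated":   ["203.0.113.5", "198.51.100.7"],
}


def any_eq(fields, value):
    """'ip.addr == value': at least one instance of the field equals value."""
    return any(f == value for f in fields)


def any_ne(fields, value):
    """'ip.addr != value': at least one instance of the field differs from value."""
    return any(f != value for f in fields)


def not_any_eq(fields, value):
    """'!(ip.addr == value)': no instance of the field equals value."""
    return not any_eq(fields, value)


def all_ne(fields, value):
    """'for all instances, instance != value': the true negation of any_eq."""
    return all(f != value for f in fields)


def matching(filter_fn, value):
    """Names of the sample packets that a filter function selects."""
    return sorted(name for name, fields in PACKETS.items() if filter_fn(fields, value))


if __name__ == "__main__":
    target = "192.0.2.1"
    for fn in (any_eq, any_ne, not_any_eq, all_ne):
        print(f"{fn.__name__:11s} {target}: {matching(fn, target)}")
```

Note that `any_ne` selects the packets from and to 192.0.2.1 but not the loopback packet, where both instances equal 192.0.2.1, while `not_any_eq` and `all_ne` agree on every packet.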