Ask Your Question

!ip.addr vs ip.addr !=

asked 2022-11-10 10:50:12 +0000

dherrero gravatar image

Reviewing the following links:

They explain why

ip.addr != is different from !ip.addr ==

They say that

ip.addr !=

is equivalent to

ip.src != or ip.dst !=

The problem is that doing test in latest wireshark version 4.0.0 this do not seem to be true. If you use the display filter

ip.addr !=

image description

it does hide paquets with ip.src or ip.dst equals to, same happens with the filter

!ip.addr ==

image description

But if you use the filter

ip.src != or ip.addr !=

I can se packets with ip.src or ip.dst equals to, it only filter packets with ip.src AND ip.dst equals to

image description

This is not the intended behaviour attending to wireshark wiki. What is wrong with this display filters?


edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2022-11-10 16:07:15 +0000

Jaap gravatar image

If you've been following the news you might have picked up that the display filter engine has undergone some rigorous rework in the latest Wireshark release. One of the more obvious changes is the change in interpretation of the != operator. Where it used to be interpreted as "any not equal", it is now interpreted as "all not equal".

edit flag offensive delete link more


yes, you are right! So in the wiki ( they should change the operator != for !== .

dherrero gravatar imagedherrero ( 2022-11-10 16:19:54 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2022-11-10 10:50:12 +0000

Seen: 316 times

Last updated: Nov 10 '22