It appears that we have to press the ENTER key twice after choosing an entry from the dropdown list in order to have it applied. Following your steps, after we start typing and then click on one of the entries from the drop down list, the [X] control is added to the text entry field and the [->] control color changes to indicate it can be clicked. The fact that the [->] control is now clickable implies that currently entered display filter has NOT been applied. Pressing ENTER once in my test causes the status bar to update, but it does not actually apply the display filter. Pressing ENTER a second time causes the filter to be applied and the [->] control changes color to indicate is no longer selectable.
RTFM (reading the fine manual, version 4.3.0) I so far only see a reference in section 6.3 which states "Don’t forget to press enter or click on the apply display filter button after entering the filter expression."
Anyone have a manual reference that says "ENTER twice"?
But there is a difference between entering the filter expression, as in typing it, and selecting it from the drop-down list. If you're entering the display filter, then you only need to press ENTER once, but if you're selecting the display filter from the list, then you'll need to press ENTER twice, once to choose it and once to apply it.
With version 4.0.8 on my machine I am choosing from the list and hitting ENTER once. I click into the filter area, type the letter 'i', the list appears, I choose the one I want, hit ENTER once and that filter is active. Is there a man page describing the method you are describing?
I choose the one I want
How exactly are you choosing the one you want? You can choose it with your mouse or you can use your arrow keys to arrow down to the filter you want and press ENTER to choose the filter.
I have retried both ways and indeed I now do see the difference in behavior between 4.08 and 4.2.0 if you use the mouse method to select the display filter. I hadn't noticed any difference in behavior previously because I was using the keyboard arrow keys method to select it. So yes, there is a difference in behavior, but I have no idea why this is so or if it's intentional or not. I suspect it's unintentional though and therefore a bug should probably be filed for it so the prior behavior is restored.
For reference to anyone else experiencing this problem and finding this question, the issue filed was Issue 19507 - Display filter activation change in Wireshark 4.2.0?
How about using ip.addr == 192.168.1.72 as a filter? That is what I use for a good number of years.
I don't think this really answers the question. While the ip.addr == 192.168.1.72 filter is essentially equivalent to ip.src==192.168.1.72 || ip.dst==192.168.1.72, the fact remains that ip.src==192.168.1.72 || ip.dst==192.168.1.72 should still work, so if it doesn't, then something is wrong.
Functionally, the 2 filters should behave the same. If they don't, a Wireshark bug report should be filed so that someone can verify the incorrect behavior and hopefully correct it and include that fix in the next Wireshark release.
Asked: 2023-11-27 15:53:22 +0000
Seen: 350 times
Last updated: Nov 29 '23
Version 4.2.0 (v4.2.0-0-g54eedfc63953)
filter:
ip.src==192.168.1.72 || ip.dst==192.168.1.72when I start typing the filter "ip=...." a dropdown list of previously entered / bookmarked filters appears.
when I choose the one we were discussing, nothing changes. all packets are still displayed - no filtering.
however, I discovered that if I edit that bookmarked filter by erasing the any characters (say, an OR bar, or the last '2') and re-enter it, the filter then works as it should. the same if I type in the complete filter anew.
my suspicion is that the bookmarked filters from previous WS versions installed are somehow incompatible with this new version.