Questions about WS Display filters - Documentation unclear

asked 2024-04-04 05:29:47 +0000

ENorton
1 ●1

In the current version of WS and documentation there's an example of a display filter

ip.addr == 10.43.54.65 equivalent to ip.src == 10.43.54.65 or ip.dst == 10.43.54.65
I'm good with that.

But if you filter out the IP address one could use ip.addr != 10.43.54.65 But from the docs, it looks like in previous versions of WS it wasn't working properly and the docs say to use ! ( ip.addr == 10.43.54.65 ) which would be equivalent to ip.src != 10.43.54.65 or ip.dst != 10.43.54.65

It's not clear, but has this issue been fixed? And ip.addr != 10.43.54.65 is now working as expected? And it would filter out source 10.43.54.65 OR destination 10.43.54.65 displaying ALL IP except 10.43.54.65?

Can you give 1 or two syntax examples for === ?

Thank you

answered 2024-04-04 19:46:00 +0000

Jaap

13742 ●711 ●115

Yes, this display filter behaviour has been enhanced to act more intuitively. So an expression as ip.addr != 10.43.54.65 does indeed now means that all contributing fields (ip.src and ip.dst) have to be unequal to the value for the expression to be true. The operator alias all_ne (all not equal) of != makes it even more clear.

To filter packets that come and go to the loopback address, the display filter expression ip.addr === 127.0.0.1 would match those packets. The operator alias all_eq (all equal) of === makes this even more clear.

Another example would be udp.port === 123 which matches NTP server to server packets.

edit flag offensive delete link

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Questions about WS Display filters - Documentation unclear

1 Answer

Your Answer

Question Tools

Stats

Related questions

Questions about WS Display filters - Documentation unclear edit

1 Answer

Your Answer

Question Tools

Stats

Related questions

Questions about WS Display filters - Documentation unclear