Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

asked 2022-11-10 10:50:12 +0000

dherrero gravatar image

!ip.addr vs ip.addr !=

Reviewing the following links:

  • https://ask.wireshark.org/question/1751/difference-between-ipaddr-192021-and-ipaddr-192021/
  • https://wiki.wireshark.org/DisplayFilters.md#gotchas

They explain why

ip.addr != 10.43.54.65 is different from !ip.addr == 10.43.54.65

They say that

ip.addr != 10.43.54.65

is equivalent to

ip.src != 10.43.54.65 or ip.dst != 10.43.54.65

The problem is that doing test in latest wireshark version 4.0.0 this do not seem to be true. If you use the display filter

ip.addr != 192.168.1.72

image description

it does hide paquets with ip.src or ip.dst equals to 192.168.1.72, same happens with the filter

!ip.addr == 192.168.1.72

image description

But if you use the filter

ip.src != 192.168.1.72 or ip.addr != 192.168.1.72

I can se packets with ip.src or ip.dst equals to 192.168.1.72, it only filter packets with ip.src AND ip.dst equals to 192.168.1.72

image description

This is not the intended behaviour attending to wireshark wiki. What is wrong with this display filters?

Regards

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2