display filter != no longer works

I use the filter "ip.addr != 10.0.0.0/8 && !(ip.addr == 224.0.0.0/3)" to identify any traffic between our network and the outside (and also exclude class-D address space). This filter no longer works. It does work if I write it as "ip && (!(ip.src == 10.0.0.0/8) || !(ip.dst == 10.0.0.0/8)) && !(ip.addr == 224.0.0.0/3)" but I need to add IP and explicitly consider both the source and destination.

$ ./wireshark -v
Wireshark 3.6.2 (v3.6.2-0-g626020d9b3c3)

Copyright 1998-2022 Gerald Combs [email protected] and contributors. License GPLv2+: GNU GPL version 2 or later https://www.gnu.org/licenses/gpl-2.0.html This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using Microsoft Visual Studio 2019 (VC++ 14.29, build 30139), with Qt 5.15.2, with libpcap, with GLib 2.66.4, with zlib 1.2.11, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.44.0, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.10, with libsmi 0.4.8, with QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with SpeexDSP (using bundled resampler), with Minizip.

Running on 64-bit Windows 10 (21H1), build 19043, with Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz (with SSE4.2), with 16275 MB of physical memory, with GLib 2.66.4, with Qt 5.15.2, with Npcap version 1.55, based on libpcap version 1.10.2-PRE-GIT, with c-ares 1.17.0, with GnuTLS 3.6.3, with Gcrypt 1.8.3, with nghttp2 1.44.0, with brotli 1.0.9, with LZ4 1.9.3, with Zstandard 1.4.0, without AirPcap, with LC_TYPE=English_United States.utf8, binary plugins supported (0 loaded).

I just upgraded from 3.4.12 and it worked there.

melds
asked 2022-03-07 22:05:10 +0000
grahamb
updated 2022-03-08 08:35:00 +0000

Comments

Please add the output of wireshark -v or Help->About Wireshark:Wireshark to the question.
Do you know the previous version where it worked?

Chuckc (2022-03-08 00:06:26 +0000)

2 Answers

Try ip.addr ~= 10.0.0.0/8 && !(ip.addr == 224.0.0.0/3)

It would be easy to miss in the upgrade from 3.4.12 -> 3.6.2: Wireshark 3.6.0 Release Notes

Several changes have been made to the display filter syntax:

The expression “a != b” now always has the same meaning as “!(a == b)”. In particular this means filter expressions with multi-value fields like “ip.addr != 1.1.1.1” will work as expected (the result is the same as typing “ip.src != 1.1.1.1 and ip.dst != 1.1.1.1”). This avoids the contradiction (a == b and a != b) being true.

It is possible to use the syntax “a ~= b” or “a any_ne b” to recover the previous (inconsistent with "==") logic for not equal.
Chuckc
answered 2022-03-08 01:51:45 +0000

Comments

Next release will deprecate ~=: dfilter: Deprecate "~=" (any_ne)

Chuckc (2022-03-09 16:05:28 +0000)
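The semantic change quoted in this answer, modelled as an added example that is not part of the original thread: a small Python simulation of how a multi-value field such as ip.addr evaluates `==`, the pre-3.6 `!=` (kept in 3.6 as `~=` / any_ne) and the 3.6 `!=` (defined as `!(a == b)`), run over constructed src/dst pairs with the asker's original filter and the explicit ip.src/ip.dst rewrite. The packet endpoints and the function names are assumptions for illustration only.

```python
from ipaddress import ip_address, ip_network

# Constructed sample packets as (ip.src, ip.dst); not taken from the thread.
PACKETS = [
    ("10.1.2.3", "10.4.5.6"),       # internal <-> internal
    ("10.1.2.3", "93.184.216.34"),  # internal -> outside
    ("93.184.216.34", "10.1.2.3"),  # outside -> internal
    ("10.1.2.3", "224.0.0.251"),    # internal -> class D multicast
    ("172.16.0.1", "8.8.8.8"),      # neither endpoint in 10/8
]
INTERNAL = ip_network("10.0.0.0/8")
CLASS_D = ip_network("224.0.0.0/3")  # 224.0.0.0 through 255.255.255.255

def addr_values(pkt):
    """ip.addr is a multi-value field: one packet yields both src and dst."""
    return [ip_address(pkt[0]), ip_address(pkt[1])]

def any_eq(values, net):
    """'a == b' on a multi-value field: true if ANY value matches (unchanged)."""
    return any(v in net for v in values)

def any_ne(values, net):
    """Pre-3.6 'a != b', kept in 3.6 as 'a ~= b' / 'a any_ne b'."""
    return any(v not in net for v in values)

def all_ne(values, net):
    """3.6 'a != b', defined as '!(a == b)': true only if NO value matches."""
    return not any_eq(values, net)

def old_filter(pkt):
    """ip.addr != 10.0.0.0/8 && !(ip.addr == 224.0.0.0/3), pre-3.6 meaning."""
    v = addr_values(pkt)
    return any_ne(v, INTERNAL) and not any_eq(v, CLASS_D)

def new_filter(pkt):
    """The same filter text as Wireshark 3.6 reads it."""
    v = addr_values(pkt)
    return all_ne(v, INTERNAL) and not any_eq(v, CLASS_D)

def rewritten_filter(pkt):
    """ip && (!(ip.src == 10/8) || !(ip.dst == 10/8)) && !(ip.addr == 224/3)."""
    src, dst = addr_values(pkt)
    return (src not in INTERNAL or dst not in INTERNAL) and not any_eq([src, dst], CLASS_D)

def matches(filt):
    """Return the sample packets that a filter function keeps."""
    return [pkt for pkt in PACKETS if filt(pkt)]
```

Under 3.6 the original text keeps only the packet with neither endpoint in 10/8, which is why the internal-to-outside traffic disappeared; the src/dst rewrite and the pre-3.6 reading agree on every sample packet.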

Refer to the Wireshark 3.6.0 Released announcement for more information.

The expression “a != b” now always has the same meaning as “!(a == b)”. In particular this means filter expressions with multi-value fields like “ip.addr != 1.1.1.1” will work as expected (the result is the same as typing “ip.src != 1.1.1.1 and ip.dst != 1.1.1.1”). This avoids the contradiction (a == b and a != b) being true.

It is possible to use the syntax “a ~= b” or “a any_ne b” to recover the previous (inconsistent with "==") logic for not equal.

7ACE
answered 2022-03-08 01:21:39 +0000

Comments

Thank you. That's weird that they would change that since it's worked this way since Ethereal. I think of ~= as a regular expression. I'd love to see this reverted back to the way it was since we have trained our staff and created documentation using the old method (with it being an OR).

melds (2022-03-08 01:41:08 +0000)

This is where it's headed in the next major (either 3.8 or 4.0) release: 6.4.2. Comparing Values

Chuckc (2022-03-08 01:55:00 +0000)

Thanks. By the way, does xor work?

7ACE (2022-03-08 02:03:01 +0000)

I don't see "xor" in the syntax scanner: dfilter/scanner.l or dfilter/dfilter.c

Chuckc (2022-03-08 02:18:30 +0000)

Interesting. So in the future it would be !==, which feels better.

melds (2022-03-08 02:24:47 +0000)