!ip.addr vs ip.addr !=

Reviewing the following links:

They explain why

ip.addr != 10.43.54.65 is different from !ip.addr == 10.43.54.65

They say that

ip.addr != 10.43.54.65

is equivalent to

ip.src != 10.43.54.65 or ip.dst != 10.43.54.65

The problem is that doing test in latest wireshark version 4.0.0 this do not seem to be true. If you use the display filter

ip.addr != 192.168.1.72

image description

it does hide paquets with ip.src or ip.dst equals to 192.168.1.72, same happens with the filter

!ip.addr == 192.168.1.72

image description

But if you use the filter

ip.src != 192.168.1.72 or ip.addr != 192.168.1.72

I can se packets with ip.src or ip.dst equals to 192.168.1.72, it only filter packets with ip.src AND ip.dst equals to 192.168.1.72

image description

This is not the intended behaviour attending to wireshark wiki. What is wrong with this display filters?

Regards

dherrero

asked 2022-11-10 10:50:12 +0000

edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

Comments

yes, you are right! So in the wiki (https://wiki.wireshark.org/DisplayFil...) they should change the operator != for !== .

dherrero (2022-11-10 16:19:54 +0000) edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

!ip.addr vs ip.addr != edit

Comments

1 Answer

Comments