I want to see results where neither the destination nor the source is the specified address; here is my filter. ip.src != 192.168.1.119 && ip.dst != 192.168.1.119 To my surprise, it returns some results with that IP, such as this one: 157 238.065591 192.168.1.1 192.168.1.119 ICMP Destination unreachable (Port unreachable) The destination on this result is clearly one the filter should have blocked. What's up? asked 23 Nov '10, 16:50 ActualRandy
2 Answers:
Use Laura answered 23 Nov '10, 17:06 lchappell ♦
The problem with a logical filter like The meaning of In your case, the ICMP message contains two IP layers. Whenever a system sends out an ICMP port unreachable message, it includes the IP header of the original packet that could not be delivered. That packet most probably had the ip.src and ip.dst reversed from the ip.src and ip.dst of the ICMP message. So there now is a field ip.src that does not match 192.168.1.119 and also a field ip.dst that does not match 192.168.1.119. When you use As Laura said, be careful with these filters; when a filter turns yellow, Wireshark tells you to pay attention. And the Wiki and the User's Guide are always great places to explore. answered 23 Nov '10, 23:49 SYN-bit ♦♦
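An added example (not from this thread or from Wireshark itself) that models the comparison semantics SYN-bit describes: when a frame carries a field twice, `field != value` is true if any occurrence differs, so the asker's filter still matches frame 157, while the negated form `!(ip.addr == value)` from the User's Guide only matches when no occurrence equals the address. The frame contents and function names are constructed for the illustration.

```python
# Model of how the Wireshark release discussed in this thread evaluates
# display-filter comparisons against a frame that carries a field more than
# once. All names and sample frames here are constructed for illustration.

ADDR = "192.168.1.119"

# Constructed sample: frame 157 from the question. The outer IP header runs
# 192.168.1.1 -> 192.168.1.119; the ICMP "port unreachable" payload quotes the
# original IP header, which ran the other way. Wireshark dissects both, so
# ip.src and ip.dst each occur twice in the same frame.
FRAME_157 = {
    "ip.src": ["192.168.1.1", "192.168.1.119"],
    "ip.dst": ["192.168.1.119", "192.168.1.1"],
}
# Constructed sample: a frame that does not involve the address at all.
FRAME_OTHER = {
    "ip.src": ["10.0.0.5"],
    "ip.dst": ["10.0.0.9"],
}


def field_eq(pkt, name, value):
    """`name == value`: true if ANY occurrence of the field equals value."""
    return any(v == value for v in pkt.get(name, []))


def field_ne(pkt, name, value):
    """`name != value`: true if ANY occurrence of the field differs from value.
    With two ip.src fields in one frame, one of them always differs."""
    return any(v != value for v in pkt.get(name, []))


def addr_eq(pkt, value):
    """`ip.addr == value`: ip.addr matches either ip.src or ip.dst."""
    return field_eq(pkt, "ip.src", value) or field_eq(pkt, "ip.dst", value)


def askers_filter(pkt):
    """ip.src != 192.168.1.119 && ip.dst != 192.168.1.119"""
    return field_ne(pkt, "ip.src", ADDR) and field_ne(pkt, "ip.dst", ADDR)


def negated_filter(pkt):
    """!(ip.addr == 192.168.1.119): true only if NO occurrence equals ADDR."""
    return not addr_eq(pkt, ADDR)
```

Later Wireshark releases changed what `!=` means for multi-occurrence fields; this model reproduces the behaviour the thread is about, where only the negated equality reliably excludes the address.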
Hi Laura -
You are correct, your filter does work, and I still don't understand why my filter doesn't work - I suspect it is a bug. But, of course, that wouldn't be your responsibility!
Filtering OUT based on IP address plagues everyone (see section 6.4.4 of the Wireshark User Manual). The developers even put in a sample display filter on that one with a note not to use != and made the yellow background. They tried to do everything short of flying/driving to your office/home, walking up to your desk and slapping you on the wrist. Grin.