This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filter expression (eth.ig == 0) appears to always be true

0

Trying to get better at filtering in Wireshark and understand the subtleties. Looking at ways to filter based on Ethernet address (MAC). First thing is separating bcast/mcast from normal addresses.

I used the IG bit line under Destination under Ethernet and did Apply As Filter -> Selected. This produces eth.ig == 1 (which appears to work). Choosing Not Selected produces !(eth.ig == 1), which also works.

My first thought (before playing with Not Selected, etc.) was to use eth.ig == 0 to screen out bcast/mcast. It appears to always evaluate to true.

Why is !(eth.ig == 1) not equivalent to eth.ig == 0?

Thanks.

asked 02 Apr '14, 12:20

artswri
accept rate: 0%


One Answer:

3

That's probably because you always have two Ethernet addresses in a frame, one for the source, one for the destination.

"!(eth.ig == 1)" says "neither of the two MACs may have a 1", which means both must be zero.

"eth.ig == 0" says "one of the MACs must have a 0", which is only false when both have a one.

answered 02 Apr '14, 12:25

Jasper ♦♦
accept rate: 18%

edited 02 Apr '14, 12:26

Thanks, it's now obvious to me what's going on! So what I really wanted was eth.dst.ig == 0 (which is not a legal expression AFAICT - the Wireshark I'm using does not like it). But I can live with the alternative ways to express...

(02 Apr '14, 12:31) artswri

Yes, it looks like Wireshark does not allow you to specify the MAC for which you want the value to be checked. You could enter an enhancement request at http://bugs.wireshark.org if you like :-)

(02 Apr '14, 12:36) Jasper ♦♦
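The evaluation rule described in the answer, modelled as an added example that is not part of the original thread and is not Wireshark code: a comparison on a field that occurs twice in a frame is true if any occurrence matches, and negating it requires that none match. The frame headers, helper names and the destination-only check (`dst_ig_eq`) are constructed for illustration.

```python
# Model of "any occurrence matches" filter semantics for eth.ig, which
# occurs twice per frame (destination MAC and source MAC).

def ig_bits(frame: bytes) -> list:
    """Return [dst IG bit, src IG bit] from a raw Ethernet header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    # The IG bit is the least significant bit of the first address octet.
    return [dst[0] & 1, src[0] & 1]

def ig_eq(frame: bytes, value: int) -> bool:
    """eth.ig == value: true if ANY occurrence equals value."""
    return any(bit == value for bit in ig_bits(frame))

def not_ig_eq(frame: bytes, value: int) -> bool:
    """!(eth.ig == value): true only if NO occurrence equals value."""
    return not ig_eq(frame, value)

def dst_ig_eq(frame: bytes, value: int) -> bool:
    """Hypothetical destination-only test (what the asker wanted)."""
    return ig_bits(frame)[0] == value

def header(dst: str, src: str, ethertype: str = "0800") -> bytes:
    """Build a 14-byte Ethernet header from colon-separated MAC strings."""
    return bytes.fromhex(dst.replace(":", "") + src.replace(":", "") + ethertype)

# Constructed sample headers; the last two carry an abnormal group-bit
# source address so the full truth table is covered.
FRAMES = {
    "unicast":        header("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"),
    "broadcast":      header("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:ee"),
    "multicast":      header("01:00:5e:00:00:fb", "00:aa:bb:cc:dd:ee"),
    "both_group":     header("01:00:5e:00:00:fb", "03:aa:bb:cc:dd:ee"),
    "group_src_only": header("00:11:22:33:44:55", "03:aa:bb:cc:dd:ee"),
}

def matches(pred, value: int) -> list:
    """Names of the sample frames that the modelled filter would display."""
    return sorted(name for name, f in FRAMES.items() if pred(f, value))

if __name__ == "__main__":
    print("eth.ig == 0      ", matches(ig_eq, 0))
    print("eth.ig == 1      ", matches(ig_eq, 1))
    print("!(eth.ig == 1)   ", matches(not_ig_eq, 1))
    print("dst-only IG == 0 ", matches(dst_ig_eq, 0))
```

Because source addresses normally have the IG bit clear, the modelled `eth.ig == 0` matches every ordinary frame, which is why it appeared always true; `!(eth.ig == 1)` and a destination-only test differ only on frames whose source address has the group bit set.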