210-255 · Question #195
Which command filters a port?
The correct answer is D. !tcp.port==25. In Wireshark display filters, !tcp.port==25 is the correct way to fully exclude all packets involving port 25, because the ! negation operator works correctly on multi-occurrence fields.
Question
Which command filters a port?
Options
- Atcp.port equals 25
- Btcp.port is 25
- Ctcp.port != 25
- D!tcp.port==25
How the community answered
(62 responses)- A2% (1)
- B6% (4)
- C3% (2)
- D89% (55)
Why each option
In Wireshark display filters, `!tcp.port==25` is the correct way to fully exclude all packets involving port 25, because the `!` negation operator works correctly on multi-occurrence fields.
`tcp.port equals 25` is valid Wireshark syntax but it displays (includes) port 25 traffic rather than filtering it out.
`tcp.port is 25` uses the keyword `is`, which is not valid Wireshark display filter syntax - the correct operators are `==` or `equals`.
`tcp.port != 25` can behave unexpectedly on multi-occurrence fields - a packet with source port 25 and destination port 80 would still match because the destination port occurrence satisfies `!= 25`, potentially showing packets that should be excluded.
The expression `!tcp.port==25` applies logical NOT to the entire match, excluding any packet where any occurrence of the tcp.port field equals 25. This is important because `tcp.port` is a multi-occurrence field (covering both source and destination); using `!` negation ensures true exclusion of port 25 traffic. Wireshark's documentation specifically warns that `!=` on multi-occurrence fields can yield unexpected results, making `!field==value` the preferred form.
Concept tested: Wireshark display filter negation on multi-occurrence fields
Source: https://wiki.wireshark.org/DisplayFilters
Topics
Community Discussion
No community discussion yet for this question.