
I use the filter ip.addr != 10.0.0.0/8 && !(ip.addr == 224.0.0.0/3) to identify any traffic between our network and the outside (and also exclude class-D address space). This filter no longer works.

It does work if I write it as ip && (!(ip.src == 10.0.0.0/8) || !(ip.dst == 10.0.0.0/8)) && !(ip.addr == 224.0.0.0/3) but I need to add ip and explicitly consider both the source and destination.

melds

1 Answer


ip.addr is a multi-value field and is equivalent to ip.src || ip.dst

Prior to version 3.6, ip.addr != 10.0.0.0/8 would be interpreted as (ip.src != 10.0.0.0/8 || ip.dst != 10.0.0.0/8).

Version 3.6 renamed the != to ~= and changed the meaning of != to now mean !(field == value). This means that ip.addr != 10.0.0.0/8 now becomes !(ip.addr == 10.0.0.0/8).

This change effectively changes the logic from an OR to AND: !(ip.src == 10.0.0.0/8) && !(ip.dst == 10.0.0.0/8) [boolean logic: !(A+B) = !A*!B ]

Use ~= instead of != for version 3.6 or newer.

Effective for version 4.0.0:

The operator "~=" is deprecated and will be removed in a future version. Use "!==", which has the same meaning instead.

So, use:

  • != (up to version 3.6)
  • ~= (version 3.6 up to version 4.0)
  • !== (version 4.0 or higher)
melds