I have a large capture with thousands of PINGS. I know at one time i saw Request timed out on the node i was monitoring, indicating it never received a reply for those PINGS. Can i use a Wireshark filter to find the Requests that never received a Reply? asked 11 Dec '12, 13:20  philliplew |
One Answer:
You can try using "not icmp.resp_in and icmp.type==8" which will give you all icmp requests where wireshark doesn't have the according response inside the capture file answered 11 Dec '12, 13:26  Landi |
This worked great thank you. My only issue was i was Port Mirroring on my Switch 2 ports (source server and gateway) so i had two instances of each packet, 1 from each Switch port.
This meant Wireshark found 1 instance of every packet without a matching reply.
Luckily there were few enough packets after applying the above filter that i could manually go down the list and find the occurrences where there were 2.
Thanks again.
(based on sequence number BE)
You could use editcap -d to remove duplicate packets before analyzing them. editcap is a command line tool that can be found in the wireshark installation directory.
Thank you very much¡ I was searching in a 201998 packets file and found out 313 w/o answer¡ All of this in 5 minutes thank you¡¡