Ask Your Question
0

Filters and ICMP

asked 2023-05-26 13:16:06 +0000

Max Helbig gravatar image

Hello,

let's say i captured two packets

  • From 192.168.1.50 to 192.168.1.1 (empty udp from nmap)
  • From 192.168.1.1 to 192.168.1.50 (ICMP - Port unreachable)

I use the filter: ip.src == 192.168.1.50

Both packets are still visible

I know that my first IP-Packet is send back inside the ICMP Reply, and it looks like wireshark also reads the header from the packet inside the ICMP.

can i somehow define a filter or set an option anyware so that the filter only reads the address from the not nested ip Packet?

Using the Filter ip.scr == 192.168.1.50 && !icmp works in this case but is not a nice solution

Thanks in advance

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2023-05-26 15:18:00 +0000

cmaynard gravatar image

If your version of Wireshark is version 4.0.0 or newer, then you can use the layer operator to restrict filtering to match only the first layer, like so:

ip.src#1 eq 192.168.1.50

The layer operator is described in the wireshark-filter man page.

edit flag offensive delete link more

Comments

works perfectly

Max Helbig gravatar imageMax Helbig ( 2023-05-30 05:18:48 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2023-05-26 13:16:06 +0000

Seen: 3,673 times

Last updated: May 26 '23

Related questions

Why redirection of VoIP calls to voicemail fails?

ICMPv6 checksum error for EUI-64 addresses

Port Unreachable

ICMP redirects with bad chksum

display ARP and ICMP only

how do i elicit an ICMP echo reply

ARP Delay when pinging a local machine

Why do captured icmp packets show less bytes of data than ping sends

When I look at a time-to-live exceeded ICMP message (type 11), it contains extra data. what is that data and why does it contain it?

icmp fragmentation