Filters and ICMP

asked 2023-05-26 13:16:06 +0000

Hello,

let's say i captured two packets

From 192.168.1.50 to 192.168.1.1 (empty udp from nmap)
From 192.168.1.1 to 192.168.1.50 (ICMP - Port unreachable)

I use the filter: ip.src == 192.168.1.50

Both packets are still visible

I know that my first IP-Packet is send back inside the ICMP Reply, and it looks like wireshark also reads the header from the packet inside the ICMP.

can i somehow define a filter or set an option anyware so that the filter only reads the address from the not nested ip Packet?

Using the Filter ip.scr == 192.168.1.50 && !icmp works in this case but is not a nice solution

Thanks in advance

edit retag flag offensive close merge delete

add a comment

1 Answer

Sort by » oldest newest most voted

answered 2023-05-26 15:18:00 +0000

cmaynard

11115 ●11 ●317 ●165 https://www.igt.com/

If your version of Wireshark is version 4.0.0 or newer, then you can use the layer operator to restrict filtering to match only the first layer, like so:

ip.src#1 eq 192.168.1.50

The layer operator is described in the wireshark-filter man page.

edit flag offensive delete link

Comments

works perfectly

Max Helbig ( 2023-05-30 05:18:48 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2023-05-26 13:16:06 +0000

Seen: 781 times

Last updated: May 26 '23

Filters and ICMP edit