This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to create ICMP filters with both type and code?

0

ICMP filter filtering only Destination Unreachable (type) - icmp[0] == 3.

ICMP filter filtering Destination Unreachable (type), Destination host unreachable (code) - icmp[0:2] == ?

Regards, Dinged

asked 27 Mar '13, 06:14


Dinged


2 Answers:

4

The capture filter you are probably thinking of is:

icmp[0:2]==0x0301

But to be more descriptive, you could use something like this instead:

icmp[icmptype]==icmp-unreach and icmp[icmpcode]==1

Note that the compiled BPF code isn't exactly the same though. It seems that the first format is slightly more efficient, taking 2 fewer instructions.

Compare icmp[0:2]==0x0301:

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 10
(002) ldb      [23]
(003) jeq      #0x1             jt 4    jf 10
(004) ldh      [20]
(005) jset     #0x1fff          jt 10   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldh      [x + 14]
(008) jeq      #0x301           jt 9    jf 10
(009) ret      #65535
(010) ret      #0

to icmp[icmptype]==icmp-unreach and icmp[icmpcode]==1:

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 12
(002) ldb      [23]
(003) jeq      #0x1             jt 4    jf 12
(004) ldh      [20]
(005) jset     #0x1fff          jt 12   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 14]
(008) jeq      #0x3             jt 9    jf 12
(009) ldb      [x + 15]
(010) jeq      #0x1             jt 11   jf 12
(011) ret      #65535
(012) ret      #0

Refer to the pcap-filter man page for more information.

(If instead you're looking for a Wireshark display filter, then refer to pfuender's answer.)

answered 27 Mar '13, 09:35


cmaynard ♦♦

edited 27 Mar '13, 20:56

Great detailed answer. I am wondering how the hex value 0x0301 comes about? 03 = type 3, 01 = code 1?

(27 Mar '13, 20:15) Dinged
1

The 1st byte of an ICMP packet is the type, and type 3 is the "Destination Unreachable" message. The 2nd byte of the ICMP packet is the code, and code 1 of a "Destination Unreachable" message is "host unreachable". For more details refer to RFC 792 or to your favorite on-line help for ICMP, such as Inacon's help for the ICMP code field or even wikipedia's article on ICMP.

(27 Mar '13, 21:02) cmaynard ♦♦

Oh, only after reading Inacon's guide did I know that the type and code values are actually hex values. Thanks for the link to this great resource.

(28 Mar '13, 07:33) Dinged
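To make the two BPF listings in cmaynard's answer concrete, here is an added example (not part of the original thread or of libpcap) in Python: a small interpreter for the classic-BPF subset those two programs use, run over an Ethernet/IPv4/ICMP frame constructed in the script. It shows why both filters accept a type 3 / code 1 packet, why the short form executes two fewer instructions on the accept path, and what the ldxb/jset instructions are doing (IP options and fragments). The programs are transcribed from the answer's tcpdump -d output; jt/jf are treated as the absolute instruction numbers tcpdump prints. The MAC and IP addresses in the frame are made up.

```python
import struct

# Transcribed from the tcpdump -d listings in the answer above:
# (opcode, addressing mode, k, jt, jf). jt/jf are absolute instruction numbers.
def _i(op, mode, k, jt=0, jf=0):
    return (op, mode, k, jt, jf)

# icmp[0:2]==0x0301
PROG_SHORT = [
    _i("ldh", "abs", 12),              # EtherType
    _i("jeq", "imm", 0x800, 2, 10),    # IPv4?
    _i("ldb", "abs", 23),              # IP protocol number
    _i("jeq", "imm", 0x1, 4, 10),      # ICMP?
    _i("ldh", "abs", 20),              # IP flags + fragment offset
    _i("jset", "imm", 0x1fff, 10, 6),  # non-first fragment -> no ICMP header, reject
    _i("ldxb", "msh", 14),             # X = 4 * IHL = IPv4 header length in bytes
    _i("ldh", "ind", 14),              # 16-bit word at ICMP offset 0: type,code
    _i("jeq", "imm", 0x301, 9, 10),
    _i("ret", "imm", 65535),
    _i("ret", "imm", 0),
]

# icmp[icmptype]==icmp-unreach and icmp[icmpcode]==1
PROG_LONG = [
    _i("ldh", "abs", 12),
    _i("jeq", "imm", 0x800, 2, 12),
    _i("ldb", "abs", 23),
    _i("jeq", "imm", 0x1, 4, 12),
    _i("ldh", "abs", 20),
    _i("jset", "imm", 0x1fff, 12, 6),
    _i("ldxb", "msh", 14),
    _i("ldb", "ind", 14),              # ICMP type byte
    _i("jeq", "imm", 0x3, 9, 12),
    _i("ldb", "ind", 15),              # ICMP code byte
    _i("jeq", "imm", 0x1, 11, 12),
    _i("ret", "imm", 65535),
    _i("ret", "imm", 0),
]


def run_bpf(prog, pkt):
    """Execute a classic-BPF program over pkt.
    Returns (accepted, instructions_executed). A load past the end of the
    packet rejects it, as the real interpreter does."""
    a = x = pc = 0
    steps = 0
    while True:
        op, mode, k, jt, jf = prog[pc]
        steps += 1
        off = k + (x if mode == "ind" else 0)
        if op == "ldh":                        # load 16-bit big-endian word into A
            if off + 2 > len(pkt):
                return False, steps
            a = struct.unpack_from("!H", pkt, off)[0]
            pc += 1
        elif op == "ldb":                      # load byte into A
            if off + 1 > len(pkt):
                return False, steps
            a = pkt[off]
            pc += 1
        elif op == "ldxb":                     # ldxb 4*([k]&0xf)
            if k + 1 > len(pkt):
                return False, steps
            x = 4 * (pkt[k] & 0xF)
            pc += 1
        elif op == "jeq":
            pc = jt if a == k else jf
        elif op == "jset":
            pc = jt if (a & k) else jf
        elif op == "ret":
            return k != 0, steps
        else:
            raise ValueError("unsupported opcode %s" % op)


def build_frame(icmp_type, icmp_code, ihl=5, frag=0, proto=1, ethertype=0x0800):
    """Construct (not captured) an Ethernet/IPv4/ICMP frame. ihl > 5 appends IP
    options, which is what ldxb accounts for; frag is the raw flags/offset field."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ethertype)
    options = b"\x00" * (4 * (ihl - 5))
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)   # checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(icmp),
                     0x1234, frag, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options
    return eth + ip + icmp


def type_code_word(icmp_type, icmp_code):
    """icmp[0:2] reads type and code together as one big-endian 16-bit value,
    which is why type 3 / code 1 becomes 0x0301."""
    return (icmp_type << 8) | icmp_code


if __name__ == "__main__":
    cases = [
        ("type 3 / code 1", build_frame(3, 1)),
        ("type 3 / code 0", build_frame(3, 0)),
        ("type 3 / code 1 with IP options", build_frame(3, 1, ihl=6)),
        ("type 3 / code 1, non-first fragment", build_frame(3, 1, frag=0x0001)),
        ("type 3 / code 1, first fragment (MF set)", build_frame(3, 1, frag=0x2000)),
        ("TCP, not ICMP", build_frame(3, 1, proto=6)),
    ]
    for label, pkt in cases:
        print("%-42s short=%s long=%s" % (label, run_bpf(PROG_SHORT, pkt), run_bpf(PROG_LONG, pkt)))
```

Both programs reject anything that is not a first-fragment IPv4 ICMP packet before they ever look at the ICMP header; the only real difference is one 16-bit compare versus two 8-bit compares, which is where the two extra instructions come from.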

3

You can combine several filters using '&&', so you can use the two filters as you've requested. Here's an example to only show ICMP 'Host Unreachable' messages:

(icmp.type==3) && (icmp.code==1)

answered 27 Mar '13, 07:12


pfuender

Sorry for not being clear in the question, I am looking for a capture filter. But nevertheless, good to know. :D

(27 Mar '13, 20:15) Dinged