This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Some questions about ICMP dissection

0

Version 2.2.5 (v2.2.5-0-g440fd4d)
icmp.ident Identifier (BE) Unsigned integer, 2 bytes 1.0.0 to 2.2.5
icmp.seq Sequence number (BE) Unsigned integer, 2 bytes 1.0.0 to 2.2.5
icmp.seq_le Sequence number (LE) Unsigned integer, 2 bytes 1.4.0 to 2.2.5

  1. When added as a column: icmp.seq and icmp.seq_le display two bytes and only one copy (be/le) which is properly formatted. icmp.ident displays both be and le in the same column
  2. None of them seem to sort properly when column header clicked in 2.2.5
  3. Is the ICMP dissector in a dll/binary or is there an ASCII file with its config?

asked 12 Apr '17, 13:11

bubbasnmp's gravatar image

bubbasnmp
6112
accept rate: 0%

edited 15 Apr '17, 15:24

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

This isn't really an answer but a related question.

(12 Apr '17, 13:12) bubbasnmp

And, therefore, it was converted into a question. This is a Q&A site, so each question should be a separate item; questions, whether related or not, should be asked separately.

(15 Apr '17, 15:25) Guy Harris ♦♦

One Answer:

0

This is the source code for the ICMP dissector. When compiled, it is part of libwireshark.dll.

Regarding the ICMP sequence number fields, since some OS's use use big-endian and others use little-endian for the ICMP multi-byte fields, two different filters exist, icmp.seq in case it's big-endian and icmp.seq_le in case it's little-endian. There is no reliable way to know which format the field is in, so both filters are available, and it's left up to the user to determine which one is correct. Both fields are declared as BASE_DEC_HEX, so they're displayed in both decimal and hexadecimal formats. I'm honestly not entirely sure how useful it is to display these fields in hexadecimal, but that's the way the dissector is currently written.

The situation is similar for icmp.ident; however, there appears to be a bug in the source code because both hf_icmp_ident and hf_icmp_ident_le use the same icmp.ident filter. This is the reason why the icmp.ident column displays both of them in the same column. I would suggest opening a Wireshark bug to report this inconsistency and ask for hf_icmp_ident_le to use a separate icmp.ident_le filter, just like icmp.seq_le is used for hf_icmp_seq_num_le.

answered 15 Apr '17, 17:45

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%