This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

the filter ip.addr is not the sum of the two filters ip.src ip.dst

0

Well, I was trying to compare some capture and I did find a strange, to me, condition. If I sum the number of packets of the filter ip.src and the number of packets of the filter ip.dst I'm not getting the same packet number of the filter ip.addr. After a deep analysis I've found that the filter ip.src is including the icmp unreachable directed to the source (and not from!!) because in their payload the orginal source is really the ip.src. So far, I can't compare efficiently upstream and downstream packet number, because they're overlapping...any idea?

asked 07 Feb '12, 00:13

stefanor's gravatar image

stefanor
1111
accept rate: 0%


One Answer:

0

There you found a common problem, because even in statistics, that gets interesting when there are more packets in the different conversations compared to total packets in the trace file ;)

As a workaround I'd always specifically filter out certain ICMP types, because the ICMP "quotes" have that issue or go for filtering ip.src and MAC src/dst address in parallel, making sure you're only looking at packets from or to a certain workstation.

answered 07 Feb '12, 00:36

Landi's gravatar image

Landi
2.3k51442
accept rate: 28%

edited 07 Feb '12, 00:36

thanks Landi, I'm already filtering out all the ICMP for this reason... Maybe I'm too easy, but I'm not seeing the right behavior implementation as a hard task..

(08 Feb '12, 13:35) stefanor