Wireshark-users: Re: [Wireshark-users] filter for snmp doesn't work (also shows ICMP???)

Date: Wed, 05 Mar 2008 15:29:51 -0600
Jim,

Thanks very much for your explanation. Precisely, it's a port unreachable message.

I'll look further into it.

Regards,

Leo

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jim Young
Sent: Wednesday, March 05, 2008 11:39 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] filter for snmp doesn't work (also shows ICMP???)

Hello Leo,

>>> <leonardo.lagos@xxxxxxxxxxxxxxxxxxxxxxx> 03/05/08 12:07 PM >>>
> Hi,
> 
> I have a capture file where I have added the following filter:
> 
> ip.proto==0x11 and udp.port==162
> 
> This filter works, and shows my SNMP traps, but also shows an ICMP
> packet. However, ip.proto for ICMP is 0x01, not 0x11....

What kind of ICMP packet is it? Is it an ICMP error packet of some sort?

I'm guessing that the Info column displays something like the 

  "Destination unreachable (Port unreachable)" 

or some other type of ICMP error message.  

If that's the case, if you drill into the ICMP packet you will find the first
part of an SNMP packet. Wireshark's display filter captured this packet
because the ICMP dissector knows enough to hand off the payload of
these error packets for further dissection! ;-)

If you really do NOT want to see these ICMP packets then you could 
append a "and !snmp" to your filter.

But I wouldn't necessarily do that...

Interestingly it is the PRESENCE of these unexpected ICMP packets
that often directs one to the underlying problem! (I'm assuming that
you are sniffing these packets to diagnose some problem).

This type of ICMP error message is often generated by a router (or host)
because of ACL restrictions or perhaps the service that the packet
was trying to reach is not in fact up (Port unreachable). Pay particular
attention to the IP address that generated the ICMP packet.

I hope this helps,

Jim Young
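As an added illustration (not from this thread and not Wireshark's own code) of why the filter in the question matches the ICMP frame: a small Python model of the dissection. A Destination Unreachable quotes the offending datagram's IP header plus the first 8 bytes of UDP, so a dissector that descends into it exposes the inner `ip.proto` and `udp.port` on the same frame, and a filter comparison is true if any occurrence of the field matches. Frames, addresses and ports are constructed samples; `error_origin` picks out the two things Jim says to look at, the address that generated the error and the destination/port that was rejected.

```python
import struct
import ipaddress

def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header for a constructed sample (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def build_udp(src, dst, sport, dport, body):
    """IPv4 + UDP datagram, e.g. an SNMP trap to port 162 (UDP checksum left at 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body
    return ipv4_header(src, dst, 17, len(udp)) + udp

def build_port_unreachable(reporter, orig_src, orig_dst, sport, dport):
    """ICMP type 3 code 3 sent by `reporter`, quoting the original IP header + 8 bytes of UDP."""
    quoted = build_udp(orig_src, orig_dst, sport, dport, b"")[:28]
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return ipv4_header(reporter, orig_src, 1, len(icmp)) + icmp

def dissect(frame):
    """Fields a Wireshark-style dissection exposes. As with Wireshark's ICMP dissector, the
    datagram quoted inside a Destination Unreachable is dissected too and its fields join the frame's."""
    ihl = (frame[0] & 0x0F) * 4
    fields = {"ip.src": str(ipaddress.IPv4Address(frame[12:16])),
              "ip.dst": str(ipaddress.IPv4Address(frame[16:20])),
              "ip.proto": [frame[9]], "udp.port": [], "icmp": None, "quoted": None}
    payload = frame[ihl:]
    if frame[9] == 17:
        fields["udp.port"] += list(struct.unpack("!HH", payload[:4]))
    elif frame[9] == 1:
        fields["icmp"] = (payload[0], payload[1])       # (type, code)
        if payload[0] == 3:                              # Destination unreachable
            inner = dissect(payload[8:])                 # original datagram follows 8 ICMP bytes
            fields["quoted"] = inner
            fields["ip.proto"] += inner["ip.proto"]
            fields["udp.port"] += inner["udp.port"]
    return fields

def matches_snmp_trap_filter(fields):
    """Emulates `ip.proto==0x11 and udp.port==162`: true if ANY occurrence of each field matches."""
    return 0x11 in fields["ip.proto"] and 162 in fields["udp.port"]

def error_origin(fields):
    """For a port unreachable: (host that generated the error, rejected destination, rejected port)."""
    if fields["icmp"] != (3, 3) or fields["quoted"] is None:
        return None
    return fields["ip.src"], fields["quoted"]["ip.dst"], fields["quoted"]["udp.port"][1]
```

Appending `and !snmp` to the filter, as the reply suggests, would hide the ICMP frame because the quoted UDP payload is dissected as SNMP too; keeping it visible is what points at the host in `error_origin`.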

