Ethereal-users: [Ethereal-users] Re: ICMP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Tue, 22 Mar 2005 06:04:34 -0400
Your filter was "show me all packets containing the UDP protocol".

Did the ICMP packet contain a header for the UDP protocol or not?


On Mon, 21 Mar 2005 20:25:22 -0800, Bob Snyder <bob.snyder@xxxxxxx> wrote:
> I disagree with the notion that when filtering for UDP, if it didn't 
> display ICMP packets that come back, Ethereal would be broken. The 
> headers inside the ICMP message are effectively its payload - it's 
> still an ICMP packet, not UDP (or whatever). The frame does not contain 
> UDP datagrams (or whatever other protocol caused the ICMP message). And 
> it's presumptuous of the program (dare I say the devs?) to presume that 
> you must surely want to see the ICMP messages when what your display 
> filter asks for is only the original message packets.
> 
> The argument that you can use "udp and not icmp" to only see the 
> original UDP seems backwards to me. You should be able to use "udp" to 
> see only the UDP, and "udp and icmp" when you want to see both. Surely 
> that is more intuitive.
> 
> That said, I think using the UDP (or whatever) dissector to decode the 
> header data included in the ICMP messages is brilliant :-)
> 
> Bob S.
> 
> 
> ronnie sahlberg wrote:
> 
> >That is what is supposed to happen.
> >
> >Rationale:
> >You asked for all packets containing the UDP protocol and you got them.
> >
> >An analyzer that filtered for UDP and did not show these packets
> >to you would be broken. Ethereal is not broken in this regard.
> >
> >
> >
> >
> >On Sun, 20 Mar 2005 12:14:27 -0800, Bob Snyder <bob.snyder@xxxxxxx> wrote:
> >  
> >
> >>Why are ICMP packets displayed when a display filter is used that should 
> >>exclude them?
> >>
> >>For example, when running a traceroute, and with a display filter of 
> >>"udp", in addition to the outbound UDP datagrams, the ICMP messages 
> >>returned from each router are displayed as well. I know that the ICMP 
> >>datagrams include the headers of the datagrams that are being reported 
> >>on, but apparently their presence allows them to pass through the 
> >>display filter. Is this behavior intentional? If so, what is the rationale?
> >>
> >>Bob Snyder
> >>    
> >>
> 
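
An added example, not part of the original thread and not Ethereal's code: a minimal Python model of the behaviour discussed above, in which a dissector follows the IP and UDP headers quoted inside an ICMP error, so a filter of "udp" matches the ICMP reply while "udp and not icmp" does not. The packets, addresses, ports and the helper names `ipv4`, `layers` and `display_filter` are constructed for illustration.

```python
import struct

ICMP_ERRORS = {3, 4, 5, 11, 12}  # ICMP types whose payload quotes the offending datagram

def ipv4(proto, src, dst, payload, ttl=64):
    """Build a minimal IPv4 header (checksum left at 0) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, bytes(src), bytes(dst))
    return hdr + payload

def layers(pkt):
    """Protocol names found in pkt, following quoted headers in ICMP errors."""
    found = ["ip"]
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == 17 and len(body) >= 8:
        found.append("udp")
    elif proto == 1 and len(body) >= 8:
        found.append("icmp")
        # Error messages carry the original IP header plus at least the
        # first 8 bytes of its payload, which is the whole UDP header.
        if body[0] in ICMP_ERRORS and len(body) >= 8 + 20:
            found += layers(body[8:])
    return found

# Constructed sample traffic: one traceroute probe and the router's reply.
HOST, ROUTER, TARGET = (192, 0, 2, 10), (192, 0, 2, 1), (198, 51, 100, 7)
udp_hdr = struct.pack("!HHHH", 40000, 33434, 8, 0)
probe = ipv4(17, HOST, TARGET, udp_hdr, ttl=1)
time_exceeded = ipv4(1, ROUTER, HOST, struct.pack("!BBHI", 11, 0, 0, 0) + probe)
CAPTURE = [probe, time_exceeded]

def display_filter(capture, want, exclude=()):
    """Indices of packets containing every protocol in want and none in exclude."""
    hits = []
    for i, pkt in enumerate(capture):
        seen = set(layers(pkt))
        if set(want) <= seen and not seen & set(exclude):
            hits.append(i)
    return hits

if __name__ == "__main__":
    print(display_filter(CAPTURE, ["udp"]))            # filter: udp
    print(display_filter(CAPTURE, ["udp"], ["icmp"]))  # filter: udp and not icmp
```
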