Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Ethereal-users: Re: [Ethereal-users] Re: ICMP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Andrew Hood <ajhood@xxxxxxxxx>
Date: Wed, 23 Mar 2005 08:04:01 +1100
Olaf van der Spek wrote:
On Mon, 21 Mar 2005 20:25:22 -0800, Bob Snyder <bob.snyder@xxxxxxx> wrote:

I disagree with the notion that when filtering for UDP, if it didn't
display ICMP packets that come back, Ethereal would be broken. The
headers inside the ICMP message are effectively it's payload - it's
still an ICMP packet, not UDP (or whatever). The frame does not contain
UDP datagrams (or whatever other protocol caused the ICMP message). And


But why would the filter (only) apply to the frame layer and not to
another layer?
Sure, UDP on top of IP is the most common variant, but why should it
be the only variant the filter matches?


it's presumptuous of the program (dare I say the devs?) to presume that
you must surely want to see the ICMP messages when what your display
filter asks for is only the original message packets.


You didn't ask for 'udp directly on top of ip', but just for udp.

Is there a way of saying that a filter is only to match on headers and not payload, and vice versa?

--
There's no point in being grown up if you can't be childish sometimes.
                -- Dr. Who