
Wireshark-users: [Wireshark-users] Problem with tshark -e and ICMP unreachable packets

From: Armen Babikyan <armenb@xxxxxxxxxx>
Date: Thu, 21 Aug 2008 18:02:47 -0400
Hello,

I'm having a problem with using "-e" flag with tshark. While "tshark -e ip.src" works as expected most of the time, it behaves unexpectedly when dealing with ICMP Destination or Host Unreachable packets.

ICMP Destination and Host Unreachable packets are unusual in that they contain the IP header of the packet that caused the error. Wireshark seems to name both IP src address fields from the error packet as well as the nested packet that caused the error the same: ip.src. This makes Wireshark's filter engine include packets if they match *either* of the ip.src fields, which can be a little confusing, but the problem can be worked around for my purposes.

The real problem I'm having is that tshark -e seems to use a nested packet's ip.src field as the data it returns, which is unexpected; I really want the src address of the router that generated the ICMP Host Unreachable message, not the src address of the machine that sent the packet that caused the error.

Is there a more explicit way (than the string "ip.src") to specify to the Wireshark packet dissection engine that I really want the top level ip.src value? Furthermore, is there an explicit way to specify that I want the nested ip.src value?

These problems carry over to other IP headers, not just the src address field.

Any and all information is appreciated. Thanks!

Armen

--
Armen Babikyan
MIT Lincoln Laboratory
armenb@xxxxxxxxxx . 781-981-1796
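To show why a single `ip.src` name is ambiguous for these packets, here is an added example (not part of the original post and not Wireshark's own code): a small Python parser over a constructed ICMP Destination Unreachable packet that separates the top-level IP source (the router) from the quoted inner IP source (the original sender). All addresses, ports and the UDP payload are made up, and IP/ICMP checksums are left at zero because the parser does not verify them.

```python
import ipaddress
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, network byte order


def parse_ipv4_header(buf: bytes, offset: int = 0):
    """Parse the IPv4 header at `offset`; return (fields, header_length)."""
    ver_ihl, _tos, _total, _ident, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack_from(IPV4_HDR, buf, offset)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options included)
    fields = {"src": str(ipaddress.IPv4Address(src)),
              "dst": str(ipaddress.IPv4Address(dst)),
              "proto": proto, "ttl": ttl}
    return fields, ihl


def parse_icmp_unreachable(buf: bytes) -> dict:
    """Return the outer (router) and inner (quoted) addresses of an ICMP type 3 error."""
    outer, ihl = parse_ipv4_header(buf)
    if outer["proto"] != 1:
        raise ValueError("outer packet is not ICMP")
    icmp_type, icmp_code = buf[ihl], buf[ihl + 1]
    if icmp_type != 3:
        raise ValueError("not an ICMP Destination Unreachable message")
    # ICMP error header is 8 bytes (type, code, checksum, unused); the original
    # datagram's IP header plus 8 bytes of its payload follow immediately.
    inner, _ = parse_ipv4_header(buf, ihl + 8)
    return {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "inner_src": inner["src"], "inner_dst": inner["dst"],
            "code": icmp_code}


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 datagram (constructed test data; checksum left zero)."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


# Constructed sample: 192.168.1.10 sent a UDP datagram to 172.16.5.7; router
# 10.0.0.1 answers with ICMP type 3 code 1 (Host Unreachable), quoting the
# original IP header and the first 8 bytes (the UDP header) of its payload.
_udp = struct.pack("!HHHH", 40000, 53, 12, 0) + b"\x00" * 4
_inner = build_ipv4("192.168.1.10", "172.16.5.7", 17, _udp)
_icmp = struct.pack("!BBHI", 3, 1, 0, 0) + _inner[:28]
SAMPLE_UNREACHABLE = build_ipv4("10.0.0.1", "192.168.1.10", 1, _icmp)

if __name__ == "__main__":
    print(parse_icmp_unreachable(SAMPLE_UNREACHABLE))
```

The two `src` values are different fields of different headers; a tool that reports both under one name forces the reader to know the nesting depth to tell the router apart from the original sender.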