Wireshark-users: Re: [Wireshark-users] finding a missing ICMP Echo Reply

From: Martin Isaksson <martin.isaksson@xxxxxxxxxxxx>
Date: Fri, 5 Oct 2012 18:08:01 +0200
Hi Stuart,

First I should say I am using Wireshark Version 1.8.2 (SVN Rev 44520 from /trunk-1.8).

I took an old capture file with ICMP pings, deleted one reply with frame.number != X and saved.
Then I used the filter below, and the only packet listed was the lone request.

icmp.resp_in seems only to be present in frames that Wireshark can find the response to.
The same for icmp.resp_to in the replies.

!(icmp.resp_in or icmp.resp_to) should be equivalent. The filter suggested by Gerald works for me as well, and I like it more than mine :)

Kind regards,
Martin
 

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Gerald Combs
Sent: den 5 oktober 2012 12:03
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] finding a missing ICMP Echo Reply

Can you try "(icmp.type == 8) && !icmp.resp_in"? That should show any request without a matching response.

On 10/5/12 8:35 AM, Stuart Kendrick wrote:
> I'm stumbling on this.
> 
> Filtering on icmp.resp_in shows me all the Requests
> Filtering on icmp.resp_to shows me all the Replies
> 
> Filtering on !icmp.resp_in shows me everything
> Filtering on !icmp.resp_to shows me everything
> 
> Filtering on "!icmp.resp_in and !icmp_resp_to" shows me everything
> 
> Reading the description of these expressions ... I don't understand 
> what they do:
> 
> icmp_resp_in - Response In (the response to this request is in this frame)
>     How can an ICMP Request and an ICMP Reply share the same frame?
> icmp_resp_to = Response To (This is the response to the request in this frame)
>     How do I specify which request?
> 
> Would you elaborate?
> 
> --sk
> 
> On 10/5/2012 8:22 AM, Martin Isaksson wrote:
>> Hi Stuart!
>>
>> !icmp.resp_in and !icmp.resp_to
>>
>> There might be an easier way :)
>>
>> /M
>>
>>
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>            
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

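
An added example, not part of the original thread and not Wireshark's own code: a simplified Python model of why icmp.resp_in and icmp.resp_to exist only on matched frames, and what each filter from the thread selects. The frames are constructed sample data, and pairing on address pair, identifier and sequence number is an assumption about the matching.

```python
# Simplified model of ICMP echo request/reply pairing (added example).
# Constructed frames: (number, proto, src, dst, icmp_type, ident, seq)
FRAMES = [
    (1, "icmp", "10.0.0.1", "10.0.0.2", 8, 0x1234, 1),
    (2, "icmp", "10.0.0.2", "10.0.0.1", 0, 0x1234, 1),
    (3, "icmp", "10.0.0.1", "10.0.0.2", 8, 0x1234, 2),  # its reply was deleted
    (4, "arp",  "10.0.0.1", "10.0.0.2", None, None, None),
    (5, "icmp", "10.0.0.1", "10.0.0.2", 8, 0x1234, 3),
    (6, "icmp", "10.0.0.2", "10.0.0.1", 0, 0x1234, 3),
]

def annotate(frames):
    """Return {frame_number: fields}; resp_in/resp_to are set only on matched pairs."""
    fields = {}
    pending = {}  # (requester, responder, ident, seq) -> request frame number
    for num, proto, src, dst, icmp_type, ident, seq in frames:
        f = fields[num] = {}
        if proto != "icmp":
            continue  # non-ICMP frames carry no icmp.* fields at all
        f["icmp.type"] = icmp_type
        if icmp_type == 8:    # echo request: remember it until a reply shows up
            pending[(src, dst, ident, seq)] = num
        elif icmp_type == 0:  # echo reply: look for the request it answers
            req = pending.pop((dst, src, ident, seq), None)
            if req is not None:
                fields[req]["icmp.resp_in"] = num  # request points at its reply
                f["icmp.resp_to"] = req            # reply points back at the request
    return fields

def select(fields, predicate):
    """Frame numbers whose fields satisfy the filter predicate."""
    return [n for n, f in sorted(fields.items()) if predicate(f)]

FIELDS = annotate(FRAMES)
# !icmp.resp_in : every frame lacking the field, replies and non-ICMP included
NOT_RESP_IN = select(FIELDS, lambda f: "icmp.resp_in" not in f)
# !(icmp.resp_in or icmp.resp_to) : unmatched ICMP plus all non-ICMP frames
NEITHER = select(FIELDS, lambda f: "icmp.resp_in" not in f and "icmp.resp_to" not in f)
# (icmp.type == 8) && !icmp.resp_in : only echo requests with no matched reply
UNANSWERED = select(FIELDS, lambda f: f.get("icmp.type") == 8 and "icmp.resp_in" not in f)

if __name__ == "__main__":
    print("!icmp.resp_in                     ->", NOT_RESP_IN)
    print("!(icmp.resp_in or icmp.resp_to)   ->", NEITHER)
    print("(icmp.type == 8) && !icmp.resp_in ->", UNANSWERED)
```

In a capture that contains only pings, the second and third filters give the same result; they differ once other traffic is present.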