When I find an ICMP packet (example: ICMP "fragmentation needed") using Wireshark, how can I easily locate the unique packet that generated the ICMP? asked 28 Sep '12, 01:20 chinasan
One Answer:
That's the nice thing about ICMP: it includes part of the packet that generated the ICMP message. If you look into the packet details pane you will see a second IP layer below the ICMP layer. Open it up and look for the Identification field (ip.id). You can then right-click on it and choose "Copy -> As filter". Then press CTRL+F to open the search dialog and paste the copied filter in the filter text box. Choose "Up" for direction and click on "Find". answered 28 Sep '12, 01:32 SYN-bit ♦♦
Assume your two hosts are 1.1.1.1 and 2.2.2.2. Someone in the middle generates an ICMP telling 1.1.1.1 or 2.2.2.2 to make the packets smaller (ICMP 3/4 message). The beauty of Wireshark is that the "ip.addr==1.1.1.1" filter will also include the ICMP message from some router in the middle (who sent the type 3/4 message). To make it even easier, you can use "icmp and ip.addr==1.1.1.1" to find it. Good luck. By the way, it doesn't matter if you choose 1.1.1.1 or 2.2.2.2, since the ICMP will have both addresses in the ICMP header (as Sake pointed out).
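Both the answer and the comment above rely on the same fact: an ICMP error message (type 3 "destination unreachable" with code 4 "fragmentation needed", among others) quotes the IP header of the datagram that triggered it, so the inner ip.id, ip.src and ip.dst identify the original packet, and Wireshark's ip.addr filter matches that quoted inner header too. The script below is an added example, not code from the thread or from the Wireshark project: it builds a small constructed capture (the hosts 1.1.1.1 and 2.2.2.2 from the thread, plus an assumed router 10.0.0.254 sending a type 3/4 message with an assumed next-hop MTU of 1400), parses the quoted datagram out of the ICMP error, builds the equivalent display filter, and locates the originating frame. It also narrows the match with the inner addresses, because ip.id is only 16 bits and the same value can appear in the opposite direction.

```python
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMP types whose body quotes the triggering datagram's IP header plus 8 bytes
# of its payload (RFC 792): dest unreachable, source quench, redirect,
# time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def ipv4_header(src: str, dst: str, ident: int, proto: int, payload_len: int, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header for constructed test frames (checksum left 0)."""
    flags_frag = 0x4000 if df else 0  # DF bit set: the case that triggers type 3/4
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def frag_needed(router: str, victim: str, mtu: int, offending: bytes) -> bytes:
    """Constructed ICMP type 3 code 4 from `router`, quoting the first 28 bytes of `offending`."""
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + offending[:28]
    return ipv4_header(router, victim, 0x0001, IPPROTO_ICMP, len(icmp), df=False) + icmp


@dataclass
class IPv4Summary:
    src: str
    dst: str
    ident: int
    proto: int


def parse_ipv4(buf: bytes) -> IPv4Summary:
    """Extract the fields of an IPv4 header that identify a datagram."""
    _, _, _, ident, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return IPv4Summary(socket.inet_ntoa(src), socket.inet_ntoa(dst), ident, proto)


def quoted_datagram(frame: bytes) -> Optional[Tuple[IPv4Summary, Optional[int]]]:
    """If `frame` is an ICMP error, return the quoted inner datagram and (for type 3/4) the next-hop MTU."""
    outer = parse_ipv4(frame)
    if outer.proto != IPPROTO_ICMP:
        return None
    ihl = (frame[0] & 0x0F) * 4
    icmp = frame[ihl:]
    itype, code, _, _, field = struct.unpack("!BBHHH", icmp[:8])
    if itype not in ICMP_ERROR_TYPES:
        return None
    inner = parse_ipv4(icmp[8:])  # the "second IP layer" seen in the details pane
    mtu = field if (itype, code) == (3, 4) else None  # RFC 1191 next-hop MTU field
    return inner, mtu


def display_filter(inner: IPv4Summary) -> str:
    """Display filter equivalent to 'Copy -> As filter' on ip.id, narrowed by the inner addresses."""
    return f"ip.id == 0x{inner.ident:04x} && ip.src == {inner.src} && ip.dst == {inner.dst}"


def matches_ip_addr(frame: bytes, addr: str) -> bool:
    """Mimic Wireshark's ip.addr == addr, which also matches the quoted header inside an ICMP error."""
    s = parse_ipv4(frame)
    if addr in (s.src, s.dst):
        return True
    q = quoted_datagram(frame)
    return q is not None and addr in (q[0].src, q[0].dst)


def find_originating(icmp_frame: bytes, capture: List[bytes]) -> List[int]:
    """0-based indices of frames in `capture` that match the datagram quoted by `icmp_frame`."""
    result = quoted_datagram(icmp_frame)
    if result is None:
        return []
    inner, _ = result
    hits = []
    for i, frame in enumerate(capture):
        if frame is icmp_frame:
            continue
        s = parse_ipv4(frame)
        if (s.src, s.dst, s.ident, s.proto) == (inner.src, inner.dst, inner.ident, inner.proto):
            hits.append(i)
    return hits


def _tcp_frame(src: str, dst: str, ident: int, payload_len: int = 1400) -> bytes:
    """Constructed TCP segment with DF set (a large HTTPS segment)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x18, 65535, 0, 0) + b"\x00" * payload_len
    return ipv4_header(src, dst, ident, IPPROTO_TCP, len(tcp))


# Constructed capture: three TCP frames, then the router's type 3/4 complaint about frame index 1.
CAPTURE = [
    _tcp_frame("1.1.1.1", "2.2.2.2", 0x1233),
    _tcp_frame("1.1.1.1", "2.2.2.2", 0x1234),  # the datagram that was too big
    _tcp_frame("2.2.2.2", "1.1.1.1", 0x1234),  # same ip.id, opposite direction: must not match
]
CAPTURE.append(frag_needed("10.0.0.254", "1.1.1.1", 1400, CAPTURE[1]))

if __name__ == "__main__":
    inner, mtu = quoted_datagram(CAPTURE[3])
    print("quoted:", inner, "next-hop MTU:", mtu)
    print("filter:", display_filter(inner))
    print("originating frame index:", find_originating(CAPTURE[3], CAPTURE))
```

Searching the quoted ip.id together with the inner src/dst is what makes the lookup unambiguous: the reversed-direction frame in the constructed capture carries the same Identification value but is correctly excluded, and `matches_ip_addr` shows why the comment's `ip.addr==2.2.2.2` filter still catches the router's ICMP even though 2.2.2.2 appears only in the quoted inner header.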