This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

When I found a icmp(example: icmp need to fragmented..) packet using wireshark,how can I easily locate the unique packet generating the icmp ?

asked 28 Sep '12, 01:20

chinasan's gravatar image

chinasan
0668
accept rate: 0%


That's the nice thing about ICMP, it includes part of the packet that generated the ICMP message. If you look into the packet details pane you will see a second IP layer below the ICMP layer. Open it up and look for the Identification field (ip.id).

You can then right-click on it and choose "Copy -> As filter". Then press CTRL+F to open the search dialog and paste the copied filter in the filter text-box. Choose "UP" for direction and click on "find".

permanent link

answered 28 Sep '12, 01:32

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Assume your two hosts are 1.1.1.1 and 2.2.2.2. Someone in the middle generates an ICMP telling 1.1.1.1 or 2.2.2.2 to make the packets smaller (icmp 3/4 message). Beauty of Wireshark is that "ip.addr==1.1.1.1" filter will also include the ICMP message from some router in the middel (who sent the type3/4 message). To make it even easier, you can use "icmp and ip.addr==1.1.1.1" to find it. good luck. By the way, it doesn't matter if you choose 1.1.1.1 or 2.2.2.2. Since the ICMP will have both addresses in the ICMP header (as Sake pointed out)

(28 Sep '12, 14:15) hansangb
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×74
×2

question asked: 28 Sep '12, 01:20

question was seen: 4,511 times

last updated: 28 Sep '12, 14:17

p​o​w​e​r​e​d by O​S​Q​A