This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to locate one packet and the icmp packets using wireshark?

When I find an ICMP packet (for example, ICMP "fragmentation needed") using Wireshark, how can I easily locate the specific packet that generated the ICMP message?

asked 28 Sep '12, 01:20

chinasan
One Answer:

That's the nice thing about ICMP, it includes part of the packet that generated the ICMP message. If you look into the packet details pane you will see a second IP layer below the ICMP layer. Open it up and look for the Identification field (ip.id).

You can then right-click on it and choose "Copy -> As filter". Then press CTRL+F to open the search dialog and paste the copied filter in the filter text-box. Choose "UP" for direction and click on "find".

answered 28 Sep '12, 01:32

SYN-bit

Assume your two hosts are 1.1.1.1 and 2.2.2.2. Someone in the middle generates an ICMP telling 1.1.1.1 or 2.2.2.2 to make the packets smaller (ICMP 3/4 message). The beauty of Wireshark is that the "ip.addr==1.1.1.1" filter will also include the ICMP message from some router in the middle (who sent the type 3/4 message). To make it even easier, you can use "icmp and ip.addr==1.1.1.1" to find it. Good luck. By the way, it doesn't matter if you choose 1.1.1.1 or 2.2.2.2, since the ICMP will have both addresses in the ICMP header (as Sake pointed out).

(28 Sep '12, 14:15) hansangb
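The matching the answer and the comment describe, done by hand on raw bytes: an added example, not code from the original thread or from Wireshark. It parses an ICMP type 3 code 4 frame, pulls the ip.id, source and destination out of the quoted inner IP header, and searches "Up" (toward earlier frames) for the datagram they belong to. The capture, the hosts 1.1.1.1 / 2.2.2.2, the router 10.0.0.1 and the MTU value are constructed for the example.

```python
import struct

def parse_ipv4_header(buf):
    """Parse the fixed part of an IPv4 header into the fields Wireshark shows under the IP layer."""
    ver_ihl, _tos, total_len, ident, _ff, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return {"ihl": (ver_ihl & 0x0F) * 4, "len": total_len, "id": ident, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def parse_icmp_frag_needed(frame):
    """Return router address, next-hop MTU and the quoted inner IP header for an ICMP type 3 code 4 frame."""
    outer = parse_ipv4_header(frame)
    if outer["proto"] != 1:          # not ICMP at all
        return None
    icmp = frame[outer["ihl"]:]
    icmp_type, icmp_code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, icmp_code) != (3, 4):
        return None
    # RFC 792: the ICMP error quotes the original IP header plus the first 8 bytes of its payload.
    return {"router": outer["src"], "mtu": mtu, "inner": parse_ipv4_header(icmp[8:])}

def find_originating_frame(frames, icmp_index):
    """Search upward from the ICMP frame for the datagram whose ip.id/src/dst match the quoted header."""
    info = parse_icmp_frag_needed(frames[icmp_index])
    if info is None:
        return None
    q = info["inner"]                # same idea as the copied "ip.id == ..." filter searched with direction Up
    for i in range(icmp_index - 1, -1, -1):
        h = parse_ipv4_header(frames[i])
        if (h["id"], h["src"], h["dst"]) == (q["id"], q["src"], q["dst"]):
            return i
    return None

def build_ipv4(src, dst, ident, proto, payload):
    """Build a constructed IPv4 datagram (DF set, checksum left zero; this example never verifies it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

# Constructed capture: two TCP datagrams from 1.1.1.1, then a "fragmentation needed" error from a router
# in the middle (10.0.0.1) quoting the FIRST one, so the right answer is frame 0, not the most recent frame.
CAPTURE = [
    build_ipv4("1.1.1.1", "2.2.2.2", 0x1234, 6, bytes(40)),
    build_ipv4("1.1.1.1", "2.2.2.2", 0x1235, 6, bytes(40)),
]
CAPTURE.append(build_ipv4("10.0.0.1", "1.1.1.1", 0x0001, 1,
                          struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + CAPTURE[0][:28]))

if __name__ == "__main__":
    info = parse_icmp_frag_needed(CAPTURE[2])
    print("router %s says MTU %d; quoted ip.id=0x%04x" % (info["router"], info["mtu"], info["inner"]["id"]))
    print("originating frame:", find_originating_frame(CAPTURE, 2))
```

Note that matching on ip.id alone can collide once the 16-bit counter wraps, which is why the search also compares the quoted source and destination, just as the comment's "icmp and ip.addr==1.1.1.1" filter narrows things to the hosts involved.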