This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to hide ICMP packets?

0

Hi,

This is the first time I am using wireshark and facing below issue:-

I have created my own dissector named IPTWP(UDP). While trying to filter IPTWP packets, the ICMP packets also get displayed. How to find out whats common between my dissector and ICMP dissector? Also, when looking at the ICMP tree, IPTWP is shown as a part of tree along with UDP and IPv4. Therefore, when i try to set filter to "udp only", the icmp packets are visible. I am not sure whats happening over here. Please help...

Thanks, Priyanka

asked 03 Oct '12, 22:42

priyankaB's gravatar image

priyankaB
6112
accept rate: 0%


One Answer:

0

You're probably seeing ICMP packets sent in response to the IPTWP-over-UDP-over-IP packets, and those ICMP packets include a copy of some or all of the IP datagram in response to which they're sent; Wireshark dissects that copy of the IP datagram, so it finds IPTWP packets (presumably because enough of the IP datagram is in the ICMP response to include the IPTWP packet).

If you don't want to see them, try, for example, "udp and not icmp".

answered 04 Oct '12, 00:23

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

I have already tried [iptwp && !icmp] and it worked i.e. no ICMP packets only IPTWP, but the client was not okay with it. Is there any other way to do it, if I set filter to "iptwp only" it hides all other packets(TCP, UDP, etc) except for ICMP. I am okay with whatever udp does since it is not part of dissector I have created, but iptwp should behave correctly, i.e. when filter is set to "iptwp only" it should hide all other packets - udp, icmp, tcp, etc.

(04 Oct '12, 03:39) priyankaB

No, there's no other way to do it. If the client doesn't like it, they're more than welcome to use a packet sniffer that doesn't dissect the included IP datagram in ICMP packets.

(04 Oct '12, 11:14) Guy Harris ♦♦