Hi, this is the first time I am using Wireshark and I am facing the issue below: I have created my own dissector named IPTWP (UDP). While trying to filter IPTWP packets, the ICMP packets also get displayed. How do I find out what's common between my dissector and the ICMP dissector? Also, when looking at the ICMP tree, IPTWP is shown as part of the tree along with UDP and IPv4. Therefore, when I try to set the filter to "udp" only, the ICMP packets are visible. I am not sure what's happening here. Please help... Thanks, Priyanka
asked 03 Oct '12, 22:42 priyankaB
One Answer:
You're probably seeing ICMP packets sent in response to the IPTWP-over-UDP-over-IP packets, and those ICMP packets include a copy of some or all of the IP datagram in response to which they're sent; Wireshark dissects that copy of the IP datagram, so it finds IPTWP packets (presumably because enough of the IP datagram is in the ICMP response to include the IPTWP packet). If you don't want to see them, try, for example, "udp and not icmp".
answered 04 Oct '12, 00:23 Guy Harris ♦♦
I have already tried [iptwp && !icmp] and it worked, i.e. no ICMP packets, only IPTWP, but the client was not okay with it. Is there any other way to do it? If I set the filter to "iptwp" only, it hides all other packets (TCP, UDP, etc.) except for ICMP. I am okay with whatever udp does since it is not part of the dissector I have created, but iptwp should behave correctly, i.e. when the filter is set to "iptwp" only, it should hide all other packets: udp, icmp, tcp, etc.
No, there's no other way to do it. If the client doesn't like it, they're more than welcome to use a packet sniffer that doesn't dissect the included IP datagram in ICMP packets.
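As an added illustration (not code from this thread or from Wireshark itself), the following Python script emulates what the answer above describes: an ICMP port-unreachable error quotes the offending IP datagram, a dissector that follows the quoted datagram produces the tree ip:icmp:ip:udp:iptwp, and a protocol-name display filter matches a frame if that protocol appears anywhere in its tree. The page does not document the IPTWP format, so the example assumes it is identified solely by a made-up UDP port (20550); the toy dissector, the filter evaluator and the sample packets are all constructed here for the example.

```python
"""Why a protocol-name display filter such as "iptwp" also matches ICMP errors.

Wireshark dissects the copy of the offending IP datagram carried inside an ICMP
error message, so that frame's tree is ip:icmp:ip:udp:iptwp and a bare "iptwp"
filter matches it.  This toy builds both kinds of frame and evaluates filters
the same way: a protocol name matches if it appears anywhere in the tree.
"""
import struct

# ASSUMPTION for this example only: IPTWP is recognised purely by this UDP port.
IPTWP_UDP_PORT = 20550
CLIENT, SERVER = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header; checksum 0 is a legal 'no checksum' value over IPv4."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp_port_unreachable(original_datagram: bytes) -> bytes:
    """ICMP type 3 code 3.  RFC 792 requires the original IP header plus at
    least 8 bytes of its payload to follow the 8-byte ICMP header; many stacks
    quote more, and this example quotes the whole datagram."""
    body = struct.pack("!BBHI", 3, 3, 0, 0) + original_datagram
    return body[:2] + struct.pack("!H", ip_checksum(body)) + body[4:]


def dissect(packet: bytes) -> list:
    """Return the protocol tree as a flat list, like Wireshark's frame.protocols."""
    layers = ["ip"]
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == 17:
        layers.append("udp")
        sport, dport = struct.unpack("!HH", payload[:4])
        if IPTWP_UDP_PORT in (sport, dport):
            layers.append("iptwp")
    elif proto == 6:
        layers.append("tcp")
    elif proto == 1:
        layers.append("icmp")
        # Error messages (dest unreachable, time exceeded, parameter problem)
        # quote the original datagram; dissecting it is what puts "udp" and
        # "iptwp" into an ICMP frame's tree.
        if payload[0] in (3, 11, 12) and len(payload) > 8 + 20:
            layers.extend(dissect(payload[8:]))
    return layers


def matches(expr: str, layers: list) -> bool:
    """Evaluate a conjunction of protocol names, e.g. 'iptwp && !icmp' or
    'udp and not icmp'.  A name is true if the protocol is anywhere in the tree."""
    present = set(layers)
    result, negate = True, False
    for tok in expr.split():
        if tok in ("&&", "and"):
            continue
        if tok in ("!", "not"):
            negate = True
            continue
        name = tok
        if tok.startswith("!"):
            negate, name = True, tok[1:]
        if (name in present) == negate:
            result = False
        negate = False
    return result


def build_frames() -> dict:
    """Constructed sample capture: an IPTWP datagram, the ICMP port-unreachable
    a host returns for it, and an unrelated TCP SYN."""
    datagram = ipv4(CLIENT, SERVER, 17, udp(40000, IPTWP_UDP_PORT, b"IPTWP payload"))
    icmp_reply = ipv4(SERVER, CLIENT, 1, icmp_port_unreachable(datagram))
    tcp_syn = ipv4(CLIENT, SERVER, 6,
                   struct.pack("!HHIIBBHHH", 40001, 80, 1, 0, 0x50, 0x02, 65535, 0, 0))
    return {"iptwp": datagram, "icmp": icmp_reply, "tcp": tcp_syn}


def apply_filter(expr: str) -> list:
    """Names of the sample frames a display filter would leave visible."""
    return [name for name, pkt in build_frames().items() if matches(expr, dissect(pkt))]


if __name__ == "__main__":
    for name, pkt in build_frames().items():
        print(f"{name:6s} tree: {':'.join(dissect(pkt))}")
    for expr in ("iptwp", "udp", "iptwp && !icmp", "udp and not icmp"):
        print(f"filter {expr!r:20s} shows {apply_filter(expr)}")
```

Running it shows the ICMP frame's tree as ip:icmp:ip:udp:iptwp, so "iptwp" and "udp" both keep the ICMP frame while "iptwp && !icmp" (or "udp and not icmp") drops it, which is exactly the behaviour the thread describes. A dissector cannot change this on its own: the match comes from the ICMP dissector handing the quoted datagram back to IP, not from anything the IPTWP dissector registers.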