ICMP filter filtering only Destination Unreachable (type) - icmp[0] == 3.
ICMP filter filtering Destination Unreachable (type), Destination host unreachable (code) - icmp[0:2] == ?

Regards
Dinged

asked 27 Mar '13, 06:14 Dinged
2 Answers:
The capture filter you are probably thinking of is:
But to be more descriptive, you could use something like this instead:
Note that the compiled BPF code isn't exactly the same though. It seems that the first format is slightly more efficient, taking 2 fewer instructions. Compare
to
Refer to the pcap-filter man page for more information. (If instead you're looking for a Wireshark display filter, then refer to pfuender's answer.)

answered 27 Mar '13, 09:35 cmaynard ♦♦ edited 27 Mar '13, 20:56
You can combine several filters using '&&', so you can use the two filters as you've requested. Here's an example to only show ICMP 'Host Unreachable' messages:
answered 27 Mar '13, 07:12 pfuender

Sorry for not being clear in the question, I am looking for a capture filter. But nevertheless, good to know. :D (27 Mar '13, 20:15) Dinged
Great detailed answer. I am wondering how the hex value 0x0301 comes about? 03 = type 3, 01 = code 1?
The 1st byte of an ICMP packet is the type, and type 3 is the "Destination Unreachable" message. The 2nd byte of the ICMP packet is the code, and code 1 of a "Destination Unreachable" message is "host unreachable". For more details refer to RFC 792 or to your favorite on-line help for ICMP, such as Inacon's help for the ICMP code field or even Wikipedia's article on ICMP.
Oh, only after reading Inacon's guide did I learn that the type and code values are actually hex values. Thanks for the link to this great resource.
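
As an added example (not part of the original thread, and not Wireshark or libpcap code), the Python below applies to raw frame bytes the test that the capture filter expression icmp[0:2] == 0x0301 describes, showing that 0x0301 is the type byte (3) and the code byte (1) read as one big-endian 16-bit value. It assumes Ethernet framing and IPv4; the function names and the sample frames are constructed for illustration.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ETH_LEN = 14
HOST_UNREACHABLE = 0x0301  # type 3 in the high byte, code 1 in the low byte


def icmp_type_code(frame: bytes):
    """Return icmp[0:2] as a 16-bit big-endian value, or None if not unfragmented IPv4 ICMP."""
    if len(frame) < ETH_LEN + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    if frame[ETH_LEN + 9] != IPPROTO_ICMP:
        return None
    # Only the first fragment carries the ICMP header, so require fragment offset 0.
    if struct.unpack_from("!H", frame, ETH_LEN + 6)[0] & 0x1FFF:
        return None
    # The IP header length varies with options: low nibble of byte 0, in 32-bit words.
    icmp_off = ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4
    if len(frame) < icmp_off + 2:
        return None
    return struct.unpack_from("!H", frame, icmp_off)[0]


def matches_host_unreachable(frame: bytes) -> bool:
    return icmp_type_code(frame) == HOST_UNREACHABLE


def build_frame(icmp_type, icmp_code, ip_options=b"", frag_offset=0):
    """Constructed sample frame; checksums are left zero because the filter never reads them."""
    ihl_words = 5 + len(ip_options) // 4
    icmp = bytes([icmp_type, icmp_code]) + bytes(6)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ihl_words * 4 + len(icmp),
                     0, frag_offset, 64, IPPROTO_ICMP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_options
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp


if __name__ == "__main__":
    for label, frame in [("host unreachable", build_frame(3, 1)),
                         ("net unreachable", build_frame(3, 0)),
                         ("host unreachable + IP options", build_frame(3, 1, bytes(4))),
                         ("echo request", build_frame(8, 0))]:
        print(f"{label:32} icmp[0:2]={icmp_type_code(frame):#06x} "
              f"match={matches_host_unreachable(frame)}")
```

The frame with IP options shows why the ICMP offset has to be computed from the header-length nibble rather than fixed at 20 bytes past the IP header start.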