All of the DSCP 22 packets are not expected since my filter is only for DSCP 46 packets. All of these DSCP 22 packets are ICMP, stating the destination unreachable (Port unreachable). Is there a reason these packets are being displayed?

asked 16 Sep '15, 08:38 MotoRider edited 16 Sep '15, 10:38 JeffMorriss ♦
One Answer:
I'm guessing that the embedded IP part of those ICMP packets has DSCP==46, right? This is a commonly asked question. The trick is to know/remember that the display filter In your case the frame has 2 fields named There has been a lot of discussion about this type of problem, in particular to find a method to specify that you're only interested in, for example, the first occurrence of the field within the frame but so far nothing has been done.

answered 16 Sep '15, 10:37 JeffMorriss ♦
Correct, there is an embedded IP part, which does have the DSCP==46. I was expecting that it would only find the outer one and then stop, but as you say the field exists elsewhere in the frame.
Unfortunately when I do an ip.dsfield.dscp!=48, I still get packets with 48 in the DSCP column.
Yep, that's the same thing. The outer part has ip.dsfield.dscp!=48 so it gets included, even when the inner part has ip.dsfield.dscp==48. That's why the filter entry box is colored yellow ('this might behave differently than you expect').
The correct filter syntax is !(ip.dsfield.dscp==48)
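
The matching behaviour discussed in this thread, as an added example that is not part of the original posts: it builds constructed ICMP port-unreachable frames, collects every DSCP occurrence (outer header and the quoted inner header), and evaluates the three filter forms. All function names and the 192.0.2.x addresses are assumptions made for illustration, and the any-occurrence rule is modelled as the thread describes it.

```python
import struct

def ipv4_header(dscp, proto, payload_len=0):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum left 0)."""
    tos = dscp << 2                      # DSCP is the top 6 bits of the DS/ToS byte
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def icmp_port_unreachable(outer_dscp, inner_dscp):
    """Outer IP + ICMP type 3 code 3, quoting the original IP header + 8 UDP bytes."""
    quoted = ipv4_header(inner_dscp, 17, 8) + bytes(8)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return ipv4_header(outer_dscp, 1, len(icmp)) + icmp

def dscp_occurrences(pkt):
    """Return every DSCP value in the frame: outer header first, then quoted ones."""
    values, offset = [], 0
    while len(pkt) - offset >= 20 and pkt[offset] >> 4 == 4:
        ihl = (pkt[offset] & 0x0F) * 4
        values.append(pkt[offset + 1] >> 2)
        proto = pkt[offset + 9]
        offset += ihl
        # An ICMP destination-unreachable (type 3) quotes the original IP header
        # right after its own 8-byte header; anything else ends the walk.
        if proto == 1 and len(pkt) - offset >= 8 and pkt[offset] == 3:
            offset += 8
        else:
            break
    return values

def any_eq(values, x):   # models  field == x   : true if ANY occurrence equals x
    return any(v == x for v in values)

def any_ne(values, x):   # models  field != x   : true if ANY occurrence differs
    return any(v != x for v in values)

def not_eq(values, x):   # models  !(field == x): true only if NO occurrence equals x
    return not any_eq(values, x)

if __name__ == "__main__":
    frame = icmp_port_unreachable(outer_dscp=22, inner_dscp=46)
    vals = dscp_occurrences(frame)
    print(vals, "dscp==46:", any_eq(vals, 46))
    vals = dscp_occurrences(icmp_port_unreachable(outer_dscp=0, inner_dscp=48))
    print(vals, "dscp!=48:", any_ne(vals, 48), "!(dscp==48):", not_eq(vals, 48))
```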