This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Live capture with traffic filtered for ICMP not displayed

0

I'm just learning Wireshark. While following a tutorial, I set a filter for ICMP traffic and started my capture. I then pinged Google and Yahoo, yet no packets were displayed. I could see that it was capturing network traffic at the bottom of the app window. I stopped the capture, removed the filter, and started another capture of all traffic, but nothing was displayed. Again I could see at the bottom of the app that traffic was being captured. I saved the original ICMP capture to disk, then restarted Wireshark. I was then able to capture and display all traffic again. I then loaded the saved ICMP file, which I was able to view, but it had all protocols displayed, not just ICMP. I applied the ICMP filter to the saved file, and it filtered properly. OK, so I thought this may have been a one-time glitch, so I tried a live capture with the ICMP filter applied again. I got the same results: capturing traffic, but nothing displayed. I then tried a live capture filtered for DNS. YAY, works great! Did I find a bug, or am I doing something wrong? My OS is Windows 10, Build 10565. My Wireshark version is 1.12.7.

asked 13 Oct '15, 13:05


mattmc61
accept rate: 0%

What was your filter expression?

(13 Oct '15, 13:49) Jaap ♦

I simply entered: ICMP

(13 Oct '15, 13:54) mattmc61

One Answer:

0

Please run the following commands and report back if you see ICMP traffic.

dumpcap -D -M

pick the interface you want to capture traffic on

tshark -ni 1 -f "icmp"

Please replace '1' with the ID of your interface.

If you do see ICMP traffic here, it's a problem with the way you are using Wireshark. Then we would need a more detailed description and/or screenshots!

If you don't see ICMP traffic, you either picked the wrong interface (please double check) or there is a problem on your system, like security software intercepting ICMP traffic (AV, IDS, Endpoint Security, etc.).

Another possible problem could be some form of offloading in the network driver. Please check that as well (Google will tell you how to do that!).

Regards
Kurt

answered 13 Oct '15, 14:56


Kurt Knochner ♦
accept rate: 15%

edited 13 Oct '15, 15:12

I am capturing ICMP traffic, as originally stated, just not with a live capture filtered for ICMP... I'll follow your directions and report back in a bit.

(13 Oct '15, 15:04) mattmc61

OK, I solved it. My ISP is using IPv6 extensively. I was capturing ICMPv6 packets, not ICMP(v4)! There is a little bug though...

When I set my filter for "ICMP", then start a capture, then ping Google and Yahoo, no ICMP (obviously) packets are displayed (because they are responding with ICMPv6).

HOWEVER... After stopping the capture, I save the capture to disk. When I load the file, even without a filter, it will not display ANY packets from the file.

If I stop and then restart Wireshark, the file will then display all the protocols captured.

Thanks for your help, I appreciate your effort!

(13 Oct '15, 15:36) mattmc61

You're welcome!

(13 Oct '15, 15:37) Kurt Knochner ♦
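As an added illustration of the resolution in this thread (not code from the original posts or from the Wireshark project): a small Python classifier over two constructed Ethernet frames, an ICMPv4 echo reply and an ICMPv6 echo reply, shows why the display filter icmp (which matches only IPv4 protocol 1) hides the ICMPv6 replies mattmc61 was getting, while icmp or icmpv6 shows both. The frame builders and the three-term filter evaluator are my own simplifications; IPv6 extension headers are not walked, and the capture-filter spelling passed to tshark -f would be icmp6 rather than icmpv6.

```python
import struct

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
IPPROTO_ICMP, IPPROTO_ICMPV6 = 1, 58   # IPv4 protocol / IPv6 next-header values

def classify_frame(frame: bytes) -> str:
    """Return 'icmp', 'icmpv6' or 'other' for a raw Ethernet II frame.
    Mirrors which Wireshark display-filter protocol name would match it.
    Simplification (assumption): IPv6 extension headers are not walked."""
    if len(frame) < 14:
        return "other"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = frame[14:]
    if ethertype == ETHERTYPE_IPV4 and len(l3) >= 20:
        ihl = (l3[0] & 0x0F) * 4                 # IPv4 header length in bytes
        if l3[9] == IPPROTO_ICMP and len(l3) >= ihl + 8:
            return "icmp"
    elif ethertype == ETHERTYPE_IPV6 and len(l3) >= 40:
        if l3[6] == IPPROTO_ICMPV6 and len(l3) >= 48:
            return "icmpv6"
    return "other"

def matches_filter(frame: bytes, display_filter: str) -> bool:
    """Evaluate the tiny filter subset 'icmp', 'icmpv6', 'icmp or icmpv6'."""
    wanted = {term.strip() for term in display_filter.lower().split(" or ")}
    return classify_frame(frame) in wanted

def shown_count(frames, display_filter: str) -> int:
    """How many of the captured frames the packet list would display."""
    return sum(matches_filter(f, display_filter) for f in frames)

# Constructed sample frames: zeroed MACs, addresses and checksums; only layout matters.
def ipv4_echo_reply() -> bytes:
    icmp = struct.pack("!BBHHH", 0, 0, 0, 1, 1)               # type 0 = echo reply
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                     64, IPPROTO_ICMP, 0, bytes(4), bytes(4))
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp

def ipv6_echo_reply() -> bytes:
    icmp6 = struct.pack("!BBHHH", 129, 0, 0, 1, 1)            # type 129 = echo reply
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp6),
                      IPPROTO_ICMPV6, 64, bytes(16), bytes(16))
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + icmp6

if __name__ == "__main__":
    capture = [ipv4_echo_reply(), ipv6_echo_reply(), ipv6_echo_reply()]
    for flt in ("icmp", "icmpv6", "icmp or icmpv6"):
        print(f"{flt!r:20} shows {shown_count(capture, flt)} of {len(capture)} frames")
```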