This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to filter out unwanted ICMP packets?

0

I have a specific RTP stream that --for whatever reason-- has ICMP packets that I do not want. Because of this I cannot properly decode the pcap and run the necessary scripts. What tshark command can be used to ensure that no ICMP (only UDP) packets are extracted from the raw initial packet capture?

I have attempted the following command to try and NOT read ICMP packets:

tshark -r raw.pcap -o rtp.heuristic_rtp:TRUE -2 -R rtp.ssrc==0x62bf9a1d -O "h264 && not icmp" -w h264.pcap

...initially I had h264 alone. I have tried other filters like "-2 -R !icmp", "-2 -R not icmp". These do not work. Anyone know how to do this? In fact, not just for ICMP, how can I make sure I am ONLY getting UDP?

asked 18 Feb '16, 17:27

testname0110
accept rate: 75%

The ICMP packets most likely are "Destination Port Unreachable" replies to received RTP traffic before the RTP/UDP port is available/open. Normal condition.

(18 Feb '16, 19:59) Rooster_50

One Answer:

1

The -O option only controls which protocols are expanded when displayed; it does not control which protocols are written to the output file or displayed. In fact, your usage of the -O option is wrong as it should be a comma-separated list of protocols you want expanded. See the tshark man page for more information.

To achieve what you desire, try the following:

tshark -r raw.pcap -o rtp.heuristic_rtp:TRUE -Y "udp and !icmp" -O "h264" -w h264.pcap

answered 18 Feb '16, 19:21

cmaynard ♦♦
accept rate: 20%
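The filter in the answer, "udp and !icmp", keeps frames whose IPv4 protocol field is 17 (UDP) and drops the ICMP "port unreachable" replies (protocol 1) that the comment describes. The following Python script is an added example, not part of the original thread and not tshark's own code: it builds a small pcap in memory (the RTP/UDP frames and the ICMP reply are constructed sample data, with IP/UDP checksums left at zero), applies the same protocol test by hand, and counts packets per protocol so you can confirm that an output file really contains only UDP. The helpers udp_packet, icmp_port_unreachable, keep_udp_only and count_by_protocol are names chosen for this example; it handles IPv4 over Ethernet only.

```python
import struct

LINKTYPE_ETHERNET = 1
IPPROTO_ICMP = 1
IPPROTO_UDP = 17


def ipv4_header(proto, src, dst, payload_len):
    """Minimal IPv4 header, no options, checksum left at zero (constructed data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def ethernet(ip_packet):
    """Wrap an IPv4 packet in an Ethernet II frame with made-up MAC addresses."""
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip_packet


def udp_packet(sport, dport, data):
    """Ethernet/IPv4/UDP frame carrying `data` (UDP checksum left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return ethernet(ipv4_header(IPPROTO_UDP, "10.0.0.1", "10.0.0.2", len(udp)) + udp)


def icmp_port_unreachable(original_ip_packet):
    """ICMP type 3 code 3 reply quoting the first 28 bytes of the offending IP packet."""
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + original_ip_packet[:28]
    return ethernet(ipv4_header(IPPROTO_ICMP, "10.0.0.2", "10.0.0.1", len(icmp)) + icmp)


def build_pcap(frames):
    """Serialize frames as a classic little-endian pcap file (magic 0xa1b2c3d4)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (linktype, frame_bytes) for every record in a classic pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def ip_protocol(frame):
    """Return the IPv4 protocol number of an Ethernet frame, or None if it is not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    return frame[23]          # IPv4 "protocol" field: 1 = ICMP, 17 = UDP


def keep_udp_only(pcap_bytes):
    """Hand-rolled equivalent of tshark's 'udp and !icmp': keep IPv4/UDP frames only."""
    kept = [frame for _, frame in iter_pcap(pcap_bytes) if ip_protocol(frame) == IPPROTO_UDP]
    return build_pcap(kept)


def count_by_protocol(pcap_bytes):
    """Count frames per IPv4 protocol number; use this to verify a filtered capture."""
    counts = {}
    for _, frame in iter_pcap(pcap_bytes):
        proto = ip_protocol(frame)
        counts[proto] = counts.get(proto, 0) + 1
    return counts


# Constructed sample capture: two RTP frames (SSRC 0x62bf9a1d from the question) and one
# ICMP port-unreachable reply to the first of them, as the comment on the page describes.
RTP_FRAME = udp_packet(5004, 5004,
                       b"\x80\x60\x00\x01\x00\x00\x00\x01" + bytes.fromhex("62bf9a1d") + b"\x00" * 8)
ICMP_FRAME = icmp_port_unreachable(RTP_FRAME[14:])
SAMPLE_PCAP = build_pcap([RTP_FRAME, ICMP_FRAME, RTP_FRAME])

if __name__ == "__main__":
    print("before:", count_by_protocol(SAMPLE_PCAP))          # {17: 2, 1: 1}
    filtered = keep_udp_only(SAMPLE_PCAP)
    print("after: ", count_by_protocol(filtered))             # {17: 2}
    with open("udp_only.pcap", "wb") as fh:                    # open in Wireshark to inspect
        fh.write(filtered)
```

The counting step is the part worth keeping around: after running the tshark command from the answer, running count_by_protocol over h264.pcap (or simply tshark -r h264.pcap -Y icmp) should report no ICMP at all; if it does, the filter was applied as a display filter only and the packets were still written out.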