This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

i was filtering my log file when i suddenly saw a packet with tcp.ports. BUT it was an ICMP packet. After more investigation, i saw, that it is an icmp redirect encapsulating an ipv4 tcp packet. Wireshark however parses this encapsulated port and tells me, that this packet uses this port. Why is it like this? How can i filter them to not tell me that this icmp request is using that port? Currently i use -e tcp.srcport @ TShark. This leads to a packet with a tcp port but NO stream number. :(

Greetings

asked 08 Jun '16, 23:15

login47's gravatar image

login47
6112
accept rate: 0%

btw, this page tells me everytime that the captcha was invalid. however, it worked.

(08 Jun '16, 23:16) login47

Protocols can be stacked, hence it's impossible to tell which level to include or exclude for a filter (although this is being thought about, it becomes very complex quickly).

Prefix your (capture/display) filter 'not icmp and tcp...' to get rid of the ICMP packets.

permanent link

answered 09 Jun '16, 01:06

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

thanks for the answer, but I want all information in one big csv. Thats why I want all packets to be in there, and for each packet the tcp port. But having ICMP request with a tcp.port is not really good :/ however, i was able to filter that with tcp.len for example. Thanks for the answer though!

(09 Jun '16, 06:33) login47
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×832
×74
×4

question asked: 08 Jun '16, 23:15

question was seen: 1,667 times

last updated: 09 Jun '16, 06:33

p​o​w​e​r​e​d by O​S​Q​A