This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP in ICMP encapsulated includes a tcp.port number

0

Hi,

I was filtering my log file when I suddenly saw a packet with tcp.ports. BUT it was an ICMP packet. After more investigation, I saw that it is an ICMP redirect encapsulating an IPv4 TCP packet. Wireshark, however, parses this encapsulated port and tells me that this packet uses this port. Why is it like this? How can I filter them so that it does not tell me that this ICMP request is using that port? Currently I use -e tcp.srcport with TShark. This leads to a packet with a TCP port but NO stream number. :(

Greetings

asked 08 Jun '16, 23:15

login47

BTW, this page tells me every time that the captcha was invalid. However, it worked.

(08 Jun '16, 23:16) login47

One Answer:

1

Protocols can be stacked, hence it's impossible to tell which level to include or exclude for a filter (although this is being thought about, it becomes very complex quickly).

Prefix your (capture/display) filter with 'not icmp and tcp...' to get rid of the ICMP packets.

answered 09 Jun '16, 01:06

Jaap ♦

Thanks for the answer, but I want all information in one big CSV. That's why I want all packets to be in there, and for each packet the TCP port. But having an ICMP request with a tcp.port is not really good :/ However, I was able to filter that with tcp.len, for example. Thanks for the answer though!

(09 Jun '16, 06:33) login47
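
Why a TCP port turns up inside an ICMP redirect, as an added example that is not part of the original thread: an ICMP error message quotes the IP header and the first 8 bytes of the datagram that triggered it, and for TCP those bytes hold the ports. The function names and sample packets below are constructed for illustration; the parser keeps a packet's own ports separate from quoted ones, which is the distinction a per-packet CSV needs.

```python
import struct

# ICMP types that quote the offending datagram (RFC 792):
# 3 unreachable, 4 source quench, 5 redirect, 11 time exceeded, 12 parameter problem
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def ipv4_split(buf):
    """Return (protocol, payload) of an IPv4 datagram, honouring the IHL field."""
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], buf[ihl:]

def ports(segment):
    """The first four bytes of a TCP header are source and destination port."""
    return struct.unpack("!HH", segment[:4]) if len(segment) >= 4 else None

def classify(packet):
    """Separate a packet's own TCP ports from ports quoted inside an ICMP error."""
    proto, payload = ipv4_split(packet)
    row = {"proto": proto, "tcp_ports": None, "quoted_tcp_ports": None}
    if proto == 6:
        row["tcp_ports"] = ports(payload)
    elif proto == 1 and len(payload) > 28 and payload[0] in ICMP_ERROR_TYPES:
        # 8-byte ICMP header, then the original IP header plus 8 bytes of its payload
        inner_proto, inner_payload = ipv4_split(payload[8:])
        if inner_proto == 6:
            row["quoted_tcp_ports"] = ports(inner_payload)
    return row

# --- constructed sample packets (checksums left at zero) ---
def build_ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + payload

TCP_SYN = build_ipv4(6, [192, 0, 2, 10], [198, 51, 100, 7],
                     struct.pack("!HHLLBBHHH", 49152, 443, 1000, 0, 0x50, 0x02, 65535, 0, 0))
# Redirect (type 5, code 1) from a router, quoting the first 28 bytes of TCP_SYN
REDIRECT = build_ipv4(1, [192, 0, 2, 1], [192, 0, 2, 10],
                      struct.pack("!BBH4s", 5, 1, 0, bytes([192, 0, 2, 254])) + TCP_SYN[:28])

if __name__ == "__main__":
    for name, pkt in (("tcp", TCP_SYN), ("icmp redirect", REDIRECT)):
        print(name, classify(pkt))
```

Only eight bytes of the original TCP header are guaranteed to be quoted, which covers the ports and the sequence number but nothing after them.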