This is the source code for the ICMP dissector. When compiled, it is part of libwireshark.dll.
Regarding the ICMP sequence number fields, since some OSes use big-endian and others use little-endian for the ICMP multi-byte fields, two different filters exist, icmp.seq in case it's big-endian and icmp.seq_le in case it's little-endian. There is no reliable way to know which format the field is in, so both filters are available, and it's left up to the user to determine which one is correct. Both fields are declared as BASE_DEC_HEX, so they're displayed in both decimal and hexadecimal formats. I'm honestly not entirely sure how useful it is to display these fields in hexadecimal, but that's the way the dissector is currently written.
The situation is similar for icmp.ident; however, there appears to be a bug in the source code because both hf_icmp_ident and hf_icmp_ident_le use the same icmp.ident filter. This is the reason why the icmp.ident column displays both of them in the same column. I would suggest opening a Wireshark bug to report this inconsistency and ask for hf_icmp_ident_le to use a separate icmp.ident_le filter, just like icmp.seq_le is used for hf_icmp_seq_num_le.
answered 15 Apr '17, 17:45
cmaynard ♦♦
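The two readings behind icmp.seq and icmp.seq_le can be reproduced outside Wireshark. The following is an added example, not part of the answer above and not Wireshark's code: it decodes the identifier and sequence number of an echo message in both byte orders and, over several packets from one sender, applies a step-by-one heuristic to pick the order. The function names, the heuristic and the sample packets are assumptions constructed for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(ident: int, seq: int, order: str) -> bytes:
    """Constructed echo request; order is '>' (big-endian) or '<' (little-endian)."""
    body = struct.pack(order + "HH", ident, seq) + b"constructed"
    cksum = inet_checksum(struct.pack("!BBH", 8, 0, 0) + body)
    return struct.pack("!BBH", 8, 0, cksum) + body

def parse_echo(msg: bytes) -> dict:
    """Decode an echo request/reply, reading ident and seq in both byte orders."""
    if len(msg) < 8:
        raise ValueError("ICMP echo header is 8 bytes")
    icmp_type, code = struct.unpack("!BB", msg[:2])
    if icmp_type not in (0, 8) or code != 0:
        raise ValueError("not an ICMP echo request/reply")
    ident_be, seq_be = struct.unpack(">HH", msg[4:8])
    ident_le, seq_le = struct.unpack("<HH", msg[4:8])
    return {"ident_be": ident_be, "ident_le": ident_le, "seq_be": seq_be,
            "seq_le": seq_le, "checksum_ok": inet_checksum(msg) == 0}

def guess_seq_order(msgs: list) -> str:
    """Heuristic (assumption): a sender's counter steps by 1 only in its own byte order."""
    parsed = [parse_echo(m) for m in msgs]
    def steps_by_one(key: str) -> bool:
        vals = [p[key] for p in parsed]
        return all((b - a) & 0xFFFF == 1 for a, b in zip(vals, vals[1:]))
    be, le = steps_by_one("seq_be"), steps_by_one("seq_le")
    if be == le:  # single packet, or a stream that fits neither reading: undecidable
        return "unknown"
    return "big-endian" if be else "little-endian"

# Constructed sample streams: the same counter 1, 2, 3 written in each byte order.
LE_STREAM = [build_echo(1, n, "<") for n in (1, 2, 3)]
BE_STREAM = [build_echo(1, n, ">") for n in (1, 2, 3)]

if __name__ == "__main__":
    for name, stream in (("LE sender", LE_STREAM), ("BE sender", BE_STREAM)):
        print(name, [(p["seq_be"], p["seq_le"]) for p in map(parse_echo, stream)],
              "->", guess_seq_order(stream))
```

A single packet always yields "unknown", which matches the point that one field value alone does not reveal its byte order; a sender that does not step its counter by one also yields "unknown".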
This isn't really an answer but a related question.
And, therefore, it was converted into a question. This is a Q&A site, so each question should be a separate item; questions, whether related or not, should be asked separately.