This is the source code for the ICMP dissector. When compiled, it is part of libwireshark.dll.
Regarding the ICMP sequence number fields, since some OS's use use big-endian and others use little-endian for the ICMP multi-byte fields, two different filters exist,
icmp.seq in case it's big-endian and
icmp.seq_le in case it's little-endian. There is no reliable way to know which format the field is in, so both filters are available, and it's left up to the user to determine which one is correct. Both fields are declared as
BASE_DEC_HEX, so they're displayed in both decimal and hexadecimal formats. I'm honestly not entirely sure how useful it is to display these fields in hexadecimal, but that's the way the dissector is currently written.
The situation is similar for
icmp.ident; however, there appears to be a bug in the source code because both
hf_icmp_ident_le use the same
icmp.ident filter. This is the reason why the
icmp.ident column displays both of them in the same column. I would suggest opening a Wireshark bug to report this inconsistency and ask for
hf_icmp_ident_le to use a separate
icmp.ident_le filter, just like
icmp.seq_le is used for
answered 15 Apr '17, 17:45
accept rate: 20%
This isn't really an answer but a related question.
And, therefore, it was converted into a question. This is a Q&A site, so each question should be a separate item; questions, whether related or not, should be asked separately.