This is our old Q&A Site. Please post any new questions and answers at

Well, I was trying to compare some capture and I did find a strange, to me, condition. If I sum the number of packets of the filter ip.src and the number of packets of the filter ip.dst I'm not getting the same packet number of the filter ip.addr. After a deep analysis I've found that the filter ip.src is including the icmp unreachable directed to the source (and not from!!) because in their payload the orginal source is really the ip.src. So far, I can't compare efficiently upstream and downstream packet number, because they're overlapping...any idea?

asked 07 Feb '12, 00:13

stefanor's gravatar image

accept rate: 0%

There you found a common problem, because even in statistics, that gets interesting when there are more packets in the different conversations compared to total packets in the trace file ;)

As a workaround I'd always specifically filter out certain ICMP types, because the ICMP "quotes" have that issue or go for filtering ip.src and MAC src/dst address in parallel, making sure you're only looking at packets from or to a certain workstation.

permanent link

answered 07 Feb '12, 00:36

Landi's gravatar image

accept rate: 28%

edited 07 Feb '12, 00:36

thanks Landi, I'm already filtering out all the ICMP for this reason... Maybe I'm too easy, but I'm not seeing the right behavior implementation as a hard task..

(08 Feb '12, 13:35) stefanor
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 07 Feb '12, 00:13

question was seen: 2,741 times

last updated: 08 Feb '12, 13:43

p​o​w​e​r​e​d by O​S​Q​A