Ethereal-dev: Re: [Ethereal-dev] problems with packets inside ICMP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>
Date: Thu, 7 Nov 2002 18:48:38 +1100
From: "Jason House"
Sent: Thursday, November 07, 2002 7:24 AM
Subject: [Ethereal-dev] problems with packets inside ICMP


> I hit 2 "issues" yesterday
> 1. can't filter on the copy of the packet embedded in the ICMP packet
>     I wanted to write a filter for fields inside the packet that was
> bounced (ICMP supplies a copy of the packet in its payload)... I
> discovered that I could not do so.  There is no way to filter fields
> that belong to one protocol, but happen to be inside of the tree for
> another protocol  (ie. the copied IP packet as the ICMP payload).
>     I remember when I've looked at the filtering code in the past, that
> a particular subtree was not searched for a filterable field if the
> subtree was not for the protocol that "owned" that field.  So items like
> "ip.dst" inside of an ICMP packet are not filterable.  The easiest "fix"
> would make the filtering slower...

That would be a bug. I have previously filtered on various fields and this
has still picked up fields in protocols encapsulated inside ICMP.
Maybe someone has changed something?
>
> 2. checksum calculations
>     The IP checksum was being marked as incorrect, while it was correct
> in the original packet.  I don't think ICMP modifies the header... I
> don't know exactly where the problem is, but have not dug down for it
> either.

Is the entire original packet encapsulated in the ICMP packet?
More than likely, your ICMP packet only contains the first few bytes of the
offending IP packet and not the full IP packet. That is why the checksum is
incorrect.
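
Added example, not part of the original thread and not Ethereal code: a Python sketch that reports which checks can still be run on the datagram quoted inside an ICMP error. It builds a constructed sample packet (documentation addresses, made-up ports), quotes its first 28 bytes (IP header plus 64 bits of data, as RFC 792 describes), and checks the ICMP checksum, the quoted IPv4 header checksum, and whether enough bytes are present for any check that spans the whole datagram. All function names are hypothetical.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4_udp(payload_len: int) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header + UDP header + zero payload."""
    total = 20 + 8 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0, 64, 17, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    udp = struct.pack("!HHHH", 40000, 53, 8 + payload_len, 0)
    return hdr + udp + bytes(payload_len)

def build_icmp_unreachable(original: bytes, quoted: int = 28) -> bytes:
    """ICMP type 3 code 3 quoting only the first `quoted` bytes of `original`."""
    body = bytes(4) + original[:quoted]          # 4 unused bytes, then the quote
    csum = inet_checksum(struct.pack("!BBH", 3, 3, 0) + body)
    return struct.pack("!BBH", 3, 3, csum) + body

def inspect_quote(icmp: bytes) -> dict:
    """Report what can still be verified on the packet quoted in an ICMP error."""
    quote = icmp[8:]
    if len(quote) < 20 or quote[0] >> 4 != 4:
        raise ValueError("no IPv4 header in ICMP payload")
    ihl = (quote[0] & 0x0F) * 4
    if ihl < 20 or len(quote) < ihl:
        raise ValueError("quoted IPv4 header is itself cut short")
    total_len = struct.unpack("!H", quote[2:4])[0]
    return {
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "ip_header_checksum_ok": inet_checksum(quote[:ihl]) == 0,
        "quoted_bytes": len(quote),
        "original_length": total_len,
        # Anything computed over the full datagram needs every byte of it.
        "payload_checks_possible": len(quote) >= total_len,
    }

if __name__ == "__main__":
    print(inspect_quote(build_icmp_unreachable(build_ipv4_udp(100))))
```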