I disagree with the notion that when filtering for UDP, if it didn't
display ICMP packets that come back, Ethereal would be broken. The
headers inside the ICMP message are effectively its payload - it's
still an ICMP packet, not UDP (or whatever). The frame does not contain
UDP datagrams (or whatever other protocol caused the ICMP message). And
it's presumptuous of the program (dare I say the devs?) to presume that
you must surely want to see the ICMP messages when what your display
filter asks for is only the original message packets.

The argument that you can use "udp and not icmp" to only see the
original UDP seems backwards to me. You should be able to use "udp" to
see only the UDP, and "udp and icmp" when you want to see both. Surely
that is more intuitive.

That said, I think using the UDP (or whatever) dissector to decode the
header data included in the ICMP messages is brilliant :-)

Bob S.

ronnie sahlberg wrote:

That is what is supposed to happen.

Rationale:
You asked for all packets containing the UDP protocol and you got them.
An analyzer that filtered for UDP and did not show these packets
to you would be broken. Ethereal is not broken in this regard.

On Sun, 20 Mar 2005 12:14:27 -0800, Bob Snyder <bob.snyder@xxxxxxx> wrote:

Why are ICMP packets displayed when a display filter is used that should
exclude them?

For example, when running a traceroute, and with a display filter of
"udp", in addition to the outbound UDP datagrams, the ICMP messages
returned from each router are displayed as well. I know that the ICMP
datagrams include the headers of the datagrams that are being reported
on, but apparently their presence allows them to pass through the
display filter. Is this behavior intentional? If so, what is the rationale?

Bob Snyder
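
The filter behaviour debated in this thread, as an added example that is not part of the original messages and is not Ethereal's code: a small Python model that dissects a constructed traceroute probe and its ICMP Time Exceeded reply, then evaluates "udp" under the contains-anywhere semantics and under a hypothetical outer-layers-only rule. The addresses, ports and the names `dissect`, `match_contains` and `match_outer` are assumptions made for the illustration.

```python
import struct

ICMP_ERRORS = {3, 4, 5, 11, 12}  # ICMP types that quote the offending datagram

def ipv4(proto, payload, src, dst, ttl=64):
    """Minimal IPv4 header (no options, checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0)
    return hdr + bytes(src) + bytes(dst) + payload

def dissect(pkt):
    """List protocols in dissection order, following headers quoted in ICMP errors."""
    layers = []
    while len(pkt) >= 20 and pkt[0] >> 4 == 4:
        layers.append("ip")
        proto, pkt = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
        if proto == 17 and len(pkt) >= 8:
            layers.append("udp")
            break
        elif proto == 1 and len(pkt) >= 8:
            layers.append("icmp")
            if pkt[0] not in ICMP_ERRORS:
                break
            pkt = pkt[8:]  # skip the ICMP header; the quoted datagram follows
        else:
            break
    return layers

def match_contains(layers, proto):
    """Semantics described in the thread: true if proto appears anywhere in the frame."""
    return proto in layers

def match_outer(layers, proto):
    """Hypothetical alternative: ignore anything quoted inside an ICMP message."""
    outer = layers[:layers.index("icmp") + 1] if "icmp" in layers else layers
    return proto in outer

# Constructed sample: a traceroute UDP probe (TTL 1) and the router's Time Exceeded reply
HOST, ROUTER, TARGET = (192, 0, 2, 10), (192, 0, 2, 1), (198, 51, 100, 7)
PROBE = ipv4(17, struct.pack("!HHHH", 40000, 33434, 8, 0), HOST, TARGET, ttl=1)
REPLY = ipv4(1, struct.pack("!BBHI", 11, 0, 0, 0) + PROBE[:28], ROUTER, HOST)

if __name__ == "__main__":
    for name, pkt in (("probe", PROBE), ("reply", REPLY)):
        layers = dissect(pkt)
        udp, icmp = match_contains(layers, "udp"), match_contains(layers, "icmp")
        print(name, layers, "| udp:", udp, "| udp and not icmp:", udp and not icmp,
              "| outer-only udp:", match_outer(layers, "udp"))
```

The reply frame dissects as ip, icmp, ip, udp, which is why a plain "udp" filter shows it and "udp and not icmp" hides it.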