Wireshark-bugs: [Wireshark-bugs] [Bug 11965] ICMP error messages wrongly filtered on IP source a

Date: Wed, 06 Jan 2016 16:04:38 +0000

Comment # 9 on bug 11965 from
(In reply to Erwin Van de Velde from comment #8)
> That would also filter out ICMP errors originating from 10.16.10.176 in
> reply to an incoming packet. ICMP error 11 (TTL exceeded) causes the same
> issue too btw and who knows what other protocols might cause it, e.g. IP in
> IP etc? I do not think this is the proper way to do it.
> 
> It would be so much easier if I could tell the filter 'source IP address of
> outer header' and other things like that.

I don't disagree that it would be easier and I've proposed enhancing Wireshark
to allow an "occurrence" indicator like tshark allows, but to date nobody has
had the time/desire to implement the idea.

I've just given you a work-around example so that you can filter out the 1 case
from the capture file you posted.  If you don't care about any ICMP packets,
regardless of type, then you could use the simpler filter:

    (ip.src="" and !icmp

If you also want ICMP packets originating from 10.16.10.176, then maybe the
following will suffice for now:

    (ip.src="" and !(ip.dst==10.16.10.176)


You are receiving this mail because:
  • You are watching all bug changes.