Wireshark-users: Re: [Wireshark-users] problem with display filter

From: "Jim Young" <SYSJHY@xxxxxxxxxxxxxxx>
Date: Thu, 16 Nov 2006 11:46:35 -0500
Hello Benoit,

>>> "Benoit Lanteigne" <lanteib@xxxxxxxxxxx> 11/16/06 10:42 AM >>>
> Hi everyone,
> 
> I am a new user of wireshark and I have a problem.  I have a file
> containing 15 minutes of captured traffic.  I am trying to use a
display
> filter to filter the source IP like this ip.src == 10.10.0.104.  In
most
> case this works fine, but for some IP it does not.  For instance, if
I
> use ip.src == 10.10.0.108 I would suppose that only packets with
> 10.10:.0.108 as source should be displayed but I also get packets
with
> source IP like 10.10.4.1 and 207.102.162.1.
> 
> If anyone have an idea what is happening, please let me know.  Thank
> you in advance.

Since the unexpected "Source" IP addresses you have 
seen have ".1" as the rightmost IP address component, 
and since ".1" addresses are often used in router 
addresses, I'm guessing that you are seeing ICMP error 
packets.

For example an ICMP error packet from a router will include 
the beginning of the packet that triggered the error.  Since 
Wireshark knows that ICMP error packets contain the 1st 
part of another packet it will attempt to dissect the ICMP 
payload.  Although the ICMP error packet originated from 
one host (which is what you will see in the "Source" column, 
the ICMP payload could contain a packet that originated 
from the host you are filtering for.  This would match your 
filter in a subtle but very powerful way!

But this trace wouldn't by chance contain data with some 
type of encapsulated payload?

If it's not an ICMP error, an expansion the ethernet frame 
will show you if you have some sort of tunneling going on
(look at the [Protocols in frame: eth:...] entry in the packet
details view).

You will see similar non-obvious matching behavior if your 
traces have packets from the various tunneling protocols 
such as GRE (Generic Router Encapsulation).  

I hope this helps,

Jim Young