Wireshark-users: Re: [Wireshark-users] filter for snmp doesn't work (also shows ICMP???)

From: Sake Blok <sake@xxxxxxxxxx>
Date: Wed, 5 Mar 2008 18:29:12 +0100
On Wed, Mar 05, 2008 at 11:07:36AM -0600, leonardo.lagos@xxxxxxxxxxxxxxxxxxxxxxx wrote:
> Hi,
> 
> I have a capture file where I have added the following filter:
> 
> ip.proto==0x11 and udp.port==162

Actually, the filter udp.port==162 implies that the packet needs to
contain udp traffic (i.e. ip.proto==0x11). So the filter udp.port==162
would have given you the same results.

> This filter works, and show my SNMP traps, but also shows an ICMP 
> packet.. However, ip.proto for ICMP is 0x01, not 0x11....

If a udp message is sent to a host that does not listen on the 
specific udp port, an "icmp destination port unreachable" message
is sent back to the src-ip of the udp message. This message will
have the first part of the ip header and payload as the icmp
payload.

Wireshark dissects the icmp payload as IP in these cases so that 
its users can easily see which traffic has hit a closed port.
As the filter ip.proto==0x11 means "Show me all packets in which
there is an ip header containing the value 0x11 in protocol", the
payload in the icmp port unreachable message will match the filter.

If you don't want these icmp messages to appear after applying a
filter, you could filter like this:

"udp.port==162 and not icmp"

Hope this helps,
Cheers,
     Sake
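As an added illustration of the behaviour described in this reply (this is example code, not part of the original thread or of Wireshark itself): the script below builds a UDP datagram to port 162, builds the ICMP "destination port unreachable" (type 3, code 3) reply that a non-listening host sends back, which per RFC 792 quotes the original IPv4 header plus the first 8 bytes of its payload, and then runs a deliberately simplified model of Wireshark's dissection over both packets. The model follows Wireshark in dissecting the quoted datagram inside the ICMP error as IP again, so the inner header contributes ip.proto and udp.port values to the packet's field set, and a filter such as ip.proto==0x11 and udp.port==162 matches the ICMP packet as well. Adding "and not icmp" drops it. All packets and addresses here are constructed; the dissector and filter functions are an assumption-laden approximation of Wireshark's matching semantics ("field==value" is true if any instance of the field equals the value), not Wireshark's code.

```python
import struct

IPPROTO_ICMP = 1
IPPROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    saddr = bytes(int(o) for o in src.split("."))
    daddr = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                      0x1234, 0, 64, proto, 0, saddr, daddr)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_udp_packet(src, dst, sport, dport, payload: bytes) -> bytes:
    # UDP checksum left at zero (allowed over IPv4: "not computed").
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def build_port_unreachable(original: bytes) -> bytes:
    """ICMP type 3 code 3 sent back to the original sender, quoting the
    original IPv4 header plus the first 8 bytes of its payload (RFC 792)."""
    ihl = (original[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + original[:ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    orig_src = ".".join(str(b) for b in original[12:16])
    orig_dst = ".".join(str(b) for b in original[16:20])
    return ipv4_header(orig_dst, orig_src, IPPROTO_ICMP, len(icmp)) + icmp


def dissect(packet: bytes) -> list:
    """Simplified model (assumption) of Wireshark's dissection: a list of
    (layer, fields) in order. The datagram quoted inside an ICMP error is
    dissected as IP again, so its ip.proto / udp.port values are present."""
    layers = []

    def parse_ip(buf: bytes) -> None:
        ihl, proto = (buf[0] & 0x0F) * 4, buf[9]
        layers.append(("ip", {"proto": proto,
                              "src": ".".join(str(b) for b in buf[12:16]),
                              "dst": ".".join(str(b) for b in buf[16:20])}))
        rest = buf[ihl:]
        if proto == IPPROTO_UDP and len(rest) >= 8:
            sport, dport = struct.unpack("!HH", rest[:4])
            layers.append(("udp", {"srcport": sport, "dstport": dport}))
        elif proto == IPPROTO_ICMP and len(rest) >= 8:
            layers.append(("icmp", {"type": rest[0], "code": rest[1]}))
            if rest[0] == 3 and len(rest) >= 8 + 20:
                parse_ip(rest[8:])  # the quoted original datagram

    parse_ip(packet)
    return layers


def field_eq(layers, name, field, value) -> bool:
    # Wireshark semantics: true if ANY instance of the field has that value.
    return any(l == name and f.get(field) == value for l, f in layers)


def udp_port_162(layers) -> bool:
    """udp.port==162 matches either the source or the destination port."""
    return (field_eq(layers, "udp", "srcport", 162)
            or field_eq(layers, "udp", "dstport", 162))


def filter_naive(packet: bytes) -> bool:
    """'ip.proto==0x11 and udp.port==162' as posted in the question."""
    layers = dissect(packet)
    return field_eq(layers, "ip", "proto", 0x11) and udp_port_162(layers)


def filter_fixed(packet: bytes) -> bool:
    """'udp.port==162 and not icmp' as suggested in the reply."""
    layers = dissect(packet)
    return udp_port_162(layers) and not any(l == "icmp" for l, _ in layers)


# Constructed sample traffic: a trap-shaped datagram to a host that is not
# listening on udp/162, and the ICMP error that host sends back.
TRAP = build_udp_packet("10.0.0.1", "10.0.0.2", 40000, 162, b"\x30\x00")
UNREACHABLE = build_port_unreachable(TRAP)

if __name__ == "__main__":
    for name, pkt in (("udp trap", TRAP), ("icmp reply", UNREACHABLE)):
        print(name, [l for l, _ in dissect(pkt)],
              "naive:", filter_naive(pkt), "fixed:", filter_fixed(pkt))
```

Running it shows the ICMP reply dissected as ip, icmp, ip, udp: the naive filter matches both packets because the inner, quoted header carries protocol 0x11 and port 162, while the corrected filter matches only the real UDP trap. The same effect applies to any filter on inner-header fields (ip.src, ip.dst, udp.dstport), so when you only want the original datagrams, exclude icmp explicitly or, if you want to inspect the errors, filter on icmp.type==3 and icmp.code==3 instead.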