Wireshark-users: Re: [Wireshark-users] filter for snmp doesn't work (also shows ICMP???)

From: "Jim Young" <SYSJHY@xxxxxxxxxxxxxxx>
Date: Wed, 05 Mar 2008 12:39:10 -0500
Hello Leo,

>>> <leonardo.lagos@xxxxxxxxxxxxxxxxxxxxxxx> 03/05/08 12:07 PM >>>
> Hi,
> 
> I have a capture file where I have added the following filter:
> 
> ip.proto==0x11 and udp.port==162
> 
> This filter works, and shows my SNMP traps, but also shows an ICMP 
> packet.. However, ip.proto for ICMP is 0x01, not 0x11....

What kind of ICMP packet is it?   Is it an ICMP error packet of some sort?

I'm guessing that the Info column displays something like the 

  "Destination unreachable (Port unreachable)" 

or some other type of ICMP error message.  

If that's the case, if you drill into the ICMP packet you will find the first 
part of an SNMP packet.   Wireshark's display filter captured this packet 
because the ICMP dissector knows enough to hand off the payload of
these error packets for further dissection! ;-)

If you really do NOT want to see these ICMP packets then you could 
append a "and !snmp" to your filter.

But I wouldn't necessarily do that...

Interestingly it is the PRESENCE of these unexpected ICMP packets 
that often directs one to the underlying problem! (I'm assuming that
you are sniffing these packets to diagnose some problem).

This type of ICMP error message is often generated by a router (or host) 
because of ACL restrictions or perhaps the service that the packet
was trying to reach is not in fact up (Port unreachable).   Pay particular
attention to the IP address that generated the ICMP packet.  

I hope this helps,

Jim Young
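To make the mechanism Jim describes concrete, the following is an added example, not part of the thread and not Wireshark code. It builds two constructed packets (an SNMP trap to UDP port 162 and an ICMP "Destination unreachable / Port unreachable" that quotes that trap's IP header plus 8 bytes, as RFC 792 specifies), then runs a deliberately simplified model of Wireshark's dissection: the ICMP dissector hands the quoted datagram back to the IP dissector, so the frame ends up with two `ip.proto` values (1 and 0x11) and a `udp.port` of 162. A display-filter comparison such as `udp.port==162` is true when any occurrence of the field matches, which is why the user's filter hits the ICMP error too. The addresses, ports and the two-byte placeholder SNMP payload are all made up for the demonstration, and the "snmp" heuristic (port 162 with a non-empty UDP payload) is an assumption of this model, not the real dissector's logic.

```python
import socket
import struct


def ipv4_checksum(data: bytes) -> int:
    """Standard one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum (constructed, no options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_snmp_trap(src: str, dst: str, sport: int, payload: bytes) -> bytes:
    """Constructed UDP datagram to port 162; the payload is a placeholder, not real SNMP."""
    udp = struct.pack("!HHHH", sport, 162, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, 17, len(udp)) + udp


def build_port_unreachable(router: str, dst: str, original: bytes) -> bytes:
    """ICMP type 3 code 3 from `router`, quoting the original IP header + first 8 payload bytes."""
    quoted = original[:28]
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", ipv4_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, dst, 1, len(icmp)) + icmp


def dissect(pkt: bytes) -> dict:
    """Toy model of Wireshark's protocol tree: every field occurrence is recorded, and the
    ICMP dissector re-enters the IP dissector on the quoted datagram of error messages."""
    tree = {"protocols": []}

    def add(name, value):
        tree.setdefault(name, []).append(value)

    def parse_ip(buf: bytes):
        ihl = (buf[0] & 0x0F) * 4
        proto = buf[9]
        tree["protocols"].append("ip")
        add("ip.src", socket.inet_ntoa(buf[12:16]))
        add("ip.dst", socket.inet_ntoa(buf[16:20]))
        add("ip.proto", proto)
        rest = buf[ihl:]
        if proto == 17 and len(rest) >= 8:
            sport, dport, _ulen, _csum = struct.unpack("!HHHH", rest[:8])
            tree["protocols"].append("udp")
            add("udp.srcport", sport)
            add("udp.dstport", dport)
            add("udp.port", sport)   # udp.port matches either direction, like Wireshark
            add("udp.port", dport)
            if 162 in (sport, dport) and len(rest) > 8:   # assumption: port 162 + payload => SNMP
                tree["protocols"].append("snmp")
        elif proto == 1 and len(rest) >= 8:
            icmp_type, code = rest[0], rest[1]
            tree["protocols"].append("icmp")
            add("icmp.type", icmp_type)
            add("icmp.code", code)
            # Error types (3, 4, 5, 11, 12) carry the offending datagram after the 8-byte header
            if icmp_type in (3, 4, 5, 11, 12) and len(rest) >= 28:
                parse_ip(rest[8:])

    parse_ip(pkt)
    return tree


def matches_user_filter(tree: dict, exclude_icmp: bool = False) -> bool:
    """'ip.proto==0x11 and udp.port==162', optionally with 'and !icmp' appended.
    A comparison is true if ANY occurrence of the field in the frame matches."""
    if exclude_icmp and "icmp" in tree["protocols"]:
        return False
    return 0x11 in tree.get("ip.proto", []) and 162 in tree.get("udp.port", [])


# Constructed sample traffic: agent 10.0.0.5 sends a trap to manager 10.0.0.9,
# and router 10.0.0.1 answers with Port unreachable quoting that trap.
TRAP = build_snmp_trap("10.0.0.5", "10.0.0.9", 40001, b"\x30\x00")
ERROR = build_port_unreachable("10.0.0.1", "10.0.0.5", TRAP)

if __name__ == "__main__":
    for name, pkt in (("trap", TRAP), ("icmp error", ERROR)):
        t = dissect(pkt)
        print(name, t["protocols"], "ip.proto=", t["ip.proto"], "ip.src=", t["ip.src"])
        print("  matches filter:", matches_user_filter(t),
              "| with 'and !icmp':", matches_user_filter(t, exclude_icmp=True))
```

Running it shows the ICMP frame carrying `ip.proto` values `[1, 17]` and an outer `ip.src` of the router, which is exactly the address Jim says to look at; the inner `ip.src`/`ip.dst` identify the original trap that was rejected.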