On Apr 16, 2013, at 3:28 PM, delarge <charlie@xxxxxxxxxxx> wrote:
> I'm a new user of Wireshark and I'm capturing UDP traffic. At first I used the "udp" filter, but some undesirable ICMP packets appeared, so after googling I found the "udp && !icmp" filter to avoid capturing ICMP packets.
>
> It's all right till here, but when I export the capture as plain text, the ICMP packets appear again. Seems like the filter just works in the main screen of Wireshark. What can I do to capture just UDP traffic?
Use the filter "udp", and use it as a *capture* filter (when starting the capture with Capture -> Options) rather than as a *display* filter (in the main screen).
"udp && !icmp" is used as a *display* filter to handle the fact that some ICMP packets contain a partial or complete copy of the packet for which they're reporting a problem, so they might contain UDP packets. For *capture* filters, only the outermost packet layer is tested, so "udp" matches only UDP packets, not ICMP packets that happen to contain a copy of a UDP packet.
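
The difference described above, as an added example that is not part of the original message and is not Wireshark or libpcap code: a simplified IPv4-only model in which the capture-filter check looks only at the outermost protocol field, while the display-filter check sees every dissected layer, including the UDP header copied into an ICMP error. The function names and the sample packets are constructed for illustration.

```python
import struct

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # ICMP errors that quote the offending datagram

def ipv4(proto, payload):
    """Minimal IPv4 header (no options, checksum left at 0) followed by payload."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def icmp_port_unreachable(original_ip_packet):
    # Type 3, code 3, then the original IP header plus its first 8 payload bytes
    return struct.pack("!BBHI", 3, 3, 0, 0) + original_ip_packet[:28]

def layers(pkt):
    """IP protocol numbers, outermost first, descending into ICMP error payloads."""
    found = []
    while len(pkt) >= 20:
        ihl = (pkt[0] & 0x0F) * 4
        found.append(pkt[9])
        body = pkt[ihl:]
        if pkt[9] == IPPROTO_ICMP and len(body) >= 8 and body[0] in ICMP_ERROR_TYPES:
            pkt = body[8:]  # the quoted datagram starts after the 8-byte ICMP header
        else:
            break
    return found

def capture_filter_udp(pkt):
    # Capture filter "udp": only the outermost layer is tested
    return layers(pkt)[:1] == [IPPROTO_UDP]

def display_filter_udp(pkt):
    # Display filter "udp": true if UDP appears at any layer
    return IPPROTO_UDP in layers(pkt)

def display_filter_udp_not_icmp(pkt):
    found = layers(pkt)
    return IPPROTO_UDP in found and IPPROTO_ICMP not in found

# Constructed sample packets: a UDP datagram and the ICMP error reporting it
UDP_PKT = ipv4(IPPROTO_UDP, udp(5000, 53, b"query"))
ICMP_ERR = ipv4(IPPROTO_ICMP, icmp_port_unreachable(UDP_PKT))

if __name__ == "__main__":
    for name, pkt in (("UDP", UDP_PKT), ("ICMP error", ICMP_ERR)):
        print(name, capture_filter_udp(pkt), display_filter_udp(pkt), display_filter_udp_not_icmp(pkt))
```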