Wireshark mailing list archives
Re: finding a missing ICMP Echo Reply
From: Martin Isaksson <martin.isaksson () ericsson com>
Date: Fri, 5 Oct 2012 18:08:01 +0200
Hi Stuart,

First I should say I am using Wireshark Version 1.8.2 (SVN Rev 44520 from /trunk-1.8).

I took an old capture file with ICMP pings, deleted one reply with frame.number != X and saved. Then I used the filter below, and the only packet listed was the lone request.

icmp.resp_in seems only to be present in frames that Wireshark can find the response to. The same for icmp.resp_to in the replies.

!(icmp.resp_in or icmp.resp_to) should be equivalent.

The filter suggested by Gerald works for me as well, and I like it more than mine :)

Kind regards,
Martin

-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Gerald Combs
Sent: den 5 oktober 2012 12:03
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] finding a missing ICMP Echo Reply

Can you try "(icmp.type == 8) && !icmp.resp_in"? That should show any request without a matching response.

On 10/5/12 8:35 AM, Stuart Kendrick wrote:
I'm stumbling on this.

Filtering on icmp.resp_in shows me all the Requests
Filtering on icmp.resp_to shows me all the Replies
Filtering on !icmp.resp_in shows me everything
Filtering on !icmp.resp_to shows me everything
Filtering on "!icmp.resp_in and !icmp_resp_to" shows me everything

Reading the description of these expressions ... I don't understand what they do:

icmp_resp_in - Response In (the response to this request is in this frame)
How can an ICMP Request and an ICMP Reply share the same frame?

icmp_resp_to = Response To (This is the response to the request in this frame)
How do I specify which request?

Would you elaborate?

--sk

On 10/5/2012 8:22 AM, Martin Isaksson wrote:

Hi Stuart!

!icmp.resp_in and !icmp.resp_to

There might be an easier way :)

/M

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
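The request/reply pairing that the filters in this message depend on, as an added example that is not part of the original thread and is not Wireshark's code. It assumes echoes are paired on addresses, identifier and sequence number; the function names and the sample frames are constructed for illustration.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0

def icmp_echo(icmp_type, ident, seq, payload=b"constructed"):
    """Build an ICMP echo message (checksum left at 0; unused for pairing)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def pair_echoes(frames):
    """frames: list of (frame_number, src, dst, icmp_bytes).
    Returns (resp_in, resp_to): request frame -> reply frame, and the reverse."""
    pending, resp_in, resp_to = {}, {}, {}
    for number, src, dst, data in frames:
        if len(data) < 8:
            continue  # truncated ICMP header, nothing to pair
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", data[:8])
        if icmp_type == ECHO_REQUEST:
            pending[(src, dst, ident, seq)] = number
        elif icmp_type == ECHO_REPLY:
            # A reply travels the other way, so look it up with swapped addresses.
            request = pending.pop((dst, src, ident, seq), None)
            if request is not None:
                resp_in[request] = number   # set on the request frame
                resp_to[number] = request   # set on the reply frame
    return resp_in, resp_to

def unanswered_requests(frames):
    """Counterpart of '(icmp.type == 8) && !icmp.resp_in'."""
    resp_in, _ = pair_echoes(frames)
    return [n for n, _s, _d, data in frames
            if len(data) >= 8 and data[0] == ECHO_REQUEST and n not in resp_in]

def unpaired_frames(frames):
    """Counterpart of '!(icmp.resp_in or icmp.resp_to)'."""
    resp_in, resp_to = pair_echoes(frames)
    return [n for n, *_ in frames if n not in resp_in and n not in resp_to]

# Constructed capture: the reply to sequence 2 has been deleted.
A, B = "192.0.2.1", "192.0.2.2"
SAMPLE = [
    (1, A, B, icmp_echo(ECHO_REQUEST, 0x1234, 1)),
    (2, B, A, icmp_echo(ECHO_REPLY, 0x1234, 1)),
    (3, A, B, icmp_echo(ECHO_REQUEST, 0x1234, 2)),
    (4, A, B, icmp_echo(ECHO_REQUEST, 0x1234, 3)),
    (5, B, A, icmp_echo(ECHO_REPLY, 0x1234, 3)),
]

if __name__ == "__main__":
    print(pair_echoes(SAMPLE), unanswered_requests(SAMPLE), unpaired_frames(SAMPLE))
```

On this capture both functions report only frame 3. They differ when a reply has no request in the capture: the second also lists that reply, the first does not.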
Current thread:
- finding a missing ICMP Echo Reply Stuart Kendrick (Oct 05)
- Re: finding a missing ICMP Echo Reply Martin Isaksson (Oct 05)
- Re: finding a missing ICMP Echo Reply Stuart Kendrick (Oct 05)
- Re: finding a missing ICMP Echo Reply Gerald Combs (Oct 05)
- Re: finding a missing ICMP Echo Reply Martin Isaksson (Oct 05)
- Re: finding a missing ICMP Echo Reply Stuart Kendrick (Oct 05)
- Re: finding a missing ICMP Echo Reply ronnie sahlberg (Oct 05)
- Re: finding a missing ICMP Echo Reply ronnie sahlberg (Oct 06)
- Re: finding a missing ICMP Echo Reply Stuart Kendrick (Oct 08)
- Re: finding a missing ICMP Echo Reply Stuart Kendrick (Oct 05)
- Re: finding a missing ICMP Echo Reply Martin Isaksson (Oct 05)