
In Wireshark, if I want to write a filter which accepts only ICMP destination unreachable (type 3) messages, the filter is icmp[0] == 3.

How do I count the packet offset of 0 in this instance?

EDIT

[image from Wikipedia]

Based on the above image from Wikipedia, the ICMP type is under bits 0-7. Therefore it is the first byte and therefore 0?

iridescent

2 Answers


Your filter is correct; icmp[0] indeed matches the first byte of the ICMP header, which contains the type. However, I find it hard to read; you should use icmp.type eq 3 instead. This is also much easier when the field is longer than one byte.

Here is the display field reference for ICMP.

bytesinflight
  • He might be trying to write a *capture* filter; [the syntax for them is more limited](http://www.tcpdump.org/manpages/pcap-filter.7.html). – Feb 09 '14 at 20:01
  • Agree, didn't even consider that... my bad. I like the new syntax, nice answer! – bytesinflight Feb 09 '14 at 20:23

I assume you're trying to write a capture filter rather than a display filter; if you're trying to write a display filter, Martin Isaksson is correct, you should do icmp.type == 3.

Yes, 0 is the offset within the ICMP packet.

In newer versions of libpcap, the syntax supports some more convenient ways of writing the filter, namely icmp[icmptype] == icmp-unreach. WinPcap is based on a version of libpcap with that syntax, so it supports it as well.

It is arguably a bug that Wireshark doesn't let you say something similar, namely

icmp.type == "Destination unreachable"

in a display filter. I'll look at fixing that.
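As an added illustration of the point made in both answers (not code from either poster), the following Python builds a constructed IPv4 packet carrying an ICMP message and evaluates icmp[0] == 3 the way a capture filter does: the index is counted from the start of the ICMP header, which itself sits after an IP header of variable length (IHL * 4 bytes), so icmp[0] is not byte 0 of the packet. The builder and helper names are this example's own.

```python
import struct

def build_ipv4_icmp(icmp_type: int, icmp_code: int, ip_options: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 header (+ optional options) followed by an
    ICMP header. ip_options lets the IP header grow beyond the usual 20 bytes."""
    assert len(ip_options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(ip_options) // 4           # IP header length in 32-bit words
    rest_of_header = b"\x00" * 4             # unused for this demo
    icmp = struct.pack("!BBH", icmp_type, icmp_code, 0) + rest_of_header  # checksum 0
    total_len = ihl * 4 + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl,     # version 4, IHL
                         0, total_len, 0, 0, # TOS, total length, id, flags/fragment
                         64, 1, 0,           # TTL, protocol 1 = ICMP, checksum 0
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + ip_options + icmp

def icmp_offset(pkt: bytes) -> int:
    """Byte offset of the ICMP header within the IP packet: IHL * 4."""
    if pkt[0] >> 4 != 4:
        raise ValueError("only IPv4 is handled in this example")
    if pkt[9] != 1:                          # IP protocol field
        raise ValueError("not an ICMP packet")
    return (pkt[0] & 0x0F) * 4

def icmp_byte(pkt: bytes, index: int) -> int:
    """Equivalent of the capture-filter expression icmp[index]."""
    return pkt[icmp_offset(pkt) + index]

def matches_dest_unreachable(pkt: bytes) -> bool:
    """icmp[0] == 3: the first byte of the ICMP header is the Type field."""
    return icmp_byte(pkt, 0) == 3

if __name__ == "__main__":
    pkt = build_ipv4_icmp(3, 3)              # Destination Unreachable, port unreachable
    print("ICMP header starts at packet byte", icmp_offset(pkt))
    print("icmp[0] == 3 ->", matches_dest_unreachable(pkt))
```

With IP options present the ICMP header moves to offset 24, but icmp[0] still reads the Type field, which is why the filter is written relative to the protocol header rather than to an absolute packet offset.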