Wireshark mailing list archives

Re: About filter "udp && !icmp"
From: Guy Harris <guy () alum mit edu>
Date: Tue, 16 Apr 2013 15:37:33 -0700

On Apr 16, 2013, at 3:28 PM, delarge <charlie () linuxers cl> wrote:

> I'm a new user of Wireshark and I'm capturing UDP traffic. At first I used the "udp" filter, but some
> undesirable ICMP packets appeared, so after googling I found the "udp && !icmp" filter to avoid capturing ICMP packets.
>
> It's all right till here, but when I export the capture as plain text, the ICMP packets appear again. It seems like the
> filter just works in the main screen of Wireshark. What can I do to capture just UDP traffic?

Use the filter "udp", and use it as a *capture* filter (when starting the capture with Capture -> Options) rather than 
as a *display* filter (in the main screen).

"udp && !icmp" is used as a *display* filter to handle the fact that some ICMP packets contain a partial or complete 
copy of the packet for which they're reporting a problem, so they might contain UDP packets.  For *capture* filters, 
only the outermost packet layer is tested, so "udp" matches only UDP packets, not ICMP packets that happen to contain a 
copy of a UDP packet.
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
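
The difference between the two filter types described in the message above, as an added example that is not part of the original post. It models IPv4 only; the function names and the sample packets are constructed for illustration and are not Wireshark or libpcap code.

```python
import struct

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
# ICMP error types that carry a copy of the offending datagram's
# IP header plus at least the first 8 bytes of its payload.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def ipv4(proto, payload, src="192.0.2.1", dst="192.0.2.2"):
    """Build a minimal IPv4 packet (constructed sample; checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload

def layers(pkt):
    """Protocols a full dissector would see, outermost first."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, payload = pkt[9], pkt[ihl:]
    if proto == IPPROTO_UDP:
        return ["ip", "udp"]
    if proto == IPPROTO_ICMP:
        found = ["ip", "icmp"]
        # ICMP errors embed the original datagram after the 8-byte ICMP header.
        if payload and payload[0] in ICMP_ERROR_TYPES and len(payload) >= 28:
            found += layers(payload[8:])
        return found
    return ["ip"]

def capture_filter_udp(pkt):
    """Capture-filter semantics: only the outermost IP protocol is tested."""
    return pkt[9] == IPPROTO_UDP

def display_filter_udp(pkt):
    """Display filter "udp": true if any dissected layer is UDP."""
    return "udp" in layers(pkt)

def display_filter_udp_not_icmp(pkt):
    """Display filter "udp && !icmp": UDP present and no ICMP layer."""
    found = layers(pkt)
    return "udp" in found and "icmp" not in found

# Constructed samples: a UDP datagram, and the ICMP port-unreachable
# (type 3, code 3) that quotes its IP header and 8-byte UDP header.
UDP_PKT = ipv4(IPPROTO_UDP, struct.pack("!HHHH", 40000, 53, 12, 0) + b"test")
ICMP_ERR = ipv4(IPPROTO_ICMP, struct.pack("!BBHI", 3, 3, 0, 0) + UDP_PKT[:28],
                src="192.0.2.2", dst="192.0.2.1")
```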
