It's an interesting argument. I wouldn't expect the payload of an ICMP
packet to matter. UDP is usually encapsulated in an IP datagram,
therefore I wouldn't expect the parser to "see" the UDP inside of an
ICMP message and decode it as such.
But I guess I can't fault the other rationale, either. :)

LEGO wrote:
The rationale is pretty straightforward: there's udp in the frame so it
matches "udp".
What you might want to do is filter with "udp and not icmp".

On Sun, 20 Mar 2005 12:14:27 -0800, Bob Snyder <bob.snyder@xxxxxxx> wrote:
Why are ICMP packets displayed when a display filter is used that should
exclude them?
For example, when running a traceroute, and with a display filter of
"udp", in addition to the outbound UDP datagrams, the ICMP messages
returned from each router are displayed as well. I know that the ICMP
datagrams include the headers of the datagrams that are being reported
on, but apparently their presence allows them to pass through the
display filter. Is this behavior intentional? If so, what is the rationale?
Bob Snyder
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
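
The behaviour discussed in this thread, modelled as an added example that is not part of the original messages and is not Ethereal's code: a simplified dissector that keeps walking into the datagram quoted inside an ICMP error, so a layer-presence filter of "udp" matches the router's reply as well as the probe. The function names, addresses and ports are assumptions, and both packets are constructed.

```python
import struct

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # ICMP types that quote the offending datagram

def ipv4(proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                       proto, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 7])) + payload

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def icmp_time_exceeded(original_datagram):
    # type 11, code 0, checksum 0, 4 unused bytes, then quoted IP header + 8 bytes
    return struct.pack("!BBHI", 11, 0, 0, 0) + original_datagram[:28]

def layers(packet):
    """Protocol names found in the frame, including those quoted in ICMP errors."""
    found = []
    while len(packet) >= 20 and packet[0] >> 4 == 4:
        ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
        found.append("ip")
        packet = packet[ihl:]
        if ihl < 20 or len(packet) < 8:
            break
        if proto == 17:
            found.append("udp")
            break
        if proto != 1:
            break
        found.append("icmp")
        if packet[0] not in ICMP_ERROR_TYPES:
            break
        packet = packet[8:]  # skip the ICMP header, keep walking the quoted datagram
    return found

def display_filter(expr, packet):
    """Evaluate the two filters from the thread against the packet's layer list."""
    present = layers(packet)
    if expr == "udp":
        return "udp" in present
    if expr == "udp and not icmp":
        return "udp" in present and "icmp" not in present
    raise ValueError("unsupported filter: " + expr)

PROBE = ipv4(17, udp(40000, 33434, b"\x00" * 12), ttl=1)  # constructed traceroute probe
REPLY = ipv4(1, icmp_time_exceeded(PROBE))                # constructed router reply
```
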