Hello Benoit,
>>> "Benoit Lanteigne" <lanteib@xxxxxxxxxxx> 11/16/06 10:42 AM >>>
> Hi everyone,
>
> I am a new user of wireshark and I have a problem. I have a file
> containing 15 minutes of captured traffic. I am trying to use a
display
> filter to filter the source IP like this ip.src == 10.10.0.104. In
most
> case this works fine, but for some IP it does not. For instance, if
I
> use ip.src == 10.10.0.108 I would suppose that only packets with
> 10.10:.0.108 as source should be displayed but I also get packets
with
> source IP like 10.10.4.1 and 207.102.162.1.
>
> If anyone have an idea what is happening, please let me know. Thank
> you in advance.
Since the unexpected "Source" IP addresses you have
seen have ".1" as the rightmost IP address component,
and since ".1" addresses are often used in router
addresses, I'm guessing that you are seeing ICMP error
packets.
For example an ICMP error packet from a router will include
the beginning of the packet that triggered the error. Since
Wireshark knows that ICMP error packets contain the 1st
part of another packet it will attempt to dissect the ICMP
payload. Although the ICMP error packet originated from
one host (which is what you will see in the "Source" column,
the ICMP payload could contain a packet that originated
from the host you are filtering for. This would match your
filter in a subtle but very powerful way!
But this trace wouldn't by chance contain data with some
type of encapsulated payload?
If it's not an ICMP error, an expansion the ethernet frame
will show you if you have some sort of tunneling going on
(look at the [Protocols in frame: eth:...] entry in the packet
details view).
You will see similar non-obvious matching behavior if your
traces have packets from the various tunneling protocols
such as GRE (Generic Router Encapsulation).
I hope this helps,
Jim Young
