Hi Stuart,
First I should say I am using Wureshark Version 1.8.2 (SVN Rev 44520 from /trunk-1.8).
I took an old capture file with ICMP pings, deleted one reply with frame.number != X and saved.
Then I used the filter below, and the only packet listed was the lone request.
icmp.resp_in seems only to be present in frames that Wireshark can find the response to.
The same for icmp.resp_to in the replies.
!(icmp.resp_in or icmp.resp_to) should be equivalent. The filter suggested by Gerald works for me as well, and I like it more than mine :)
Kind regards,
Martin
-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Gerald Combs
Sent: den 5 oktober 2012 12:03
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] finding a missing ICMP Echo Reply
Can you try "(icmp.type == 8) && !icmp.resp_in"? That should show any request without a matching response.
On 10/5/12 8:35 AM, Stuart Kendrick wrote:
> I'm stumbling on this.
>
> Filtering on icmp.resp_in shows me all the Requests Filtering on
> icmp.resp_to shows me all the Replies
>
> Filtering on !icmp.resp_in shows me everything Filtering on
> !icmp.resp_to shows me everything
>
> Filtering on "!icmp.resp_in and !icmp_resp_to" shows me everything
>
> Reading the description of these expressions ... I don't understand
> what they do:
>
> icmp_resp_in - Response In (the response to this request is in this frame)
> How can an ICMP Request and an ICMP Reply share the same frame?
> icmp_resp_to = Response To (This is the response to the request in
> this
> frame)
> How do I specify which request?
>
> Would you elaborate?
>
> --sk
>
> On 10/5/2012 8:22 AM, Martin Isaksson wrote:
>> Hi Stuart!
>>
>> !icmp.resp_in and !icmp.resp_to
>>
>> There might be an easier way :)
>>
>> /M
>>
>>
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe