0

In Wireshark, when I follow a TCP or UDP stream using right click -> Follow -> UDP Stream, if there are some ICMP packets from the same endpoints, Wireshark will keep them in the stream. Why? Since ICMP is a different protocol from UDP/TCP, shouldn't it be filtered out? Is this a bug? If not, what is the reason to include non-UDP packets in a UDP stream?

4
  • Please add more details to your question for anyone to answer it. Are you using the Analyze → Follow → TCP/UDP Stream option? Or trying to set up a capture or display filter?
    – Zac67
    Commented Feb 3 at 17:07
  • @Zac67 I updated the question. Commented Feb 3 at 17:43
  • It's best to ask on the Wireshark Wiki. We can't speculate.
    – Ron Trunk
    Commented Feb 3 at 18:09
  • Has any answer solved your question? Then please accept it or your question will keep popping up here forever. Please also consider voting for useful answers.
    – Zac67
    Commented Mar 5 at 9:52

1 Answer

0

ICMP is IP's messaging system.

In addition to the well-known echo request/reply functions used with ping, it transmits various error codes for occurring problems. The first 64 bits (8 octets) of the original payload (L3 SDU) are returned with the ICMP error message to enable the sending stack to identify the calling process and to generate a meaningful error message.

Wireshark's flow analysis includes ICMP messages between the relevant hosts to allow you access to those errors.

For details, see RFC 792.

3
  • I understand the ICMP protocol. But it is a transport-layer protocol, just like UDP. So if I follow a UDP protocol, shouldn't it only display UDP and not ICMP? Commented Feb 4 at 7:04
  • 2
    That's up to the developers to decide. You could argue your case to them but I think they made it that way because they thought it would be useful or because they had requests to make it that way. I would assume that their philosophy is that it is relevant to the stream even if it is not the same protocol so they keep it in. Commented Mar 5 at 0:39
  • 1
    @SouravKannanthaB ICMP doesn't belong to the transport layer. It's an integral part of the network layer, even though it is carried and encapsulated like L4.
    – Zac67
    Commented Mar 5 at 6:51
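The correlation the answer describes, as an added example that is not code from the post or from Wireshark: a constructed UDP datagram, the ICMP port-unreachable error that quotes its IP header plus the first 64 bits of the IP payload (which is exactly the UDP source and destination ports), and a flow-key function that reads those quoted headers. The ICMP error therefore lands in the same conversation as the UDP datagram, while an echo request between the same two hosts, which quotes nothing, does not. The packet builders, the addresses and the flow-key logic are assumptions made for illustration; the 64-bit quoting rule is the RFC 792 behaviour the answer cites.

```python
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_UDP = 17
# ICMP types whose body quotes the offending IP header plus 64 bits of its payload (RFC 792)
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
ICMP_ECHO_REQUEST = 8


def ipv4_packet(src, dst, proto, payload, ttl=64, ident=0x1234):
    """Build a minimal IPv4 packet: 20-byte header, no options, checksum left at 0 (illustrative)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp_datagram(sport, dport, data):
    """UDP header (ports, length, checksum 0) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def icmp_message(mtype, code, body):
    """8-byte ICMP header (type, code, checksum 0, 4 unused/id+seq bytes) followed by body."""
    return struct.pack("!BBHI", mtype, code, 0, 0) + body


def icmp_error_for(original_ip_packet, mtype=3, code=3):
    """Error message quoting the original IP header plus the first 8 bytes of its payload."""
    ihl = (original_ip_packet[0] & 0x0F) * 4
    return icmp_message(mtype, code, original_ip_packet[: ihl + 8])


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); works on a truncated quoted header too."""
    ihl = (pkt[0] & 0x0F) * 4
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:])


def udp_flow_key(src, dst, udp_bytes):
    """Direction-independent conversation key from the first 4 bytes of the UDP header."""
    sport, dport = struct.unpack("!HH", udp_bytes[:4])
    return (IPPROTO_UDP,) + tuple(sorted([(src, sport), (dst, dport)]))


def flow_key(pkt):
    """Conversation a follow-UDP-stream view would file this packet under, or None."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto == IPPROTO_UDP:
        return udp_flow_key(src, dst, payload)
    if proto == IPPROTO_ICMP and payload[0] in ICMP_ERROR_TYPES:
        # After the 8-byte ICMP header comes the quoted IP header + 64 bits of its payload;
        # for UDP those 64 bits are src port, dst port, length, checksum.
        qsrc, qdst, qproto, qpayload = parse_ipv4(payload[8:])
        if qproto == IPPROTO_UDP and len(qpayload) >= 4:
            return udp_flow_key(qsrc, qdst, qpayload)
    return None  # echo request/reply and non-UDP errors belong to no UDP conversation


def follow_udp_stream(packets, index):
    """Indices of every packet in the same UDP conversation as packets[index]."""
    key = flow_key(packets[index])
    return [i for i, p in enumerate(packets) if flow_key(p) == key]


# Constructed sample capture (not real traffic); addresses from the RFC 5737 documentation range.
CLIENT, SERVER = "192.0.2.10", "192.0.2.20"
dns_query = ipv4_packet(CLIENT, SERVER, IPPROTO_UDP, udp_datagram(40000, 53, b"\x12\x34query"))
# Nothing listening on 53/udp: the server answers with Destination Unreachable, Port Unreachable
port_unreach = ipv4_packet(SERVER, CLIENT, IPPROTO_ICMP, icmp_error_for(dns_query, 3, 3))
# Unrelated traffic between the same two hosts
other_udp = ipv4_packet(CLIENT, SERVER, IPPROTO_UDP, udp_datagram(40001, 123, b"\x1b" + bytes(47)))
ping = ipv4_packet(CLIENT, SERVER, IPPROTO_ICMP, icmp_message(ICMP_ECHO_REQUEST, 0, b"hello"))
CAPTURE = [dns_query, port_unreach, other_udp, ping]

if __name__ == "__main__":
    for i in follow_udp_stream(CAPTURE, 0):
        src, dst, proto, _ = parse_ipv4(CAPTURE[i])
        print(f"frame {i}: {src} -> {dst} proto {proto}")
```

Running it lists frames 0 and 1 only: the query and the ICMP error that quotes it. The ping (type 8) and the second UDP flow on different ports stay out. The equivalent check in a real capture is to expand the quoted IP and UDP headers inside the ICMP frame and compare the addresses and ports with the stream you are following; if they match, the error belongs to that flow whatever the outer protocol field says.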
