Wireshark-users: Re: [Wireshark-users] Filtering ICMP Packets Based on IP Addresses in the ICMP P
From: Merton Campbell Crockett <m.c.crockett@xxxxxxxxxxxxxx>
Date: Sat, 30 May 2009 13:51:43 -0700

On 30 May 2009, at 12:17:54, j.snelders@xxxxxxxxxx wrote:

Does this display filter help you:
(icmp.type == 3) || (icmp.type == 4)

ICMP Destination Unreachable: type = 3
Source Quench: Type = 4

Not really. Perhaps, it might be better for me to explain the problem that is occurring and how I collected the network traffic.

First, the network traffic was collected using a Cisco Network Analyzer Module (NAM) at the switch port connecting to the server. I collected 1 GB of "raw" traffic data. By "raw", I mean that there were absolutely no filters defined as I wanted to capture all packets that traversed the network segment, i.e. I wanted to capture any "broadcast storms" that might impact the operation of the server along with any network traffic that was erroneously being routed/switched to the segment.

Microsoft's Office Communicator 2005 and Live Communications Server 2005 are used to provide an instant messaging capability on our corporate network. User's have complained that while IM'ing another user that they will receive an error message stating that the message that they just sent could not be delivered to one or more recipients. Also, they report that a user in their contact list will suddenly change from online to offline.

Management has gotten Microsoft involved in the problem. I have not been impressed with the technicians that have been involved in the problem. It was like pulling teeth to get them to explain how "presence" was determined. They keep saying that it is a network problem while not being able to explain how the network and the Windows TCP/IP stack impacts the application.

At any rate, we have determined that the "online" to "offline" state transition is being triggered by a TCP reset. In some instances, there is an automatic reconnection occurring almost immediately. In others, the user has to stop and start Office Communicator to restore use.

I'm trying to determine what is triggering the TCP reset. Also, I'm trying to determine under what conditions will the connection be automatically restored.

Basically, I use a "tcp.flags.reset eq 1" filter to find Office Communicator clients of interest. I then use the "icmp or ip.addr eq wh.at.ev.er" filter to find all events associated with the client. Unfortunately this includes all ICMP packets regardless of where they originated hence my original question.



On Sat, 30 May 2009 10:47:39 -0700 Merton Campbell Crockett wrote:
On 30 May 2009, at 09:54:50, Stephen Fisher wrote:

On Sat, May 30, 2009 at 09:24:22AM -0700, Merton Campbell Crockett
wrote:

In addition to looking at traffic to or from specific clients, I want to look at any ICMP traffic that involves the specific client. I've
used the following filter expression.

	icmp or ip.addr eq 10.10.208.211

Unfortunately, this filter includes all ICMP traffic instead of just
the ICMP traffic that is related to 10.10.208.211.

Try "icmp and ip.addr eq 10.10.208.211" to find packets to/from that

IP
that are ICMP -and- packets that have ICMP packets containing traffic
to/from that IP in the ICMP payload.

Wouldn't the "icmp and ip.addr eq 10.10.208.211" expression result in
only ICMP packets originating from or destined to 10.10.208.211 being
displayed?

All that I would expect to be displayed given the above expression are

ICMP Source Quench and ICMP Port Unreachable packets sent by the
client or the server.

What I'm really interested in seeing is how the server or client
behaves when a network device in the path between them interjects an
ICMP packet.  The problem that is being investigated only occurs with
clients that connect to the server over a WAN.  Clients connecting to
the server over a LAN do not experience the problem.

I can exclude network devices that wouldn't be in the path between the

client and the server by appending an expression similar to the
following to my original expression.

	and !(ip.addr eq 10.73.2.2 or ip.addr eq 10.10.1.3)

Doing this, however, hides problems that might have been triggered by
a routing flap.

Thanks, I guess I didn't miss something in the Wireshark
documentation.  :-(


Merton Campbell Crockett
m.c.crockett@xxxxxxxxxxxxxx




___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx >
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

Merton Campbell Crockett
m.c.crockett@xxxxxxxxxxxxxx