Wireshark-users: Re: [Wireshark-users] finding a missing ICMP Echo Reply
From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Fri, 05 Oct 2012 09:03:22 -0700
Can you try "(icmp.type == 8) && !icmp.resp_in"? That should show any
request without a matching response.

On 10/5/12 8:35 AM, Stuart Kendrick wrote:
> I'm stumbling on this.
> 
> Filtering on icmp.resp_in shows me all the Requests
> Filtering on icmp.resp_to shows me all the Replies
> 
> Filtering on !icmp.resp_in shows me everything
> Filtering on !icmp.resp_to shows me everything
> 
> Filtering on "!icmp.resp_in and !icmp_resp_to" shows me everything
> 
> Reading the description of these expressions ... I don't understand what
> they do:
> 
> icmp_resp_in - Response In (the response to this request is in this frame)
>     How can an ICMP Request and an ICMP Reply share the same frame?
> icmp_resp_to = Response To (This is the response to the request in this
> frame)
>     How do I specify which request?
> 
> Would you elaborate?
> 
> --sk
> 
> On 10/5/2012 8:22 AM, Martin Isaksson wrote:
>> Hi Stuart!
>>
>> !icmp.resp_in and !icmp.resp_to
>>
>> There might be an easier way :)
>>
>> /M
>>
>>
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>            
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe