When ip.src gives you more than you expected with Wireshark

Many protocol analysts rely on filters to see patterns more clearly and to reduce the number of packets they need to sift through. One popular filter is an IP address filter. In Wireshark, when you right-click an IP address in the Packet List (top pane), you create a unidirectional filter, either to or from that address, depending on whether you clicked in the Source or the Destination column.

In this video I show you that there are scenarios where it may seem like your simple filter did not work, because you see what looks like a bidirectional result. This is where your protocol knowledge needs to kick in.

I highlight ICMP in this example, where the IP source address field (ip.src) is present in the IPv4 header. Unfortunately it is also present in the ICMP payload, because an ICMP error message quotes the IP header of the packet that triggered it, and the filter matches every occurrence of the field in the packet. Having that quoted header is normally helpful.
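To make the behaviour concrete, here is an added example (not from the video) that builds a constructed ICMP Time Exceeded packet and walks every IPv4 header in it, the way the ip.src filter does; the address-match behaviour, the 10.0.0.1 / 192.168.1.10 / 8.8.8.8 addresses and the reference to Wireshark's layer-qualified `ip.src#1` syntax (Wireshark 4.0 and later) are the example's own assumptions.

```python
import struct
import ipaddress

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # these quote the offending datagram's IP header


def ipv4_header(src, dst, proto, ttl=64, total_len=20):
    """Minimal 20-byte IPv4 header (checksum left zero; it is not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


# Constructed sample: router 10.0.0.1 reports "Time Exceeded" to 192.168.1.10 for a DNS
# query 192.168.1.10 -> 8.8.8.8 whose TTL ran out. Per RFC 792 the ICMP payload quotes the
# original IP header plus 8 bytes, so a second ip.src (192.168.1.10) rides inside the payload.
ORIGINAL = ipv4_header("192.168.1.10", "8.8.8.8", 17, ttl=1, total_len=28) \
    + struct.pack("!HHHH", 40000, 53, 8, 0)
ICMP = struct.pack("!BBHI", 11, 0, 0, 0) + ORIGINAL[:28]
SAMPLE = ipv4_header("10.0.0.1", "192.168.1.10", 1, total_len=20 + len(ICMP)) + ICMP


def ipv4_headers(packet):
    """Yield (layer, src, dst) for each IPv4 header, outermost first, descending into
    the datagram quoted by an ICMP error message."""
    layer = 1
    while len(packet) >= 20:
        ihl = (packet[0] & 0x0F) * 4
        if packet[0] >> 4 != 4 or ihl < 20:
            break
        src = str(ipaddress.IPv4Address(packet[12:16]))
        dst = str(ipaddress.IPv4Address(packet[16:20]))
        yield layer, src, dst
        icmp = packet[ihl:]
        if packet[9] != 1 or len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
            break
        packet = icmp[8:]  # quoted original datagram starts after the 8-byte ICMP header
        layer += 1


def matches_ip_src(packet, addr):
    """Behaves like Wireshark's 'ip.src == addr': true if ANY occurrence of the field matches."""
    return any(src == addr for _, src, _ in ipv4_headers(packet))


def matches_outer_ip_src(packet, addr):
    """Only the outermost IPv4 header, like the layer-qualified filter 'ip.src#1 == addr'."""
    outer = next(ipv4_headers(packet), None)
    return outer is not None and outer[1] == addr


if __name__ == "__main__":
    for layer, src, dst in ipv4_headers(SAMPLE):
        print(f"layer {layer}: ip.src={src} ip.dst={dst}")
    print("ip.src == 192.168.1.10   ->", matches_ip_src(SAMPLE, "192.168.1.10"))        # True
    print("ip.src#1 == 192.168.1.10 ->", matches_outer_ip_src(SAMPLE, "192.168.1.10"))  # False
```

The outer header says the packet came from 10.0.0.1, yet a plain ip.src filter for 192.168.1.10 still matches, exactly the surprise described above; qualifying the layer (or excluding ICMP error types) restricts the match to the header you meant.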

You can run into similar issues with DHCP and ARP, for starters.

So the moral of the story is: don't assume the analyzer did something wrong or has a bug. Look into Packet Details (middle pane) and try to figure out whether there is another field in the payload that meets your filter criteria.

Enjoy

