Demonstrating how to use field occurrence

When an ICMP error message is sent, the ICMP packet also includes the IP header and the first 8 bytes (64 bits) of data of the original datagram that caused the error.

We can use a field occurrence to display the ID field of the first (outer) IP header alongside the ID field of the nested IP header, which lets us see whether the two are the same or different.

To compare the two, complete these steps to modify the column headers:

  1. Go to any frame that contains an ICMP error message. For example, use the icmp.type == 3 display filter to see all ICMP destination unreachable packets.
  2. Expand the main IP header and select the Identification field; right-click and then select Apply as Column. This will add the Identification column header.
  3. Next, go into Column Preferences and modify the settings for the newly created column header.
    • Displayed: Checked
    • Title: IP Main ICMP
    • Type: Custom (unchanged)
    • Fields: ip.id (unchanged)
    • Field Occurrence: 1
  4. Expand the nested IP header and select the Identification field; right-click and then select Apply as Column. This will add a second Identification column header.
  5. I selected the ID field in the nested ICMP packet, right-clicked, and then selected Apply as Column.
  6. Then, go into Column Preferences and modify the settings for the newly created column header.
    • Displayed: Checked
    • Title: IP Nested ICMP
    • Type: Custom (unchanged)
    • Fields: ip.id (unchanged)
    • Field Occurrence: 2

The result is shown in the following screenshot, where, right after the Protocol column header, you will see IP Main ICMP followed by IP Nested ICMP:

Field occurrence
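To make clear what the two occurrences refer to, the following added example (not from the original text) builds an ICMP destination unreachable packet by hand and extracts both Identification values in the order a dissector meets them. The addresses, IDs, and helper names are constructed for illustration, and checksums are left at zero because only the ID fields are examined.

```python
import socket
import struct

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # RFC 792 messages that quote the offending datagram

def ipv4_header(ident, proto, src, dst, payload_len):
    """Build a 20-byte IPv4 header without options (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ip_id_occurrences(packet):
    """Return each IPv4 Identification value in dissection order: outer, then nested."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return []
    ids = [struct.unpack_from("!H", packet, 4)[0]]
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if packet[9] != 1 or len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return ids          # not an ICMP error: only one ip.id exists
    quoted = icmp[8:]       # quoted IP header follows the 8-byte ICMP header
    if len(quoted) >= 20 and quoted[0] >> 4 == 4:
        ids.append(struct.unpack_from("!H", quoted, 4)[0])
    return ids

def column_value(packet, occurrence):
    """Mimic a custom ip.id column limited to one occurrence (1 = first, 2 = second)."""
    ids = ip_id_occurrences(packet)
    return f"0x{ids[occurrence - 1]:04x}" if 0 < occurrence <= len(ids) else ""

# Constructed sample: a host sends UDP, a router answers with ICMP type 3 code 3.
HOST, TARGET, ROUTER = "192.0.2.10", "198.51.100.20", "203.0.113.1"
original = ipv4_header(0x1A2B, 17, HOST, TARGET, 8) + struct.pack("!HHHH", 40000, 33434, 8, 0)
icmp_error = struct.pack("!BBHI", 3, 3, 0, 0) + original  # checksum not computed
SAMPLE = ipv4_header(0x9C4E, 1, ROUTER, HOST, len(icmp_error)) + icmp_error
# Constructed echo request: an ICMP packet that quotes no datagram.
ECHO = ipv4_header(0x0042, 1, HOST, TARGET, 8) + struct.pack("!BBHHH", 8, 0, 0, 1, 1)

if __name__ == "__main__":
    print("IP Main ICMP  :", column_value(SAMPLE, 1))
    print("IP Nested ICMP:", column_value(SAMPLE, 2))
```

For the echo request, the second column comes back empty, which is what the IP Nested ICMP column shows for any frame that carries only one IP header.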

Now, you can see how versatile Wireshark is in modifying columns to adjust your view. Next, let's take a look at an overlooked feature in Wireshark, which is the ability to adjust the font and change the default colors.
