set a filter of packet length in wireshark
67,602
All these work on Wireshark's filter
frame.len==243 <- I use this
ip.len==229
udp.length==209
data.len==201
Comments
-
Daniel YC Lin over 3 years
I've capture a pcap file and display it on wireshark. I want to analysis those udp packets with 'Length' column equals to 443.
On wireshark, I try to found what's the proper filter.
udp && length 443 # invalid usage udp && eth.len == 443 # wrong result udp && ip.len == 443 # wrong result
By the way, could the wireshark's filter directly apply on libpcap's filter?
-
Admin about 12 yearsThe first of those is what should be used to filter on the Length column.
-
Nick T about 6 yearsAnd the different lengths included are indicative of the nested protocols, e.g. IPv4 headers are usually 20 B (
ip.len - udp.length
). -
MrMas about 2 yearsAlso of more general use is
len(<some field>) == <expected number of bytes>