With wireshark how can I filter by packet size?
22,498
Solution 1
As you said in your comment:
greater <length>
less <length>
They also happen to be in this handy tcpdump cheat sheet I have on my wall.
Solution 2
Wireshark uses the same capture filter syntax as tcpdump, and it doesn't look like that's an option
Related videos on Youtube
12 : 13
Top 10 Wireshark Filters // Filtering with Wireshark
10 : 38
Learn Wireshark in 10 minutes - Wireshark Tutorial for Beginners
12 : 49
How to Filter Traffic // Intro to Wireshark Tutorial // Lesson 5
02 : 08
WireShark - Packet Length Statistics
01 : 39
DevOps & SysAdmins: With wireshark how can I filter by packet size? (2 Solutions!!)
Author by
paxos1977
Former Network Security geek (working as a developer these days). CheckPoint & Cisco Firewall and VPN administration experience. Some Windows Administration experience with Server 2003. Tinkering on XP, Vista, Server 2008. OpenBSD fanatic Also likes FreeBSD, MacOSX, and Linux.
Updated on September 17, 2022Comments
-
paxos1977 over 1 year
I can filter for packet lengths using a display filter containing data.len >= XXX, but I'd really like to use a capture filter for this for efficiency... is there a way to do it?
-
Denys about 14 yearsKyle's answer is correct. If you ever do need to use the display filter again, frame.len would be a better choice. "frame" is guaranteed to match every packet. The "data" dissector is usually only called as a last resort, and may not match very many packets.
-
paxos1977 about 14 yearscool, thanks for the info. I'll use frame.len from now on.
-
-
paxos1977 about 14 years+1 for the link to the documentation... but you missed the "greater" option. Apparently, there is also a "len" option.
-
mfinni about 14 yearsWow, yup. You're entirely correct- I was reading it looking for "size" and totally missed "len." Lame :-)
