Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2018-01-08 18:29:00 +0000

cmaynard gravatar image

If you refer to RFC 768, you will see that the UDP Length field is defined as follows:

Length  is the length  in octets  of this user datagram  including  this
header  and the data.   (This  means  the minimum value of the length is
eight.)

The length displayed in the Info column is the UDP payload length, which is 8 bytes less than the value of the udp.length field. If you only want to match UDP packets with a payload length of 4, you will have to append, and udp.length==12.

That aside, maybe give the following filter a try instead. If it works for you, then you don't have to worry about the UDP length field at all, unless you really do only want to match UDP packets of a very specific size.

ip.addr==192.168.10.1 and udp.port==47555 and (data contains "k")