# What is the udp.length display filter actually for?

I have Wireshark 2.2.6 on a Xubuntu 16.04 LTS (VirtualBox installation). I want to create a display filter that shows only UDP datagrams that contain the letter k, have a length of 4 and come from a specific IP and port.

So far I have come up with:

ip.addr==192.168.10.1 and udp.port==47555 and (udp contains "k") and udp.length==4


But it doesn't seem to work. The Length column gives me 60, while the Info column tells me that Len=4. From what I understand the first is what is returned by frame.len and represents the size of the whole frame, while the second is limited only to the size of the data. I tried using each of these numbers in the expression above (just to make sure) but all I get is a single datagram with the Time *REF*. All the other datagrams are hidden by my filter even though (at least from my perspective) these should be visible.

The reason why I want to use udp.length is that it seems that contains is not limited only to the data segment but also covers the whole frame, so leaving it as the only criterion (besides the IP address and port) returns unwanted results. Using frame.len is not an option since I have frames with the exact same length as the ones I'm interested in that contain k outside the data segment.


If you refer to RFC 768, you will see that the UDP Length field is defined as follows:

Length is the length in octets of this user datagram including this header and the data. (This means the minimum value of the length is eight.)


The length displayed in the Info column is the UDP payload length, which is 8 bytes less than the value of the udp.length field. If you only want to match UDP packets with a payload length of 4, you will have to append `and udp.length==12` instead.

That aside, maybe give the following filter a try instead. If it works for you, then you don't have to worry about the UDP length field at all, unless you really do only want to match UDP packets of a very specific size.

ip.addr==192.168.10.1 and udp.port==47555 and (data contains "k")


@cmaynard, I'm afraid a data field exists only if no "better" dissector could be used. So that condition will only work for udp packets whose payload is not dissected.

So I would replace data by udp[8:4] which works regardless whether the udp payload is dissected or not.

(2018-01-08 19:00:22 +0000)

That's true, but I based my answer on the fact that @rbaleksandar indicated that "the Info column tells me that Len=4." If another protocol had performed further dissection, then in all likelihood the Info column would have been replaced with other information and you wouldn't see the "Len=4" indication. Of course that doesn't necessarily have to be the case, so it's a good point to consider.

However, replacing data with udp[8:4] isn't necessarily a replacement solution either if the "k" could occur in UDP packets with other lengths too and at offsets past the first 4 octets. But perhaps for this use case it would be sufficient. EDIT: Of course if the offset of "k" is known and is a fixed value, then there's no need to use contains; just use something like udp[8] eq "k" instead, replacing 8 ...

(2018-01-08 19:10:16 +0000)
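The following is an added example, not code from the question, the answer or the comments above. It is a small Python model of the three lengths the thread keeps apart (frame.len, udp.length and the payload length shown as Len= in the Info column) and of the filter the answer and comments converge on: ip.addr and udp.port plus udp.length==12 and a udp[8:4] slice. It builds three constructed Ethernet/IPv4/UDP frames with the question's source address 192.168.10.1 and port 47555; the MAC addresses, the destination 192.168.10.2 and port 5000 are made up. One frame carries k in a 4-byte payload, one carries k only in the Ethernet padding after the IP datagram, and one carries k in an 8-byte payload, so all three have the same frame.len of 60 and only udp.length and the payload slice tell them apart. The model treats the udp field as header plus data, as RFC 768 defines the length and as the udp[8:4] suggestion assumes; it does not try to reproduce every detail of Wireshark's own dissector, in particular when a data field exists.

```python
"""Model of frame.len, udp.length and udp[8:4] from the thread above.

Constructed sample frames, not a real capture. Addresses 192.168.10.1 and
port 47555 come from the question; the MACs, 192.168.10.2 and port 5000
are made up for the example.
"""
import struct

ETH_HDR_LEN = 14
IP_HDR_LEN = 20
UDP_HDR_LEN = 8
ETH_MIN_FRAME = 60  # minimum Ethernet frame minus the 4-byte FCS, which captures usually drop


def _ip_checksum(header: bytes) -> int:
    """RFC 791 ones-complement checksum of an (even-length) IPv4 header."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_ip, dst_ip, sport, dport, payload, trailer=b""):
    """Ethernet II / IPv4 / UDP frame.

    `trailer` models bytes after the IP datagram (Ethernet padding); short
    frames are zero-padded to ETH_MIN_FRAME like a NIC would pad them.
    """
    udp_length = UDP_HDR_LEN + len(payload)  # RFC 768: header + data, minimum 8
    udp = struct.pack("!HHHH", sport, dport, udp_length, 0) + payload  # checksum 0 = none (IPv4)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(udp),
                     0x1234, 0x4000, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    eth = b"\x52\x54\x00\x00\x00\x01" + b"\x52\x54\x00\x00\x00\x02" + b"\x08\x00"
    return (eth + ip + udp + trailer).ljust(ETH_MIN_FRAME, b"\x00")


def dissect(frame: bytes) -> dict:
    """Recover the display-filter fields discussed in the thread."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    ip_total = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    if frame[ETH_HDR_LEN + 9] != 17:
        raise ValueError("not UDP")
    src = ".".join(str(b) for b in frame[ETH_HDR_LEN + 12:ETH_HDR_LEN + 16])
    dst = ".".join(str(b) for b in frame[ETH_HDR_LEN + 16:ETH_HDR_LEN + 20])
    off = ETH_HDR_LEN + ihl
    sport, dport, udp_length, _ = struct.unpack("!HHHH", frame[off:off + UDP_HDR_LEN])
    udp = frame[off:off + udp_length]  # header + data: what udp[...] slices in this model
    return {
        "frame.len": len(frame),              # Length column: whole frame incl. padding
        "frame": frame,
        "ip.addr": {src, dst},
        "udp.port": {sport, dport},
        "udp.length": udp_length,             # RFC 768 length: header + data
        "udp": udp,
        "data": udp[UDP_HDR_LEN:],            # payload: the Info column's Len=
        "trailer": frame[ETH_HDR_LEN + ip_total:],  # bytes past the IP datagram
    }


def matches(fields: dict, ip_addr: str, port: int, payload_len: int, needle: bytes) -> bool:
    """ip.addr==X and udp.port==P and udp.length==8+N and udp[8:N] contains needle."""
    return (ip_addr in fields["ip.addr"]
            and port in fields["udp.port"]
            and fields["udp.length"] == UDP_HDR_LEN + payload_len
            and needle in fields["udp"][UDP_HDR_LEN:UDP_HDR_LEN + payload_len])


SRC, PORT = "192.168.10.1", 47555
SAMPLES = {
    "k_in_payload": build_udp_frame(SRC, "192.168.10.2", PORT, 5000, b"k\x00\x00\x00"),
    "k_in_padding": build_udp_frame(SRC, "192.168.10.2", PORT, 5000, b"abcd", trailer=b"k"),
    "k_long_payload": build_udp_frame(SRC, "192.168.10.2", PORT, 5000, b"kkkkkkkk"),
}


def summarize() -> dict:
    """(frame.len, udp.length, payload len, frame contains k, filter match) per sample."""
    out = {}
    for name, frame in SAMPLES.items():
        f = dissect(frame)
        out[name] = (f["frame.len"], f["udp.length"], len(f["data"]),
                     b"k" in f["frame"], matches(f, SRC, PORT, 4, b"k"))
    return out


if __name__ == "__main__":
    for name, row in summarize().items():
        print(f"{name:15s} frame.len={row[0]} udp.length={row[1]} Len={row[2]} "
              f"frame_has_k={row[3]} filter_match={row[4]}")
```

All three samples report frame.len 60, which is why frame.len cannot separate them; udp.length is 12 for the two 4-byte payloads and 16 for the 8-byte one, and only the frame with k inside udp[8:4] passes the filter. Taking udp[8:9] from the dissected fields gives the single byte that the comment's udp[8] eq "k" form would compare.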