Ask Your Question
0

Display filter udp slice not working in udp payload

asked 2023-11-18 04:25:17 +0000

gvaeth gravatar image

updated 2023-11-18 04:31:26 +0000

Using Wireshark 4.2.0, display filter udp[8]==8C produces no results in the example below. With version 3.6.1, the frame is displayed.

With 4.2.0 udp.payload[0]==8C and data.data[0]==8C work, but that makes complex filters way too long. Any slices for bytes 0 through 7 are good (UDP header). Did I miss the memo that udp[n] slicing into the UDP payload no longer works?

wireshark screenshot

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2023-11-19 18:54:46 +0000

SYN-bit gravatar image

I can reproduce this, also with version 4.0.x and automated build 4.3.0rc0-736-g47a4d7f48061. In Wireshark 3.6.18 it still worked. There has been some major work done on the Display filter engine in version 4.0 and 4.2, so it seems this is an overlooked use-case which has resulted in a bug.

Could you please add an issue to the Wireshark Issue Tracker for this bug?

edit flag offensive delete link more

Comments

Thanks for confirming.

Issue added: UDP slice display filter fails on UDP payload

gvaeth gravatar imagegvaeth ( 2023-11-19 22:26:11 +0000 )edit

Thank you!

SYN-bit gravatar imageSYN-bit ( 2023-11-19 23:13:38 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2023-11-18 04:25:17 +0000

Seen: 220 times

Last updated: Nov 19 '23