Ask Your Question

# Revision history [back]

### What is the udp.length display filter actually for?

I have Wireshark 2.2.6 on a Xubuntu 16.04 LTS (VirtualBox installation). I want to create a display fitler that shows only UDP datagrams that contain the letter k, have a length 4 and come from a specific IP and port.

So far I have come up with:

ip.addr==192.168.10.1 and udp.port==47555 and (udp contains "k") and udp.length==4


But it doesn't seem to work. The Length column gives me 60, while the Info columns tells be that Len=4. From what I understand the first is what is returned by frame.len and represents the size of the whole frame while the second is limited only to the size of the data. I tried using each of these numbers in the expression above (just to make sure) but all I get is a single datagram with the Time *REF*. All the other datagrams are hidden by my filter even though (at least from my perspective) these should be visible.

The reason why I want to use udp.length is that it seems that contains is not limited only to the data segment but also covers the whole frame so leaving it as the only (beside the IP address and port) criterion returns unwanted results. Using frame.len is not an option since I have frames with the exact same length as the ones I'm interested in but contain k outside the data segment.