set a filter of packet length in wireshark

wireshark pcap libpcap
Daniel YC Lin picture Daniel YC Lin · Apr 5, 2012 · Viewed 54.3k times · Source

I've capture a pcap file and display it on wireshark. I want to analysis those udp packets with 'Length' column equals to 443.

On wireshark, I try to found what's the proper filter.

udp && length 443 # invalid usage
udp && eth.len == 443 # wrong result
udp && ip.len == 443 # wrong result

By the way, could the wireshark's filter directly apply on libpcap's filter?

Answer

Daniel YC Lin picture Daniel YC Lin · Apr 5, 2012

All these work on Wireshark's filter

frame.len==243  <- I use this
ip.len==229
udp.length==209
data.len==201

Related questions

Easiest way to convert pcap to JSON

I have a bunch of pcap files, created with tcpdump. I would like to store these in a database, for easier querying, indexing etc. I thought mongodb might be a good choice, because storing a packet the way Wireshark/TShark …

Read More
time difference between two packets in wireshark

I want to calculate the time difference between the time from sending the packet, to getting its ACK back. I do not see any timestamp related information in the packet, could anyone give me any pointers as to how I …

Read More
How to filter MAC addresses using tcpdump?

I am running tcpdump on DD-WRT routers in order to capture uplink data from mobile phones. I would like to listen only to some mac addresses. To do this I tried to run the command using a syntax similar to …

Read More