37
votes

I've captured a pcap file and displayed it in Wireshark. I want to analyze those UDP packets whose 'Length' column equals 443.

In Wireshark, I tried to find the proper filter.

udp && length 443 # invalid usage
udp && eth.len == 443 # wrong result
udp && ip.len == 443 # wrong result

By the way, can Wireshark's filter be applied directly as a libpcap filter?

1
How about using simply udp.length==443? - Anonymous
In answer to "the wireshark's filter can directly apply on libpcap's filter?", the answer is "no" - Wireshark display filters and libpcap capture filters are processed by different code and have different syntaxes and capabilities (Wireshark display filters are much more powerful than libpcap filters, but Wireshark is bigger and does a LOT more work to support that). - user862787

1 Answer

69
votes

All of these work in Wireshark's filter:

frame.len==243  <- I use this
ip.len==229
udp.length==209
data.len==201
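
Added example, not part of the original answer: the four filters in the answer describe one packet measured at different layers, which is why each value differs by a header size. The Python below builds a constructed Ethernet II / IPv4 / UDP frame, reads each length, and converts a 'Length' column value into the equivalent filters. The 14-byte Ethernet header (no VLAN tag), the 20-byte IPv4 header (no options) and the function names are assumptions of this example.

```python
import struct

ETH_HDR = 14  # assumption: Ethernet II, no VLAN tag
IP_HDR = 20   # assumption: IPv4 without options
UDP_HDR = 8

def build_frame(payload_len):
    """Constructed sample: Ethernet II / IPv4 / UDP frame with a zeroed payload."""
    payload = bytes(payload_len)
    udp = struct.pack("!HHHH", 40000, 50000, UDP_HDR + payload_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    return eth + ip + udp

def length_fields(frame):
    """Read each length and key it by the Wireshark field name used in the answer."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not an IPv4 Ethernet II frame")
    ihl = (frame[ETH_HDR] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[ETH_HDR + 9] != 17:
        raise ValueError("not UDP")
    ip_len = struct.unpack_from("!H", frame, ETH_HDR + 2)[0]
    udp_len = struct.unpack_from("!H", frame, ETH_HDR + ihl + 4)[0]
    return {
        "frame.len": len(frame),               # bytes on the wire
        "ip.len": ip_len,                      # IPv4 total length field
        "udp.length": udp_len,                 # UDP header + payload
        "data.len": udp_len - UDP_HDR,         # payload only
    }

def equivalent_filters(frame_len):
    """Display filters matching a UDP packet with the given frame length."""
    ip_len = frame_len - ETH_HDR
    udp_len = ip_len - IP_HDR
    if udp_len < UDP_HDR:
        raise ValueError("frame too short to carry UDP")
    return [
        f"udp && frame.len=={frame_len}",
        f"udp && ip.len=={ip_len}",
        f"udp.length=={udp_len}",
        f"udp && data.len=={udp_len - UDP_HDR}",
    ]

if __name__ == "__main__":
    print(length_fields(build_frame(201)))
    print("\n".join(equivalent_filters(443)))
```

In Wireshark the `data` field is only present when no higher-level dissector claims the UDP payload, so the `data.len` form matches fewer packets than the other three on decoded protocols.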