
I want to create a Wireshark filter which displays all packets which are

  • DTLS packets
  • as well as UDP packets sent from or to a port number between 1234 and 1250

I have tried to use the following filter:

dtls || (udp.port >= 1234 && udp.port <= 1250)

Wireshark however shows all kinds of packets, e.g. DNS packets from port 52795 to 53, which is completely out of range for the UDP filter part and is not a DTLS packet.

What am I missing, what's the correct filter expression?


1 Answer


This is a common mistake. udp.port can be thought of as a sort of macro for udp.srcport or udp.dstport, meaning that as long as either one is larger than 1234 or either one is less than 1250, the filter, as written, will match the packet. I think what you want is:

dtls || ((udp.srcport >= 1234 && udp.srcport <= 1250) || (udp.dstport >= 1234 && udp.dstport <= 1250))

You might want to create a Wireshark Display Filter Macro to help simplify that expression. For example, suppose you created the following macro:

((udp.srcport >= $1 and udp.srcport <= $2) or (udp.dstport >= $1 and udp.dstport <= $2))

Then you could apply this filter:

dtls || ${udp_portrange:1234;1250}
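The following is an added example, not part of the question or the answer above: a small Python model of how Wireshark evaluates a comparison on a multi-occurrence field like udp.port (true if any occurrence satisfies it), placed next to the per-field check the answer recommends. The packets and port numbers are constructed for illustration.

```python
# Added example (not from the original question or answer): models why
# "udp.port >= 1234 && udp.port <= 1250" matches a DNS packet 52795 -> 53.
# In a Wireshark display filter, a comparison on udp.port is true if ANY
# occurrence of the field (udp.srcport or udp.dstport) satisfies it, so the
# two halves of a range test can be satisfied by two different ports.

# Constructed sample packets: (description, UDP source port, UDP destination port)
PACKETS = [
    ("DNS query 52795 -> 53", 52795, 53),
    ("in-range source 1240 -> 4433", 1240, 4433),
    ("NTP 123 -> 123", 123, 123),
    ("reply 9000 -> 1250", 9000, 1250),
]

LO, HI = 1234, 1250


def naive_udp_port_range(src, dst, lo=LO, hi=HI):
    """Model of 'udp.port >= lo && udp.port <= hi' as Wireshark evaluates it:
    each comparison is independently true if ANY port occurrence satisfies it."""
    any_ge = src >= lo or dst >= lo   # udp.port >= lo
    any_le = src <= hi or dst <= hi   # udp.port <= hi
    return any_ge and any_le


def per_field_udp_port_range(src, dst, lo=LO, hi=HI):
    """Model of the corrected filter from the answer: one and the same port must
    satisfy both bounds, tested separately for udp.srcport and udp.dstport."""
    return (lo <= src <= hi) or (lo <= dst <= hi)


def compare(packets=PACKETS):
    """Return (description, naive_match, corrected_match) for each packet."""
    return [(desc, naive_udp_port_range(s, d), per_field_udp_port_range(s, d))
            for desc, s, d in packets]


if __name__ == "__main__":
    for desc, naive, fixed in compare():
        print(f"{desc:30} naive={str(naive):5} corrected={fixed}")
```

The DNS packet is the case from the question: 52795 satisfies the lower bound and 53 satisfies the upper bound, so the naive filter matches while the per-field filter does not.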