I need a capture filter for wireshark that will match two bytes in the UDP payload. I've seen filters with
UDP[8:4]
as matching criteria, but there was no explanation of the syntax, and I can't find it in any Wireshark wiki (needle in the haystack thing).
I need to only capture UDP 5361, and only packets that have the bytes 8C:61 as the third and fourth bytes in the payload. Something like
udp port 5361 and udp[2:2]=8C:61
But I'm guessing at this, of course. Thanks for any help...
Stumbled on it:
udp port 5361 and udp[10:2]==0x8C61
The UDP data field (payload) starts at offset 8, and I'm looking at payload bytes 3 and 4. The tip was in the Wireshark Wiki, after all.
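The accepted capture filter, re-implemented in Python as an added example (not code from the original post or from Wireshark) to make the udp[offset:size] arithmetic visible. In pcap-filter (BPF) syntax, udp[offset:size] reads size bytes starting offset bytes into the UDP header and compares them as a big-endian integer, so the third and fourth payload bytes are at udp[10:2] (8-byte header + 2), while the guessed udp[2:2] is actually the destination-port field. The function names, the constructed packet and the 10.0.0.x addresses below are assumptions for illustration only. Two caveats a practitioner should keep in mind: the pcap-filter man page states that indexing into tcp/udp applies only to IPv4 packets, and "udp port" only matches the first fragment, so the fragment-offset check is mirrored here.

```python
import struct

IP_PROTO_UDP = 17
UDP_HEADER_LEN = 8


def build_ipv4_udp(src_port, dst_port, payload):
    """Construct a minimal IPv4/UDP packet (test input; checksums left zero)."""
    udp_len = UDP_HEADER_LEN + len(payload)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                  # version 4, IHL 5 (20-byte header, no options)
        0,                     # DSCP/ECN
        20 + udp_len,          # total length
        0,                     # identification
        0,                     # flags / fragment offset
        64,                    # TTL
        IP_PROTO_UDP,          # protocol
        0,                     # header checksum (ignored here)
        bytes([10, 0, 0, 1]),  # assumed source address
        bytes([10, 0, 0, 2]),  # assumed destination address
    )
    return ip_hdr + udp_hdr + payload


def udp_field(pkt, offset, size):
    """BPF-style udp[offset:size]: 'size' bytes at 'offset' from the UDP header,
    interpreted as a big-endian integer. The UDP header starts after the IPv4
    header, whose length is IHL * 4 (not always 20, if options are present)."""
    ihl = (pkt[0] & 0x0F) * 4
    start = ihl + offset
    return int.from_bytes(pkt[start:start + size], "big")


def matches_filter(pkt):
    """Equivalent of 'udp port 5361 and udp[10:2]==0x8C61'."""
    if pkt[0] >> 4 != 4 or pkt[9] != IP_PROTO_UDP:
        return False
    # 'udp port' in BPF only matches the first (or only) fragment.
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if frag_offset != 0:
        return False
    src_port = udp_field(pkt, 0, 2)   # udp[0:2]
    dst_port = udp_field(pkt, 2, 2)   # udp[2:2]  <- what the asker first guessed
    if 5361 not in (src_port, dst_port):
        return False
    # Payload byte n (1-based) is udp[8 + n - 1]; bytes 3 and 4 are udp[10:2].
    return udp_field(pkt, 10, 2) == 0x8C61


if __name__ == "__main__":
    hit = build_ipv4_udp(40000, 5361, b"\x01\x02\x8c\x61\x05")
    miss = build_ipv4_udp(40000, 5361, b"\x8c\x61\x00\x00")
    print("udp[2:2] is the destination port:", udp_field(hit, 2, 2))
    print("udp[10:2] of hit packet: 0x%04X" % udp_field(hit, 10, 2))
    print("hit matches:", matches_filter(hit), "| miss matches:", matches_filter(miss))
```

To check what libpcap itself makes of the expression without capturing anything, compile it with tcpdump -d 'udp port 5361 and udp[10:2]==0x8C61'; the dumped BPF program shows the same 8-byte header offset being added before the 2-byte load.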
It's an old question, but it may come in handy for someone else.
To access the first byte of the payload of a UDP packet I use
udp and data[3]==0x8c and data[4]==0x61