This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

A lot of folks use bittwiste, perl/python scripts, or maybe even the DLT_USER method to do something similar based on their goals, but to this point I haven't found an embedded method to process packets on the fly and wanted to know if others thought it was possible before I even tried. I have a scenario where I have a UDP packet that always uses a UDP src/dst port of say XXXX and the headers are always 42 bytes in length. Within the payload of the frame is the actual data frame to include headers, etc. I was thinking that it would be possible to write a dissector to filter on 'static int global_protocol_port = XXXX', strip off 42 bytes and handoff. However, the more I read into the process of how Wireshark dissects packets, I'm not sure this is even possible to do on the fly as packets are being received on the wire. Any thoughts on this are more than welcome and appreciated.

asked 10 Mar '14, 04:47

LonestarZ06

I'm not sure this is even possible to do on the fly as packets are being received on the wire.

Do you need a continuous monitoring solution (running 24x7) that prints parts of your UDP payload as the frames fly by?

(10 Mar '14, 06:39) Kurt Knochner ♦

You should look into tap listeners, in this case for the udp_follow tap.

answered 10 Mar '14, 05:50

Jaap ♦
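The approach the question describes (register on the UDP port, skip the fixed-length header, hand the inner frame to another dissector) written as a Wireshark Lua dissector. This is an added example, not code from the original posts. Assumptions: port 9999 stands in for the unspecified XXXX, the name `udpencap` is hypothetical, the 42 bytes sit at the start of the UDP payload, and the inner frame is Ethernet without FCS.

```lua
-- Added example; load with: wireshark -X lua_script:udpencap.lua
-- "udpencap" is a hypothetical protocol name, not from the original posts.
local encap = Proto("udpencap", "Fixed-header UDP encapsulation (example)")

local ENCAP_PORT = 9999  -- placeholder for the question's unspecified port XXXX
local SKIP_LEN   = 42    -- fixed header length stated in the question

local f_hdr = ProtoField.bytes("udpencap.header", "Encapsulation header")
encap.fields = { f_hdr }

-- Assumption: the inner frame is Ethernet without a trailing FCS.
local inner = Dissector.get("eth_withoutfcs")

function encap.dissector(tvb, pinfo, tree)
    -- Truncated or unrelated datagram on this port: decline instead of
    -- reading past the end of the captured data.
    if tvb:len() <= SKIP_LEN then
        return 0
    end

    pinfo.cols.protocol = "UDPENCAP"

    -- Show the skipped bytes so they remain inspectable and filterable.
    local subtree = tree:add(encap, tvb(0, SKIP_LEN))
    subtree:add(f_hdr, tvb(0, SKIP_LEN))

    -- New Tvb starting at the inner frame; the Ethernet dissector takes over
    -- and chains to IP, TCP/UDP and so on as usual.
    inner:call(tvb(SKIP_LEN):tvb(), pinfo, tree)
    return tvb:len()
end

-- Called for every UDP datagram whose source or destination port matches.
DissectorTable.get("udp.port"):add(ENCAP_PORT, encap)
```

Dissection runs per packet as frames arrive, so the same script applies to live captures and to saved files; inner-protocol display filters then match the decapsulated traffic.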

last updated: 10 Mar '14, 06:40