We have built a custom dissector for udp, and would like to be able to filter on specific bits rather than bytes. Is this possible? I believe it may be a combination of frame slicing and bitmask and, but have been unsuccessful so far.
asked 19 Aug '14, 14:39
Yes, this is possible, but whether by design or mistake, it's certainly not always intuitive. As you mentioned, you would use a combination of frame slicing and bitmask operators.
For example, if you wanted to test if the least significant bit of the first UDP byte was set, you could use:
If you wanted to test if the least significant bit was set and the most significant bit was set, you could NOT use this though:
The reason you can't use that is because it will match packets where either the most signifcant bit is set or the least significant bit is set, but not necessarily packets where both bits are set. In order to test that both bits are set, the intuitive way would be to use something like follows, which unfortunately you can't do because Wireshark's display filter syntax apparently doesn't support this:
Therefore, the way to accomplish this is to test each bit individually using something like so:
And if you wanted to test if a bit is NOT set, then you can use the
This can be a pain to write if you have a lot of bits to test, but at least you can save your filter and avoid having to retype this every time. A display filter macro might also be useful here as well.
See also the Bit field operations section of the Wireshark filter syntax and reference page.
answered 26 Aug '14, 14:46
edited 27 Aug '14, 07:42