
Filter udp frame by bit instead of byte


We have built a custom dissector for udp, and would like to be able to filter on specific bits rather than bytes. Is this possible? I believe it may be a combination of frame slicing and bitmask and, but have been unsuccessful so far.

asked 19 Aug '14, 14:39


hls


One Answer:


Yes, this is possible, but whether by design or mistake, it's certainly not always intuitive. As you mentioned, you would use a combination of frame slicing and bitmask operators.

For example, if you wanted to test if the least significant bit of the first UDP byte was set, you could use: udp[0] & 1

If you wanted to test if the least significant bit was set and the most significant bit was set, you could NOT use this though: udp[0] & 81

The reason you can't use that is because it will match packets where either the most significant bit is set or the least significant bit is set, but not necessarily packets where both bits are set. In order to test that both bits are set, the intuitive way would be to use something like follows, which unfortunately you can't do because Wireshark's display filter syntax apparently doesn't support this: (udp[0] & 81) == 81

Therefore, the way to accomplish this is to test each bit individually using something like so: (udp[0] & 80) && (udp[0] & 1)

And if you wanted to test if a bit is NOT set, then you can use the ! operator. For example, to test that the most significant bit is set and the least significant bit is not set, use: (udp[0] & 80) && !(udp[0] & 1)

This can be a pain to write if you have a lot of bits to test, but at least you can save your filter and avoid having to retype this every time. A display filter macro might also be useful here as well.

See also the Bit field operations section of the Wireshark filter syntax and reference page.

answered 26 Aug '14, 14:46


cmaynard ♦♦

edited 27 Aug '14, 07:42

Thank you! This seems to be working, even though it could be a slight pain, it's better than nothing! Thanks again

(27 Aug '14, 17:00) hls
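The answer above explains why a single "udp[0] & 81" term tests "either bit" rather than "both bits", and notes that writing one term per bit gets tedious. The following Python script is an added example, not code from the original thread or from the Wireshark project: it generates a display filter string of the form the answer recommends (one "(proto[offset] & mask)" term per required bit, negated with "!" for bits that must be clear) and evaluates the same condition locally against constructed sample bytes, so the difference between the naive single-mask test and the per-bit conjunction can be seen side by side. The masks are written as two-digit hex byte strings (80, 01), which is an assumption about the clearest form for Wireshark's byte-slice syntax; the answer uses "80" and "1". The payload bytes and the protocol name "udp" are constructed inputs chosen to match the answer's examples.

```python
"""Build Wireshark-style bit-test display filters and check them locally.

Added example for the thread above (not original Q&A content). A Wireshark
byte-slice AND such as `udp[0] & 81` is true when ANY masked bit is set,
so a filter that must match only when ALL selected bits are set needs one
term per bit, joined with &&. Bits that must be clear get a negated term.
"""
from typing import List


def bit_filter(proto: str, offset: int, set_bits: int, clear_bits: int = 0) -> str:
    """Return a display filter requiring `set_bits` on and `clear_bits` off
    in the byte at proto[offset]. Masks are 8-bit values, e.g. 0x80 for the
    most significant bit and 0x01 for the least significant bit."""
    if set_bits & clear_bits:
        raise ValueError("a bit cannot be required both set and clear")
    if not 0 <= set_bits <= 0xFF or not 0 <= clear_bits <= 0xFF:
        raise ValueError("masks must fit in one byte")
    terms: List[str] = []
    for bit in range(7, -1, -1):          # emit high bits first for readability
        mask = 1 << bit
        if set_bits & mask:
            terms.append(f"({proto}[{offset}] & {mask:02x})")
        elif clear_bits & mask:
            terms.append(f"!({proto}[{offset}] & {mask:02x})")
    if not terms:
        raise ValueError("no bits selected")
    return " && ".join(terms)


def matches(payload: bytes, offset: int, set_bits: int, clear_bits: int = 0) -> bool:
    """Local evaluation of the condition bit_filter() expresses:
    every bit in set_bits is on AND every bit in clear_bits is off."""
    if offset >= len(payload):
        return False
    b = payload[offset]
    return (b & set_bits) == set_bits and (b & clear_bits) == 0


def naive_matches(payload: bytes, offset: int, mask: int) -> bool:
    """What a single `proto[offset] & mask` term actually tests:
    true as soon as ANY bit of the mask is set."""
    if offset >= len(payload):
        return False
    return bool(payload[offset] & mask)


# Constructed sample first bytes (not captured traffic): the bit patterns
# the answer discusses, plus a neighbour that has neither bit set.
SAMPLES = {
    "both set (0x81)":     bytes([0x81, 0x00, 0x00, 0x00]),
    "only MSB set (0x80)": bytes([0x80, 0x00, 0x00, 0x00]),
    "only LSB set (0x01)": bytes([0x01, 0x00, 0x00, 0x00]),
    "neither set (0x7e)":  bytes([0x7E, 0x00, 0x00, 0x00]),
}


def demo() -> dict:
    """Compare the naive single-mask test with the per-bit conjunction."""
    results = {}
    for label, pkt in SAMPLES.items():
        results[label] = {
            "naive  udp[0] & 81":           naive_matches(pkt, 0, 0x81),
            "both   " + bit_filter("udp", 0, 0x81): matches(pkt, 0, 0x81),
            "MSB&!LSB " + bit_filter("udp", 0, 0x80, 0x01): matches(pkt, 0, 0x80, 0x01),
        }
    return results


if __name__ == "__main__":
    print("both bits set   :", bit_filter("udp", 0, 0x81))
    print("MSB set, LSB off:", bit_filter("udp", 0, 0x80, 0x01))
    for label, row in demo().items():
        print(label)
        for test, hit in row.items():
            print(f"  {'match' if hit else '  -  '}  {test}")
```

Running the script prints the two filter strings and a table showing that the naive mask matches three of the four sample bytes while the per-bit conjunction matches only 0x81. The generated strings can be pasted into the Wireshark filter bar or saved as a display filter macro, as the answer suggests, once the generator is pointed at the right protocol name and byte offset for your dissector.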