Wireshark-users: Re: [Wireshark-users] Filter UDP from IP in UDP transport
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 10 Jul 2007 12:32:35 -0700
Scott Sheppard wrote:

> I have a dataset where IP is transported in UDP.
>
> For each packet in the Wireshark pcap capture I need to strip the first 50 bytes.
>
> I would like to then have a new file with just the IP packets free of the encapsulating UDP wrapper.
>
> I have been working with Filter Display but I am at a loss.

That's not the kind of filtering that display filters do. They don't filter out parts of packets - they filter out particular packets.

There's nothing in Wireshark to do what you want; you'd have to write your own program to do that. Wireshark's native file format is libpcap format, so you could use libpcap/WinPcap to read the packets. However, what you get from libpcap/WinPcap is the raw packet data, so you'd have to filter out the link-layer/IP/UDP headers, leaving the encapsulated IP headers. (You'd want to write the file with a link-layer type of DLT_RAW.)

Alternatively, if the problem is that Wireshark only displays the encapsulated IP datagrams as raw data, you could write a dissector for IP-over-UDP, and configure it to dissect UDP packets to or from the appropriate UDP port number.
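
The program described in the reply could look like the following. This is an added example, not code from the original message or from Wireshark: it reads the classic pcap file format directly with Python's `struct` module instead of going through libpcap, and it computes the strip offset from the headers rather than assuming a fixed byte count. Assumptions: an Ethernet capture with an IPv4 outer header; `extra` is a hypothetical parameter for a fixed-size shim between the UDP header and the inner datagram; `sample_capture` builds a constructed test file with checksums left at zero.

```python
import struct

LINKTYPE_ETHERNET, LINKTYPE_RAW = 1, 101   # 101 is the file-header value for DLT_RAW

def inner_offset(frame, extra=0):
    """Offset of the encapsulated IP datagram in an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # too short, or outer is not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                         # outer IP header length (options!)
    if ihl < 20 or frame[23] != 17:                      # protocol 17 = UDP
        return None
    off = 14 + ihl + 8 + extra                           # Ethernet + IP + UDP (+ shim)
    if len(frame) <= off or frame[off] >> 4 not in (4, 6):
        return None                                      # payload is not an IP datagram
    return off

def decapsulate(pcap, extra=0):
    """Return pcap bytes holding only the inner IP datagrams, link type RAW."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic (microsecond) pcap file")
    hdr = list(struct.unpack(end + "HHiIII", pcap[4:24]))
    if hdr[5] != LINKTYPE_ETHERNET:
        raise ValueError("this sketch only handles Ethernet captures")
    hdr[5] = LINKTYPE_RAW
    out, pos = [pcap[:4] + struct.pack(end + "HHiIII", *hdr)], 24
    while pos + 16 <= len(pcap):
        sec, usec, caplen, origlen = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < caplen:
            break                                        # file cut off mid-record
        off = inner_offset(frame, extra)
        if off is not None:                              # drop everything that is not IP-in-UDP
            inner = frame[off:]
            out.append(struct.pack(end + "IIII", sec, usec, len(inner),
                                   max(origlen - off, len(inner))) + inner)
    return b"".join(out)

def sample_capture():
    """Constructed two-packet capture: one IPv4-in-UDP frame, one ARP frame."""
    inner = bytes([0x45, 0, 0, 24, 0, 0, 0, 0, 64, 1, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2]) + b"ping"
    outer_ip = bytes([0x45, 0, 0, 52, 0, 0, 0, 0, 64, 17, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2])
    udp = struct.pack(">HHHH", 40000, 40000, 8 + len(inner), 0)
    frames = [bytes(12) + b"\x08\x00" + outer_ip + udp + inner, bytes(12) + b"\x08\x06" + bytes(28)]
    head = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return head + b"".join(struct.pack("<IIII", 1, 0, len(f), len(f)) + f for f in frames), inner
```

Packets that are not IP-in-UDP (the ARP frame in the sample) are dropped rather than written with a bogus offset, and fragmented outer datagrams are not reassembled.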