On May 13, 2008, at 12:16 PM, vijaya n wrote:
> I am not that familiar with the filters of wireshark while capturing
> and displaying.
> I went through the filters section of the documents page. All the
> filters mentioned in the help sections are present for selective
> acceptance of the packet based on filters and doing a selective
> display. Once the packet successfully goes through the filter, the
> entire packet with all the headers is stored in the capture file.

Yes. That's what the filters are intended to do.

> My requirement is once the packet clears the filter [ say ip =
> 11:22:33:44 ], can wireshark rip all the protocol headers and store
> only the payload/data part of a udp packet while storing it to a
> file?
> I do not want wireshark to store the entire packets. I want it to
> capture in a file only the data part of a udp packet. Is this doable
> through the filters and dissectors part of wireshark or tcpdump?

No. That is not what the filters are intended to do.
You could try using the "Follow UDP Stream" mechanism and saving the
result. That will just concatenate the UDP packet payloads, with no
separation between them, so you will lose UDP packet boundaries if you
do this!
There is no provision in libpcap format for a capture that has UDP
packets, each one of which is in a separate record, with time stamps.
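
An added example, not part of the original message and not Wireshark or libpcap code: a post-processing script that reads a finished capture and keeps each UDP payload as its own timestamped record, so the packet boundaries lost by "Follow UDP Stream" survive. It assumes a classic microsecond pcap file with Ethernet link type and unfragmented IPv4; the function names, the output record layout and the sample capture are constructed for illustration.

```python
import struct

def udp_payloads(pcap):
    """Yield (sec, usec, payload) per unfragmented Ethernet/IPv4/UDP packet in a classic pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or len(pcap) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4 (VLAN tags not handled)
            continue
        ihl = (frame[14] & 0x0F) * 4
        frag = struct.unpack("!H", frame[20:22])[0] & 0x3FFF  # MF bit + fragment offset
        if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 17 or frag:
            continue  # not UDP, or a fragment that would need reassembly
        udp = 14 + ihl
        if len(frame) < udp + 8:
            continue
        udp_len = struct.unpack("!H", frame[udp + 4:udp + 6])[0]
        if udp_len < 8:
            continue
        # The UDP length field, not the frame size, bounds the payload, so
        # Ethernet padding is dropped; a snaplen-truncated packet yields less.
        yield sec, usec, frame[udp + 8:udp + udp_len]

def to_records(pcap):
    """Hypothetical output format: sec, usec, length (big-endian), then the payload."""
    return b"".join(struct.pack("!IIH", s, u, len(p)) + p for s, u, p in udp_payloads(pcap))

def _frame(proto, payload):
    # Constructed sample frame: Ethernet + IPv4 (no options) + 8-byte header, padded to 60.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    l4 = struct.pack("!HHHH", 5000, 5001, 8 + len(payload), 0)
    return (b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload).ljust(60, b"\x00")

def sample_pcap():
    # Constructed capture: two UDP packets with one non-UDP packet between them.
    pkts = [(1, 10, _frame(17, b"ab")), (1, 20, _frame(6, b"xyz")), (2, 30, _frame(17, b"cdef"))]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", s, u, len(f), len(f)) + f for s, u, f in pkts)
```

Calling `to_records(open(path, "rb").read())` on a capture already narrowed by a capture filter gives a file of payload-only records.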