First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

Display filter udp slice not working in udp payload

  • retag add tags

Using Wireshark 4.2.0, display filter udp[8]==8C produces no results in the example below. With version 3.6.1, the frame is displayed.

With 4.2.0 udp.payload[0]==8C and data.data[0]==8C work, but that makes complex filters way too long. Any slices for bytes 0 through 7 are good (UDP header). Did I miss the memo that udp[n] slicing into the UDP payload no longer works?

wireshark screenshot

gvaeth's avatar
1
gvaeth
asked 2023-11-18 04:25:17 +0000, updated 2023-11-18 04:31:26 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

0

I can reproduce this, also with version 4.0.x and automated build 4.3.0rc0-736-g47a4d7f48061. In Wireshark 3.6.18 it still worked. There has been some major work done on the Display filter engine in version 4.0 and 4.2, so it seems this is an overlooked use-case which has resulted in a bug.

Could you please add an issue to the Wireshark Issue Tracker for this bug?

SYN-bit's avatar
18.5k
SYN-bit
answered 2023-11-19 18:54:46 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Thanks for confirming.

Issue added: UDP slice display filter fails on UDP payload

gvaeth's avatar gvaeth (2023-11-19 22:26:11 +0000) edit
more
  • delete

Thank you!

SYN-bit's avatar SYN-bit (2023-11-19 23:13:38 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer