Capture only UDP traffic that cannot be identified as another protocol

1

I have applied the udp filter in order to just capture UDP traffic, as described in Wireshark Wiki:

Show only the UDP based traffic: udp

However, this does not only show UDP traffic. It shows UDP traffic and everything that builds on top of UDP.

Since I want to analyze our own UDP traffic only and I have not implemented a dissector yet, I am looking for a way to show only UDP traffic that cannot be identified as any other protocol.

I'd like to avoid adding a list of protocols to exclude, e.g. avoid the long list of other protocols in my filter:

udp && !http && !dhcpv6 && !bootp && !smb && !cldap && !mdns && !llmnr

How can I capture only UDP traffic that cannot be identified as another protocol?

Thomas Weller

Posted 2015-11-24T09:43:49.877

Reputation: 4 102

Why don't you filter the specific UDP port that you're using? – user1686 – 2015-11-24T09:58:04.877

@grawity: each of our devices uses a different port. It is possible to find out the ports once I find packet of our devices, but I'd like to avoid the extra step – Thomas Weller – 2015-11-24T10:02:33.463

Answers

1

First note that you're working with Wireshark's display filters, separate (and very different) from libpcap's capture filters. (libpcap itself has a udp filter, but it only understands very few protocols. So you'll be capturing everything, but filtering the displayed list.)

In Wireshark, the "Frame" section has various metadata about the dissected packet, for example:

Protocols in frame: eth:ethertype:ip:udp:dns

This corresponds to the frame.protocols field. Now apply a regex match using ~ or matches:

udp && frame.protocols ~ ":udp$"

This will match all packets where the last recognized protocol was UDP (i.e. frame.protocols ends with the text :udp). Be careful – some traffic might be mis-detected as some obscure protocol even though it isn't.

(The udp && prefix is an optimization – a protocol match might be more efficient for discarding non-UDP traffic than a string regex match.)

user1686

Posted 2015-11-24T09:43:49.877

Reputation: 283 655

It seems I need frame.protocols ~ ":udp:data$" - maybe that is new in Wireshark 2.0 – Thomas Weller – 2015-11-24T10:08:29.580
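The filter logic from the answer and the Wireshark 2.0 variant from the comment, emulated over constructed records so the behaviour can be checked offline (an added example, not code from the original post). The records are made up to look like the output of tshark -T fields -e frame.protocols -e udp.dstport; the ":udp:data" form reflects the comment above that Wireshark 2.0 runs the generic data dissector on undissected payloads. The function names and the combined display-filter string are my own.

```python
"""Emulate the 'unidentified UDP' display filter over constructed frame records.

Added example, not part of the original post. Records mimic what
`tshark -T fields -e frame.protocols -e udp.dstport` prints (assumption).
"""
import re

# Regex from the answer: the dissector chain ends at "udp" (Wireshark < 2.0).
UNIDENTIFIED_UDP_RE = re.compile(r":udp$")
# Variant from the comment: Wireshark 2.0 appends the generic "data" dissector
# to payloads it could not identify, so the chain ends with ":udp:data".
UNIDENTIFIED_UDP_DATA_RE = re.compile(r":udp:data$")

# Constructed sample frames (not captured data). Port 40001/40002 stand in
# for the questioner's own devices, each on a different port.
SAMPLE_FRAMES = [
    {"frame.protocols": "eth:ethertype:ip:udp:dns", "udp.dstport": 53},
    {"frame.protocols": "eth:ethertype:ipv6:udp:dhcpv6", "udp.dstport": 547},
    {"frame.protocols": "eth:ethertype:ip:udp:data", "udp.dstport": 40001},
    {"frame.protocols": "eth:ethertype:ip:udp", "udp.dstport": 40002},
    {"frame.protocols": "eth:ethertype:ip:tcp:http", "udp.dstport": None},
    {"frame.protocols": "eth:ethertype:ip:udp:mdns", "udp.dstport": 5353},
]


def is_unidentified_udp(protocols: str) -> bool:
    """True if the last recognised protocol is UDP (or UDP followed only by 'data')."""
    # Equivalent of the 'udp &&' prefix: cheap membership test before the regex.
    if "udp" not in protocols.split(":"):
        return False
    return bool(
        UNIDENTIFIED_UDP_RE.search(protocols)
        or UNIDENTIFIED_UDP_DATA_RE.search(protocols)
    )


def unidentified_udp_ports(frames) -> list:
    """Destination ports of all unidentified UDP frames, sorted and de-duplicated.

    This is the 'extra step' from the comments (finding each device's port)
    folded into a single pass over the filtered frames.
    """
    return sorted(
        f["udp.dstport"]
        for f in frames
        if is_unidentified_udp(f["frame.protocols"])
    )


def display_filter() -> str:
    """Display filter string covering both the pre-2.0 and the 2.0 chain endings.

    Usable as `tshark -Y "<filter>"` or in the Wireshark filter bar (assumption:
    both regex alternatives are accepted, as they use the documented `~` operator).
    """
    return 'udp && (frame.protocols ~ ":udp$" || frame.protocols ~ ":udp:data$")'


if __name__ == "__main__":
    print("filter:", display_filter())
    for frame in SAMPLE_FRAMES:
        keep = is_unidentified_udp(frame["frame.protocols"])
        print(f'{"KEEP" if keep else "drop"}  {frame["frame.protocols"]}')
    print("ports of unidentified UDP senders:", unidentified_udp_ports(SAMPLE_FRAMES))
```

Running the block prints which constructed chains survive the filter and the two device ports; with real data, feed the tshark field output into the same functions instead of SAMPLE_FRAMES. The caveat from the answer still applies: a payload that a heuristic dissector mis-identifies will end with that protocol's name and be dropped.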