Wireshark mailing list archives

Capture filter expression


From: Juanjo Martin Carrascosa <juanjo () rti com>
Date: Wed, 12 Sep 2018 12:06:14 +0200

Hi everyone,

In the RTPS protocol (IP -> UDP -> RTPS) the payload is identified with the
first 4 bytes of the UDP payload (it literally contains "RTPS").

The problem is that when RTPS packets are bigger than 1500 bytes, they are
formed by 2+ IP fragments where only the first one contains the RTPS magic
word.

That is why this capture filter:

"(udp[8] == 'R' && udp[9] == 'T' && udp[10] == 'P' && udp[11] == 'S')"

would not work, because this is true only for the first IP fragment. I have
tested and verified that other IP fragments (2nd and beyond) are not
captured.

1) Is there any way to configure Wireshark, pcap or ANYTHING to make it
reassemble the fragments first and then evaluate the capture filter?

2) Can you think of another way to write a capture filter to only capture
RTPS traffic?

Regards,
Juanjo Martin
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
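The behaviour described in the post, as an added illustration that is not part of the original message: libpcap compiles `udp[...]` offsets with an implicit "fragment offset == 0" check, so a filter on UDP payload bytes can only ever match the first IPv4 fragment, because later fragments carry no UDP header at all. The Python below constructs a synthetic capture (one RTPS datagram large enough to be split into two IPv4 fragments, plus one unrelated UDP packet; the addresses, ports and payload bytes are made up), emulates the payload-byte filter and a fragment-aware variant, `(udp[8:4] == 0x52545053) or (ip[6:2] & 0x1fff != 0)`, which is a standard libpcap idiom for "first fragment with the magic, or any non-first fragment", and then reassembles the captured fragments and applies the RTPS check only after reassembly, which is what a display filter can do but a capture filter cannot. The filter-emulation and reassembly code is mine, not Wireshark's or libpcap's.

```python
import struct
from collections import defaultdict

UDP = 17

def build_ipv4(src, dst, ident, mf, frag_offset_units, proto, payload):
    """Minimal IPv4 header (no options) in front of payload.
    frag_offset_units is in 8-byte units, exactly as carried on the wire."""
    flags_frag = (0x2000 if mf else 0) | (frag_offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, bytes(src), bytes(dst))
    return hdr + payload

def build_udp(sport, dport, payload):
    """UDP header with checksum left at 0 (legal for IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    return {
        "src": pkt[12:16], "dst": pkt[16:20],
        "id": struct.unpack("!H", pkt[4:6])[0], "proto": pkt[9],
        "mf": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,   # byte offset into the datagram
        "payload": pkt[ihl:],
    }

def fragment(src, dst, ident, proto, l4_bytes, mtu=1500):
    """Split a transport-layer datagram into IPv4 fragments like a sending host."""
    chunk = (mtu - 20) // 8 * 8          # 1480: fragment data is a multiple of 8
    frags = []
    for off in range(0, len(l4_bytes), chunk):
        piece = l4_bytes[off:off + chunk]
        more = off + chunk < len(l4_bytes)
        frags.append(build_ipv4(src, dst, ident, more, off // 8, proto, piece))
    return frags

def naive_filter(pkt):
    """Emulates the capture filter udp[8:4] == 0x52545053 ('RTPS').
    libpcap only evaluates udp[...] on packets whose fragment offset is 0."""
    h = parse_ipv4(pkt)
    return h["proto"] == UDP and h["offset"] == 0 and h["payload"][8:12] == b"RTPS"

def fragment_aware_filter(pkt):
    """Emulates (udp[8:4] == 0x52545053) or (ip[6:2] & 0x1fff != 0):
    RTPS first fragments plus every non-first IPv4 fragment of any protocol."""
    return naive_filter(pkt) or parse_ipv4(pkt)["offset"] != 0

def reassemble(pkts):
    """Group IPv4 fragments by (src, dst, id, proto) and rebuild complete datagrams.
    Returns a list of (key, transport_layer_bytes); incomplete groups are dropped."""
    groups = defaultdict(list)
    for p in pkts:
        h = parse_ipv4(p)
        groups[(h["src"], h["dst"], h["id"], h["proto"])].append(h)
    out = []
    for key, frags in groups.items():
        frags.sort(key=lambda h: h["offset"])
        data, expected = b"", 0
        for h in frags:
            if h["offset"] != expected:
                break                     # gap in the fragment chain
            data += h["payload"]
            expected += len(h["payload"])
        else:
            if not frags[-1]["mf"]:       # last fragment seen: datagram complete
                out.append((key, data))
    return out

def rtps_datagrams(pkts):
    """'Reassemble first, then filter': the RTPS magic is checked on whole datagrams."""
    return [d for k, d in reassemble(pkts) if k[3] == UDP and d[8:12] == b"RTPS"]

# Constructed sample traffic (addresses, ports and payload bytes are made up).
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
RTPS_DATAGRAM = build_udp(7400, 7401, b"RTPS" + b"\x02\x03\x01\x01" + b"\x00" * 12 + b"A" * 1600)
OTHER_DATAGRAM = build_udp(5353, 5353, b"\x00" * 64)   # unrelated small UDP packet
CAPTURE = fragment(SRC, DST, 1, UDP, RTPS_DATAGRAM) + fragment(SRC, DST, 2, UDP, OTHER_DATAGRAM)

if __name__ == "__main__":
    for name, flt in (("udp[8:4]==RTPS", naive_filter), ("fragment-aware", fragment_aware_filter)):
        kept = [p for p in CAPTURE if flt(p)]
        print(f"{name}: kept {len(kept)}/{len(CAPTURE)} packets, "
              f"reassembled RTPS datagrams: {len(rtps_datagrams(kept))}")
```

Run as a script, the payload-byte filter keeps only the first fragment, so no RTPS datagram can be reassembled from what it captured; the fragment-aware filter keeps both fragments and the datagram reassembles cleanly. The price is over-capture: every non-first fragment on the link is kept, whatever protocol it belongs to, so the capture still has to be narrowed afterwards with a display filter once Wireshark has reassembled the fragments.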
