Scott Sheppard wrote:

> I have a dataset where IP is transported in UDP
>
> For each packet in the Wireshark pcap capture I need to strip the first
> 50 bytes.
>
> I would like to then have a new file with just the IP packets free of
> the encapsulating UDP wrapper.
>
> I have been working with Filter Display but I am at a loss.

That's not the kind of filtering that display filters do. They don't filter out parts of packets - they filter out particular packets.

There's nothing in Wireshark to do what you want; you'd have to write your own program to do that. Wireshark's native file format is libpcap format, so you could use libpcap/WinPcap to read the packets. However, what you get from libpcap/WinPcap is the raw packet data, so you'd have to filter the link-layer/IP/UDP headers out, leaving the encapsulated IP headers. (You'd want to write the file with a link-layer type of DLT_RAW.)

Alternatively, if the problem is that Wireshark only displays the encapsulated IP datagrams as raw data, you could write a dissector for IP-over-UDP, and configure it to dissect UDP packets to or from the appropriate UDP port number.

_______________________________________________
Wireshark-users mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-users
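
The program the reply describes (read each record, drop the outer headers, write a raw-IP capture), sketched in Python as an added example that is not code from the original post or from Wireshark. It parses the classic pcap file format directly instead of calling libpcap; the function names and sample packets are constructed for illustration, and the 50-byte offset is the figure from the question.

```python
import struct

LINKTYPE_RAW = 101  # value stored in the pcap file header for DLT_RAW (raw IP)
MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # microsecond / nanosecond timestamp variants


def strip_outer_headers(pcap: bytes, strip_len: int = 50):
    """Return (new_pcap_bytes, kept, skipped) with strip_len bytes removed per packet."""
    if len(pcap) < 24:
        raise ValueError("truncated pcap global header")
    # The magic number tells us the byte order the file was written in.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", pcap[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    magic, vmaj, vmin, zone, sigfigs, snaplen, _ = struct.unpack(endian + "IHHiIII", pcap[:24])
    out = [struct.pack(endian + "IHHiIII", magic, vmaj, vmin, zone, sigfigs, snaplen, LINKTYPE_RAW)]
    kept = skipped = 0
    off = 24
    while off + 16 <= len(pcap):
        sec, frac, caplen, origlen = struct.unpack(endian + "IIII", pcap[off:off + 16])
        data = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        inner = data[strip_len:]
        # Keep only records whose remainder begins with an IPv4 or IPv6 version nibble;
        # short, truncated or non-IP records are counted and dropped, not written.
        if len(data) < caplen or not inner or inner[0] >> 4 not in (4, 6):
            skipped += 1
            continue
        out.append(struct.pack(endian + "IIII", sec, frac, len(inner), max(origlen - strip_len, len(inner))))
        out.append(inner)
        kept += 1
    return b"".join(out), kept, skipped


def build_sample() -> bytes:
    """Constructed input: one 50-byte wrapper + 20-byte IPv4 header, one 30-byte runt."""
    inner = bytes([0x45]) + bytes(19)
    pkts = [bytes(50) + inner, bytes(30)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in pkts)


if __name__ == "__main__":
    new_pcap, kept, skipped = strip_outer_headers(build_sample())
    print(kept, skipped, len(new_pcap))
```

A non-zero skipped count on a real capture is worth checking before trusting the output, since it means some records were shorter than the offset or did not contain IP at that position.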
