Reputation: 45
So I am trying to make a program that parses certain UDP packets on my network. To do this I use SharpPcap and C#. I have this filter expression and it works flawlessly in Wireshark: udp and frame.protocols==eth:ethertype:ip:udp:data
However, when I try to implement this in my C# application I get an exception because the filter expression is not BPF-valid (I think).
Does anyone have an idea what the correct syntax would be to achieve the same thing in BPF?
Upvotes: 3
Views: 1721
Reputation: 24460
Seems like you are mixing Capture Filters and Display Filters. The udp part of your filter seems to be a Capture Filter, while the rest is a Display Filter. The display filter just hides some results in Wireshark, while the Capture Filter actually cuts away packages that do not match the filter. Refer to the pcap filter documentation on how to construct a filter: https://www.tcpdump.org/manpages/pcap-filter.7.html
So your pcap filter in your case is essentially udp; you are interested in UDP packages only.
The Display Filter part is up to you to do in your code when you inspect the packages.
Upvotes: 4