Scott Sheppard wrote:
> I have a dataset where IP is transported in UDP.
> For each packet in the Wireshark pcap capture I need to strip the first
> 50 bytes.
> I would like to then have a new file with just the IP packets free of
> the encapsulating UDP wrapper.
> I have been working with Filter Display but I am at a loss.

That's not the kind of filtering that display filters do. They don't
filter out parts of packets - they filter out particular packets.
There's nothing in Wireshark to do what you want; you'd have to write
your own program to do that. Wireshark's native file format is libpcap
format, so you could use libpcap/WinPcap to read the packets. However,
what you get from libpcap/WinPcap is the raw packet data, so you'd have
to filter the link-layer/IP/UDP headers out, leaving the
encapsulated IP headers. (You'd want to write the file with a
link-layer type of DLT_RAW.)
Alternatively, if the problem is that Wireshark only displays the
encapsulated IP datagrams as raw data, you could write a dissector for
IP-over-UDP, and configure it to dissect UDP packets to or from the
appropriate UDP port number.
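
The program the reply describes, as an added example that is not part of the original thread: it rewrites a capture with the leading bytes of every packet removed and the link-layer type set to raw IP. It reads the classic pcap file format directly with the Python standard library instead of going through libpcap/WinPcap, takes the 50-byte offset from the question as its default, and the names `strip_outer` and `sample_capture` are hypothetical.

```python
import struct

LINKTYPE_RAW = 101                 # link-type value stored in the file for raw IP (DLT_RAW)
MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # classic pcap: microsecond and nanosecond timestamps

def strip_outer(pcap: bytes, strip: int = 50) -> bytes:
    """Return a new pcap with the first `strip` bytes removed from every packet."""
    for endian in ("<", ">"):      # the magic number tells us the writer's byte order
        if len(pcap) >= 24 and struct.unpack(endian + "I", pcap[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    hdr = struct.unpack(endian + "IHHiIII", pcap[:24])
    # Copy the global header but replace the link-layer type.
    out = [struct.pack(endian + "IHHiIII", *hdr[:6], LINKTYPE_RAW)]
    pos = 24
    while pos + 16 <= len(pcap):
        ts_sec, ts_frac, incl, orig = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        data = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(data) < incl:
            break                  # truncated final record
        if incl <= strip:
            continue               # no inner packet left after the wrapper: drop it
        inner = data[strip:]
        # Both lengths shrink; orig_len stays >= incl_len if the packet was snapped.
        out.append(struct.pack(endian + "IIII", ts_sec, ts_frac,
                               len(inner), max(orig - strip, len(inner))))
        out.append(inner)
    return b"".join(out)

def sample_capture() -> bytes:
    """Constructed input: two records, the second too short to hold an inner packet."""
    inner = bytes.fromhex("4500001400000000400100000a0000010a000002")  # bare IPv4 header
    records = [bytes(50) + inner, bytes(30)]   # 50 filler bytes stand in for the wrapper
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, rec in enumerate(records):
        blob += struct.pack("<IIII", 1000 + i, 0, len(rec), len(rec)) + rec
    return blob

if __name__ == "__main__":
    import sys                     # usage: script.py in.pcap out.pcap
    with open(sys.argv[1], "rb") as src:
        stripped = strip_outer(src.read())
    with open(sys.argv[2], "wb") as dst:
        dst.write(stripped)
```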