Wireshark-users: [Wireshark-users] Capture filter expression

From: Juanjo Martin Carrascosa <juanjo@xxxxxxx>
Date: Wed, 12 Sep 2018 12:06:14 +0200
Hi everyone,

In the RTPS protocol (IP -> UDP -> RTPS) the payload is identified with the first 4 bytes of the UDP payload (it literally contains "RTPS"). 

The problem is that when RTPS packets are bigger than 1500 bytes, they are formed by 2+ IP fragments where only the first one contains the RTPS magic word.

That is why this capture filter:

"(udp[8] == 'R' && udp[9] == 'T'  && udp[10] == 'P' && udp[11] == 'S')

would not work, because this is true only for the first IP fragment. I have tested and verified that other IP fragments (2nd and beyond) are not captured.

1) Is there any way to configure Wireshark, pcap or ANYTHING to make it reassemble the fragments first and then evaluate the capture filter?

2) Can you think of another way to write a capture filter to only capture RTPS traffic?

Regards,
Juanjo Martin