wireshark capture filter for specific UDP bytes - udp

I need a capture filter for wireshark that will match two bytes in the UDP payload. I've seen filters with
UDP[8:4]
as matching criteria but there was no explanation of the syntax, and I can't find it in any wireshark wiki (needle in the haystack thing).
I need to only capture UDP 5361, and only packets that have the bytes 8C:61 as the third and fourth bytes in the payload. Something like
udp port 5361 and udp[2:2]=8C:61
But I'm guessing at this of course. Thanks for any help...

Stumbled on it:
udp port 5361 and udp[10:2]==0x8C61
UDP data field (payload) starts at offset 8, and I'm looking at payload bytes 3 and 4. The tip was in WireShark Wiki, after all.

Related

Is 576 bytes the safe size for UDP payload to eliminate fragmentation?

The safe size of a datagram packet (considering the MTU such that packet will not get fragmented) is said to be 576 bytes for IPV4 and 1500 for IPV6.
Is this correct ?
If i am having a connection from my machine to a server in another country, two of which communicate using UDP, what is the maximum (safest) payload size i should have for the UDP packet, 1500 or 576 ?
Thank you
No. That's the safe size of the total IP packet.
534.
I found the real IP address in my local network. Then, I used recommendations at "www dot asus dot com/support/FAQ/1007914" in order to "check the best value of MTU(Maximum Transmission Unit) for the internet".

Recvfrom() return value

Im using UDP packets and I want to be cleared about some points :
1 - what exactly does "recvfrom" Returns ? I mean if i send a packet with size of 450 byte + 20 byte of IP header + 8 byte UDP header does recvfrom returns 478 bytes as a whole or there could be something like :
it received 10 bytes,300 bytes,100 bytes,68 bytes ?
2 - does the return value of "recvfrom" related to packet fragmentation ?
note :
* Im talking with the assumption that "recvfrom" was successful
* I chose 450 byte to be sure that Im less than the min MTU
For an UDP socket, recvfrom() reads the UDP data. So it returns 450 , provided you supply a buffer that is at least 450 bytes big.
If you supply a buffer that is smaller than the received data, the data will be truncated, and recvfrom() will read as much data as can fit in the buffer you give it.
The IP layer will be the part that fragments an UDP packet, on the receiving host it will reassemble it. This is transparent to the sending/receiving application.

Confused about the header size for a Ethernet frame

I was researching a few things about VLANs and came across the VLAN tag and also the headers.
If we have a MTU for a standard 802.3 Ethernet frame (1518 bytes) what is included in the header 802.3?
Also how do we calculate the header length for that?
What is the difference between 802.3 and 802.1q? I know that the VLAN tag requires extra bytes but how to calculate how many bytes needed to the 802.1q VLAN tag?
Thanks in advance
A regular 802.3/Eth-II ethernet frame doesn't carry VLAN info.
802.1Q can carry VLAN (and QoS) info over to the receiving end.
If the ethertype is 0x8100 then you got yourself an 802.1Q tag which is another 4 bytes in addition to the 14 bytes (dmac+smac+type).
See wikipedia for reference. http://en.wikipedia.org/wiki/Ethernet_frame
EDIT:
Regular Eth-II/802.3 has a total length of:
dmac(6)+smac(6)+etype(2)+payload(1500)+crc(4) = 1518 bytes
For the case of Eth-II/802.3 with 802.1Q tagging:
dmac(6)+smac(6)+8100(2)+vlan/Qos(2)+etype(2)+payload(1500)+crc(4) = 1522 bytes

Telnet reader will split input after 1448 characters

I am writing a java applet that will print what a telnet client sends to the connection. Unfortunately, the client splits at 1448 characters.
The code that is proving to be a problem:
char[] l = new char[5000];
Reader r = new BufferedReader(new InputStreamReader(s.getInputStream(), "US-ASCII"));
int i = r.read(line);
I cannot change the source of what the telnet client reads from, so I am hoping it is an issue with the above three lines.
You're expecting to get telnet protocol data units from the TCP layer. It just doesn't work that way. You can only extract telnet protocol data units from the code that implements the telnet protocol. The segmentation of bytes of data at the TCP layer is arbitrary and it's the responsibility of higher layers to reconstruct the protocol data units.
The behavior you are seeing is normal, and unless you're diagnosing a performance issue, you should completely ignore the way the data is split at the TCP level.
The reason you're only getting 1448 bytes at a time is that the underlying protocols divide the transmission into packets. Frequently, this size is around 1500, and there are some bytes used for bookkeeping, so you're left with a chunk of 1448 bytes. The protocols don't guarantee that if you send X bytes in a 'single shot', that the client will receive X bytes in a single shot (e.g. a single call to the receive method).
As has been noted already in the comments above, its up to the receiving program to re-assemble these packets in a way that is meaningful to the client. In generally, you perform receives and append the data you receive to some buffer until you find an agreed-upon 'end of the block of data' marker (such as an end-of-line, new-line, carriage return, some symbol that won't appear in the data, etc.).
If the server is genuinely a telnet server--its output might be line-based (e.g. a single block of data is terminated with a 'end of line': carriage return and linefeed characters). RFC 854 may be helpful--it details the Telnet protocol as originally specified.

read specific size of data from boost asio udp socket

I want to read specific number of bytes from udp socket. In tcp socket I can use socket.read where I can specify the amount of data to receive. I don't find similar function for UDP socket. I am using receive_from() where I can specify the amount of data to read, but if there is more data then no data is read and I get following error.
"A message sent on a datagram socket was larger than the internal message buffer or some other network limit, or the buffer used to receive a datagram into was smaller than the datagram itself" std::basic_string<char,std::char_traits<char>,std::allocator<char> >
I am not able to find what value do I need to give for message_flags (3rd arg to receive_from) so that it will read the number of bytes specified. Currenly I am using the following code to read data but it either reads all data or no data.
size_t size=socket.receive_from(boost::asio::buffer((const void*)&discRsp,sizeof(DataStructure)),remote_endpoint,0,errors);
Try this:
socket.set_option(boost::asio::socket_base::receive_buffer_size(65536));