Exported PDU protocol
This protocol is used by Wireshark to store PDUs (Protocol Dissection Units) and a minimum amount of protocol metadata.
The exported PDUs carry only the payload data of their respective packets; lower layers are stripped off. Some essential information from these lower layers may be stored as key-value pairs in a metadata header.
When written to pcap or pcapng files, this protocol is indicated by using DLT 252. This value does not appear on the TCP link-layer header types page.
Format
Information taken from epan/exported_pdu.h
Metadata
The layout of Exported PDU metadata is very similar to that of PcapNG options blocks:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Option Code          |         Option Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                         Option Value                          /
/              variable length, aligned to 32 bits              /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                                                               /
/                   . . . other options . . .                   /
/                                                               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Option Code == opt_endofopt  |      Option Length == 0       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
There are option codes for:
- Total length of all options (excluding itself)
- the ASCII name of the registered dissector Wireshark should use to decode the payload to follow (e.g. sip)
- the ASCII name of the registered heuristic dissector Wireshark should use to decode the payload to follow (e.g. sip_udp)
- the ASCII name of the registered dissector table Wireshark should use to decode the payload to follow (e.g. gsm_map.v3.arg.opcode)
  - Only one of the preceding three tags may be specified; if there are more, only the first is used
- IPv4 or IPv6 source and destination addresses
- Port type (e.g. UDP or TCP)
- A structure describing how much payload data there is
- ... and several others
Payload
Following the metadata, the raw payload of the specified protocol layer is given as a simple byte sequence.
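The layout above, as an added example (not code from Wireshark or from this page): a minimal Python parser that walks the options, bounds-checks every length against the buffer, applies the "only the first dissector tag is used" rule, and returns the payload. It assumes 16-bit big-endian code and length fields, a length that already includes any padding, and the option codes 0, 12, 13, 14 and 20 from epan/exported_pdu.h; the function names and sample bytes are constructed for illustration.

```python
import struct

# Option codes as defined in epan/exported_pdu.h (assumption: verify against
# the header in your Wireshark tree before relying on them).
END_OF_OPT = 0
DISSECTOR_TAGS = {12: "dissector", 13: "heur_dissector", 14: "dissector_table"}
IPV4_SRC = 20


def parse_exported_pdu(buf: bytes):
    """Split one Exported PDU record into (options, chosen_dissector, payload).

    Capture files are untrusted input, so malformed or truncated metadata
    raises ValueError instead of reading past the buffer.
    """
    options, chosen, off = [], None, 0
    while True:
        if off + 4 > len(buf):
            raise ValueError("metadata truncated before end-of-options")
        code, length = struct.unpack_from(">HH", buf, off)
        off += 4
        if code == END_OF_OPT:
            if length != 0:
                raise ValueError("end-of-options must have length 0")
            break
        if off + length > len(buf):
            raise ValueError(f"option {code} claims {length} bytes, "
                             f"only {len(buf) - off} remain")
        value = buf[off:off + length]
        off += length
        options.append((code, value))
        # Only the first of the three dissector-selection tags is honoured.
        if code in DISSECTOR_TAGS and chosen is None:
            chosen = (DISSECTOR_TAGS[code], value.rstrip(b"\x00").decode("ascii"))
    return options, chosen, buf[off:]


def tlv(code: int, value: bytes) -> bytes:
    """Build one option, NUL-padding the value to a 32-bit boundary."""
    value += b"\x00" * (-len(value) % 4)
    return struct.pack(">HH", code, len(value)) + value


# Constructed sample: dissector "sip", a second (ignored) heuristic name,
# IPv4 source 192.0.2.1, end-of-options, then the raw payload bytes.
SAMPLE = (tlv(12, b"sip") + tlv(13, b"sip_udp") + tlv(IPV4_SRC, bytes([192, 0, 2, 1]))
          + tlv(END_OF_OPT, b"") + b"OPTIONS sip:example.invalid SIP/2.0\r\n")

if __name__ == "__main__":
    print(parse_exported_pdu(SAMPLE))
```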
History
This protocol was first added to Wireshark in 2013, to provide and implement the File → Export PDUs to File... menu option.
Later that same year it was used as a mechanism for exporting decrypted PDUs of SSL/DTLS, IPsec, and DVB-CI/CI+ SAC data. Other data types were added in subsequent years, including Logcat.
Androiddump was added as an extcap interface to Wireshark in 2015. Exported PDU was used as one way to receive this data.
Protocol dependencies
This protocol has no dependencies.
Example traffic
See Example capture file below.
Wireshark
Wireshark uses this format in the following contexts:
- capturing data using udpdump or androiddump
- presenting the contents of a 3GPP 32.423 nettrace XML trace file
- exporting PDUs via the File → Export PDUs to File... menu option
- exporting decrypted SSL/DTLS and IPsec PDUs
Preference Settings
This protocol has no preferences.
Example capture file
http_pdus.pcapng - generated by loading http.cap from the SampleCaptures page in Wireshark, then selecting File → Export PDUs to File..., and choosing OSI Layer 4 from the dropdown.
Display Filter
A complete list of exported_pdu display filter fields can be found in the display filter reference.
Capture Filter
There is no capture filter for this protocol.