in reply to Variable Length Parsing
Two things you should do. Switch .+ to its non-greedy version (.+?). Second, if you know the variable length field will be terminated with TCP/UDP/ICMP/ERROR, then create an alternation that states that in your regex to ensure that $5 doesn't suck up everything till the end of the line:
/(TCP|UDP|ICMP|IP|ERROR)/
HTH
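An added example, not part of the original reply, showing the greedy and non-greedy forms side by side with the alternation above as the terminator. The log layout, the sample lines, and the names `$prefix`, `$greedy`, `$lazy` and `parse` are assumptions constructed for illustration; the only thing taken from the thread is that `$5` is the variable-length field.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines (not from the original thread). Field 5 is a
# free-text rule name of variable length, followed by a protocol keyword.
my @lines = (
    'Jan 12 10:03:11 fw01 block inbound web TCP 10.0.0.5:4431 -> 192.0.2.10:443',
    'Jan 12 10:03:12 fw01 guest wifi UDP 10.0.0.7:5353 -> 192.0.2.53:53 reply ICMP unreachable',
    'Jan 12 10:03:13 fw01 vpn tunnel down ERROR peer 198.51.100.4 timed out',
);

my $proto  = qr/TCP|UDP|ICMP|IP|ERROR/;
my $prefix = qr/^(\w{3})\s+(\d+)\s+([\d:]+)\s+(\S+)\s+/;   # $1..$4 (assumed layout)

# Greedy: $5 backtracks from the end of the line, so it stops at the LAST keyword.
my $greedy = qr/$prefix(.+)\s+($proto)\b\s*(.*)$/;
# Non-greedy: $5 grows one character at a time and stops at the FIRST keyword.
my $lazy   = qr/$prefix(.+?)\s+($proto)\b\s*(.*)$/;

# Returns a hashref of the variable field, protocol and remainder, or nothing
# when the line does not match.
sub parse {
    my ($re, $line) = @_;
    return unless $line =~ $re;
    return { name => $5, proto => $6, rest => $7 };
}

for my $line (@lines) {
    my $g = parse($greedy, $line);
    my $l = parse($lazy,   $line);
    unless ($g && $l) {
        warn "unparsed line: $line\n";   # surface lines the pattern misses
        next;
    }
    printf "greedy: \$5=%-52s proto=%s\n",   "'$g->{name}'", $g->{proto};
    printf "lazy:   \$5=%-52s proto=%s\n\n", "'$l->{name}'", $l->{proto};
}
```

On the second sample line the greedy pattern reports ICMP and folds the UDP addresses into `$5`, while the non-greedy one yields `guest wifi` and UDP. The non-greedy form stops at the first standalone keyword, so a free-text field that can itself contain one of those words will be cut short and needs a stricter anchor on what follows the protocol.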