Wireshark-users: Re: [Wireshark-users] 300 multiple choices dissection

From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Wed, 11 Sep 2013 08:42:33 +0200

2013/9/11 Manolis Katsidoniotis <manoska@xxxxxxxxx>

Hello folks

I have the following message traced from Wireshark, in which the Contact header is dissected as in the attachment.

SIP/2.0 300 Multiple Choices
Contact: <sip:1190000107@xxxxxxxxxxx?P-Asserted-Identity=sip:+11900000107%40sr.icst.com>;q=1,<sip:555555555@xxxxxxxxxxx?P-Asserted-Identity=sip:+155555555%40sr.icst.com>;q=2
Call-ID: 00000062-00000F4C-0016D9BD-7@2001:1234:5678:2807::77
CSeq: 1 INVITE
From: <sip:+11100000066@xxxxxxxx>;tag=3916.1497565.14
To: <sip:911@xxxxxxxx>;tag=1828.607964187.596
Via: SIP/2.0/UDP icsthp1fee11.icst.com:6088;branch=z9hG4bK27dc2296bb70;received=10.52.228.69
Via: SIP/2.0/TCP icsthp1fee11.icst.com:6088;branch=z9hG4bKd0e74ba700a5;received=10.52.228.69
Via: SIP/2.0/TCP 10.52.228.69:5090;branch=z9hG4bK0c9ce7d6538136bd5d98293223a2929e;lskpmc=SCF
Via: SIP/2.0/TCP [2001:1234:5678:2807::77];branch=z9hG4bK1497565.3916.28
Content-Length: 0

It looks like the dissector uses ";" as the key divider, whereas in this specific case (for the Contact field) I am under the impression that the main delimiter should be the comma "," (and then ";"), as per the example in RFC 3261 §20.10 (http://tools.ietf.org/html/rfc3261#section-20.10).

In other words, I believe a more (elegant?) dissection might be like the below (using the order of preference and perhaps taking the potential "expires" into account as well?):

- Contact: <sip:1190000107@xxxxxxxxxxx?P-Asserted-Identity=sip:+11900000107%40sr.icst.com>;q=1,<sip:555555555@xxxxxxxxxxx?P-Asserted-Identity=sip:+155555555%40sr.icst.com>;q=2
  - Contact: <sip:555555555@xxxxxxxxxxx?P-Asserted-Identity=sip:+155555555%40sr.icst.com>;q=2
    - Contact URI: sip:555555555@xxxxxxxxxxx?P-Asserted-Identity=sip:+155555555%40sr.icst.com
      - Contact URI User part: 555555555
      - Contact URI Host part: sr.icst.com
      - Contact URI Order of preference: 2
  - Contact: <sip:1190000107@xxxxxxxxxxx?P-Asserted-Identity=sip:+11900000107%40sr.icst.com>;q=1
    - Contact URI: sip:1190000107@xxxxxxxxxxx?P-Asserted-Identity=sip:+11900000107%40sr.icst.com
      - Contact URI User part: 1190000107
      - Contact URI Host part: sr.icst.com
      - Contact URI Order of preference: 1

Any comments?

Thanks
Manolis


Hi Manolis,

the issue you describe seems rather similar to bug 9031: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9031
Could you give a try to the newly released 1.10.2 version? The dissection should look a bit better.

Regards,
Pascal.
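
Added example (not part of either message above, and not Wireshark's dissector code): a small Python parser that splits a Contact header value the way the question proposes, on top-level commas first and then on ";" header parameters, while ignoring both delimiters inside <...> and quoted display names. The sample value is constructed; the example.test host, the display name and the expires value are placeholders, and the function names are this example's own.

```python
import re

# Constructed sample shaped like the Contact header in the thread; the
# example.test host, display name and expires value are placeholders.
SAMPLE = ('<sip:1190000107@example.test?P-Asserted-Identity=sip:+11900000107'
          '%40example.test>;q=1,"Desk, Front" <sip:555555555@example.test;'
          'transport=tcp>;q=2;expires=3600')

def split_top_level(value, sep):
    """Split on sep, ignoring any sep inside <...> or a quoted string."""
    parts, buf, in_angle, in_quote, i = [], [], False, False, 0
    while i < len(value):
        ch = value[i]
        if in_quote and ch == '\\' and i + 1 < len(value):
            buf.append(value[i:i + 2])  # keep escaped pair, e.g. \" in a name
            i += 2
            continue
        if ch == '"' and not in_angle:
            in_quote = not in_quote
        elif ch == '<' and not in_quote:
            in_angle = True
        elif ch == '>' and not in_quote:
            in_angle = False
        if ch == sep and not in_angle and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]

def parse_contacts(value):
    """Return one dict per contact: comma first, then ';' header parameters."""
    contacts = []
    for entry in split_top_level(value, ','):
        addr, *raw_params = split_top_level(entry, ';')
        params = {}
        for p in raw_params:
            name, _, val = p.partition('=')
            params[name.strip().lower()] = val.strip()
        m = re.search(r'<([^>]*)>', addr)
        uri = m.group(1) if m else addr
        user, at, rest = uri.partition(':')[2].partition('@')
        host = re.split(r'[;?]', rest if at else user, maxsplit=1)[0]
        contacts.append({'uri': uri, 'user': user if at else None,
                         'host': host, 'params': params})
    # Higher q sorts first; q is assumed numeric, a contact without q sorts last.
    return sorted(contacts, key=lambda c: float(c['params'].get('q', -1)),
                  reverse=True)
```

A plain SAMPLE.split(',') yields three pieces here because of the comma inside the quoted display name, and a plain split on ";" would cut the second URI at its transport parameter; the top-level splitter avoids both.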