
Wireshark-users: [Wireshark-users] tshark - Issues with IP Defragmentation - SIP

From: Marv <marv@xxxxxxxxxxxxxx>
Date: Fri, 8 Feb 2013 10:32:58 +0000

Hi

I have a problem reading pcap files that have fragmented packets with tshark. My expectation is that tshark will re-assemble the fragmented IP packets before it passes them to the higher layer dissectors. But this doesn't appear to happen. If I open the same file with the Wireshark GUI application it does this fine.

Should I be able to do this with tshark on the command line? I have tried various tshark versions and get the same result. 1.4x, 1.6.7 and 1.8.2. I have also tried overriding the default sip.defragment option.

As an example I am searching pcap files (dumped with tcpdump) for SIP calls. But the SIP dissector doesn't recognise the packets because they are still fragmented. So if I look at the first 10 packets in the file I see:

$ tshark -r 218423_1.cap00 -c 10
  1 0.000000 10.0.226.129 -> 10.0.226.133 SIP 1251 Request: OPTIONS sip:10.0.226.133;transport=tcp
  2 0.000835 10.0.226.133 -> 10.0.226.129 SIP 1337 Status: 200 OK
  3 5.091195 10.0.226.133 -> 10.0.226.129 SIP/SDP 1025 Request: INVITE sip:[email protected];user=phone, with session description
  4 5.094097 10.0.226.129 -> 10.0.226.133 SIP 359 Status: 100 Trying
  5 5.122237 10.0.226.129 -> 10.0.226.133 IPv4 132 Fragmented IP protocol (proto=UDP 17, off=1480, ID=d618)
  6 5.169126 10.0.226.129 -> 10.0.226.133 IPv4 825 Fragmented IP protocol (proto=UDP 17, off=1480, ID=d619)
  7 5.171658 10.0.226.133 -> 10.0.226.129 SIP 840 Status: 100 Trying
  8 5.176699 10.0.226.129 -> 10.0.226.134 RTP 218 PT=ITU-T G.711 PCMA, SSRC=0x33B61227, Seq=1, Time=0
  9 5.177610 10.0.226.129 -> 10.0.226.134 RTCP 134 Receiver Report Source description
 10 5.196590 10.0.226.129 -> 10.0.226.134 RTP 218 PT=ITU-T G.711 PCMA, SSRC=0x33B61227, Seq=2, Time=160

As you can see #5 and 6 show as fragmented. If I try to pass this through a sip filter it won't find those packets, so it doesn't appear to be re-assembling them in the same way the Wireshark application does.

$ tshark -r 218423_1.cap00 sip -c 10
  1 0.000000 10.0.226.129 -> 10.0.226.133 SIP 1251 Request: OPTIONS sip:10.0.226.133;transport=tcp
  2 0.000835 10.0.226.133 -> 10.0.226.129 SIP 1337 Status: 200 OK
  3 5.091195 10.0.226.133 -> 10.0.226.129 SIP/SDP 1025 Request: INVITE sip:[email protected];user=phone, with session description
  4 5.094097 10.0.226.129 -> 10.0.226.133 SIP 359 Status: 100 Trying
  7 5.171658 10.0.226.133 -> 10.0.226.129 SIP 840 Status: 100 Trying
 12 5.216181 10.0.226.129 -> 10.0.226.133 SIP 1026 Request: PRACK sip:[email protected]:5060
 14 5.219458 10.0.226.133 -> 10.0.226.129 SIP 1385 Status: 200 OK
483 8.250769 10.0.226.133 -> 10.0.226.129 SIP 1498 Status: 180 Ringing
487 8.267270 10.0.226.129 -> 10.0.226.133 SIP 1028 Request: PRACK sip:[email protected]:5060
488 8.270899 10.0.226.133 -> 10.0.226.129 SIP 1387 Status: 200 OK

As can be seen, packets 5 and 6 (which in this case I know form an INVITE) don't get shown. I have also tried -o ip.defragment:TRUE and also writing the output to a file, but it still doesn't change anything.

For reference I am capturing them with tcpdump using the following BPF: ( vlan and (port 5060 or ip[6:2] & 0x1fff != 0 ))

Any advice would be much appreciated.

Cheers
Martin
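An added example, not part of the original post or of Wireshark, showing the bookkeeping an IP reassembler has to do before a higher-layer dissector can see the datagram: it parses the IPv4 header fields behind the `ip[6:2]` test in the capture filter, groups fragments by (src, dst, ID, proto) and reports whether each datagram has its first and last fragment with no gaps. The packets are constructed test data; only the IDs d618/d619 and the off=1480 values are taken from the listing above.

```python
import struct
from collections import defaultdict

def parse_ipv4(pkt: bytes) -> dict:
    """Pull out the IPv4 header fields an IP reassembler keys on."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag, _ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    # flags_frag is BPF's ip[6:2]: bit 13 is More Fragments, low 13 bits the offset in 8-byte units
    return {"id": ident, "proto": proto, "src": pkt[12:16], "dst": pkt[16:20],
            "mf": bool(flags_frag & 0x2000), "offset": (flags_frag & 0x1FFF) * 8,
            "payload_len": total_len - ihl}

def check_reassembly(packets):
    """Group fragments by (src, dst, id, proto) and say whether each datagram can be rebuilt."""
    groups = defaultdict(list)
    for p in packets:
        h = parse_ipv4(p)
        if h["mf"] or h["offset"]:  # any fragment, the first one (offset 0, MF set) included
            groups[(h["src"], h["dst"], h["id"], h["proto"])].append(h)
    report = {}
    for key, frags in groups.items():
        frags.sort(key=lambda h: h["offset"])
        has_first = frags[0]["offset"] == 0
        has_last = not frags[-1]["mf"]
        contiguous = all(a["offset"] + a["payload_len"] == b["offset"]
                         for a, b in zip(frags, frags[1:]))
        if not has_first:
            status = "missing first fragment"
        elif not has_last:
            status = "missing last fragment"
        elif not contiguous:
            status = "gap between fragments"
        else:
            status = "complete"
        report[key[2]] = status
    return report

def ipv4_header(ident, offset, mf, payload_len, proto=17):
    """Build a minimal 20-byte IPv4 header (constructed test data; checksum left at 0)."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                       64, proto, 0, bytes([10, 0, 226, 129]), bytes([10, 0, 226, 133]))

# Constructed sample: two lone off=1480 fragments like frames 5 and 6 (IDs d618/d619),
# plus a made-up datagram 0x0001 whose first fragment was captured as well.
SAMPLE = [ipv4_header(0xD618, 1480, False, 94), ipv4_header(0xD619, 1480, False, 787),
          ipv4_header(0x0001, 0, True, 1480), ipv4_header(0x0001, 1480, False, 94)]

if __name__ == "__main__":
    for ident, status in check_reassembly(SAMPLE).items():
        print(f"ID=0x{ident:04x}: {status}")
```

A datagram that reports "missing first fragment" can never be handed to the SIP dissector, whatever ip.defragment is set to, because the UDP header and ports live only in the offset-0 fragment.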