 | 1 | initial version |
Are you sure you need to disable IP fragment reassembly to make your filter work? I expect you will need to enable it to make the filter work correctly.
Can you try:
/usr/sbin/tshark -o ip.defragment:TRUE -r /tmp/temp.pcap -R "sip && !sip.CSeq.method == OPTIONS && ip.src == [SOURCE_IP] && udp.srcport == 5060" | wc -l
If that does not work, may sharing your file is an option, even with enough karma, you can't share pcap files directly on here, but @Jasper wrote a good article on how to share pcap files. Have a look at: https://blog.packet-foo.com/2016/11/the-wireshark-qa-trace-file-sharing-tutorial/
| | 2 | No.2 Revision |
Are you sure you need to disable IP fragment reassembly to make your filter work? I expect you will need to enable it to make the filter work correctly.
Can you try:
/usr/sbin/tshark -o ip.defragment:TRUE -r /tmp/temp.pcap -R "sip && !sip.CSeq.method == OPTIONS && ip.src == [SOURCE_IP] && udp.srcport == 5060" | wc -l
If that does not work, may maybe sharing your file is an option, even with enough karma, you can't share pcap files directly on here, but @Jasper wrote a good article on how to share pcap files. Have a look at:
https://blog.packet-foo.com/2016/11/the-wireshark-qa-trace-file-sharing-tutorial/