| 1 | initial version |
Ask: Disabling "Reassemble Fragmented IPv4 datagrams" preference in IPv4 protocol for tshark?
Thank you for sharing your pcap-file. I ran some tests myself and agree you should disable the IP defragmentation, because you only captured the first fragments of fragmented traffic. This is because the BPF filter uses a port filter, which is only available in the first fragment. If you change your filter to include (all) IP fragments, you will probably not have this problem, but of course you might be capturing too many IP fragments to other ports. You can try the following capture filter:
udp and (port 5065 or port 5060 or ip[6:2] & 0x1fff > 0)
| 2 | No.2 Revision |
Ask: Disabling "Reassemble Fragmented IPv4 datagrams" preference in IPv4 protocol for tshark?
Thank you for sharing your pcap-file. I ran some tests myself and agree you should disable the IP defragmentation, because you only captured the first fragments of fragmented traffic. This is because the BPF filter uses a port filter, which is only available in the first fragment. If you change your filter to include (all) IP fragments, you will probably not have this problem, but of course you might be capturing too many IP fragments to other ports. You can try the following capture filter:
udp and (port 5065 or port 5060 or ip[6:2] & 0x1fff > 0)
Try this filter:
udp and (port 2055 or ip[6:2] & 0x1fff > 0)
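The behaviour described in the answer above, as an added example that is not part of the original post: it builds IPv4 fragments of one UDP datagram and emulates in Python how a port-only capture filter and the `ip[6:2] & 0x1fff > 0` variant treat each fragment. The addresses, source port, payload size and function names are constructed for illustration.

```python
import struct

def ipv4_fragment(payload, offset_bytes, more_fragments, proto=17):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

def fragment_udp(sport, dport, data, frag_size):
    """Split one UDP datagram into IPv4 fragments (frag_size: multiple of 8)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    chunks = [udp[i:i + frag_size] for i in range(0, len(udp), frag_size)]
    return [ipv4_fragment(c, i * frag_size, i < len(chunks) - 1)
            for i, c in enumerate(chunks)]

def frag_offset(pkt):
    # Same bytes the capture filter reads: ip[6:2] & 0x1fff (units of 8 bytes)
    return struct.unpack("!H", pkt[6:8])[0] & 0x1fff

def port_only(pkt, ports):
    """Emulates 'udp and (port A or port B)': the UDP header, and so the
    ports, exist only in the fragment with offset 0."""
    if pkt[9] != 17 or frag_offset(pkt) != 0:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return sport in ports or dport in ports

def port_or_fragment(pkt, ports):
    """Emulates 'udp and (port A or port B or ip[6:2] & 0x1fff > 0)'."""
    return pkt[9] == 17 and (port_only(pkt, ports) or frag_offset(pkt) > 0)

def captured(filter_fn, pkts, ports):
    """Byte offsets of the fragments the emulated filter would keep."""
    return [frag_offset(p) * 8 for p in pkts if filter_fn(p, ports)]

# Constructed sample: one 3000-byte datagram to port 5060, 1480-byte fragments
SAMPLE = fragment_udp(40000, 5060, b"A" * 3000, 1480)

if __name__ == "__main__":
    print("port only       :", captured(port_only, SAMPLE, {5060, 5065}))
    print("port or fragment:", captured(port_or_fragment, SAMPLE, {5060, 5065}))
```

Running the same functions on a fragmented datagram to an unrelated port shows the trade-off the answer mentions: its later fragments match the second filter even though its first fragment does not.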