Ask Your Question
0

Different protocols recognized by tshark on Windows and Linux

asked 2019-11-13 08:54:43 +0000

mibognar gravatar image

I am investigating a capture file where some SIP messages arrive in the wrong order (out-of-order segments). If I observe the packet layers of the particular segment, I get different results on Windows and Linux machines.

Both on Linux and Windows the tshark command is the following (i am looking for frame no. 650):

tshark -r ooo.pcap -T fields -e frame.protocols frame.number==650

However the outputs of the command are different on different OSs:

Windows output:

sll:ethertype:ip:tcp:sip:sdp

Linux output (CentOS 7):

sll:ethertype:ip:tcp

It seems like the Linux version cannot detect the sip layer. On sip packets that are not out-of-order both versions read the sip layer correctly.

How does this happen? Is there a settings field that has different default value on linux&windows?

Both Wireshark(tshark) versions are the same (3.0.6), and the 'ooo.pcap' file is also identical.

edit retag flag offensive close merge delete

Comments

1

Check tcp preferences on both machines.

Anders gravatar imageAnders ( 2019-11-13 09:14:25 +0000 )edit

Thanks, amazing! tcp.reassemble_out_of_order:TRUE did it. It looks like somehow wireshark defaults this value differently on the two OSs.

mibognar gravatar imagemibognar ( 2019-11-13 09:50:09 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-11-13 10:24:12 +0000

mibognar gravatar image

As Anders' comment suggested, there is a preference setting tcp.reassemble_out_of_orderthat defaults to False on installation. The preference file is modified by the wireshark gui, this caused my windows cmd tshark to reassemble the out-of-order segments, as I ticked it when I was reading the file on the gui. In linux tshark (without a gui in my case) however you need to overwrite this parameter when running the command like this:

tshark -o tcp.reassemble_out_of_order:TRUE -r ooo.pcap -T fields -e frame.protocols frame.number==650
edit flag offensive delete link more

Comments

Note that the preference defaults are the same for all platforms, although they may have changed between versions so it's entirely possible to pick up user modified preferences from an earlier version that appear to cause differences between platforms.

Any preference changes between platforms (when using the same version) are entirely down to user changes.

grahamb gravatar imagegrahamb ( 2019-11-13 11:04:39 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-11-13 08:54:43 +0000

Seen: 507 times

Last updated: Nov 13 '19

Related questions

Help to set up a "pass through bridge" sniffer

windows missing horizontal scrollbar

CentOS VM on Hyper V only shows traffic in one direction?

Wireshark 2.4.1 GTK Crash on long run

wifi disconnects as wireshark starts

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

what determines the final windows scaling factor?

Using tshark filters to extract only interesting traffic from 12GB trace

Failed to run MSBuild command (CMake Error at CMakeLists.txt:22 (project))