tshark filtering with SCTP segmentation not working?

asked 2020-08-10 07:22:49 +0000

updated 2020-08-10 10:58:21 +0000

Hello all,

I am facing an issue using tshark for SCTP segmented frames.

I have SIP traffic coming over SCTP. The SIP packet is segmented into 2 SCTP data chunks. I have it stored in an input.pcapng file. I use the following command to filter this:

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng


tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapng

But the output file contains only the SCTP segment in which the packet is reassembled.


  1. The output file does not contain the correct frame containing the segment which matches the filter. It shows the segment which did the reassembly.
  2. It does not show both the segments in the output file.


  1. What can be the reason and how can I resolve the above problems?

I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see that both fragments are written to the output file. So this seems to be working for IP fragmentation.
I tried SIP with TCP segmentation and tshark filtering outputs all TCP segments corresponding to the SIP packet. I also tried Diameter with TCP segmentation and tshark filtering outputs all TCP segments corresponding to that Diameter packet.
Hence the above problem looks to be specific to SCTP segmentation.

Thanks in advance,

