Only some DIAMETER packets are being dissected as DIAMETER

2021-06-09

Maria

2021-06-09

Guy Harris

My capture has a DIAMETER conversation, but only first pair (request/response) is displayed as DIAMETER , even though all packages are recognized as such in packet comments field. Rest of packets are displayed as TCP. TCP retransmission message is showing. Any idea how to display all in highest protocol? Thank you

Is the "Reassemble Diameter messages spanning multiple TCP segments" preference set? Go to Edit > Preferences on non-Macs or Wireshark > Preferences on Macs, open up "Protocols", and scroll down to "Diameter" (typing "D" might take you to the section for protocols with names beginning with "D"). Is that preference checked?

Also, is the TCP preference "Allow subdissector to reassemble TCP streams" set?

Guy Harris ( 2021-06-09 )

2021-06-09

JeffMorriss

By default (IIRC) Wireshark won't dissect TCP retransmissions as the higher-level protocol because doing so may mess up the higher-level protocol's (stateful) dissection.

If you want retransmissions to be dissected, try disabling the TCP dissector's Do not call subdissectors for error packets option.

Thank you guys for your quick response and suggestions, i followed them and try additional options for TCP protocol preferences. Now I can see all packets as diameter disabling "Analyze TCP sequence numbers". I can´t vote or something but I really apreciate your help :-)

Maria ( 2021-06-09 )

