tshark unable to cope with fragmented/segmented messages?
I need to pre-filter huge (multiple GBytes) SIP traces and want to do that using tshark.
These days several SIP messages span more than a single IP packet or TCP segment.
Thus my expectation is that tshark will reassemble those big SIP messages, apply the filter expression and then write the selected messages - including ALL frames a message consists of - into an output pcap file which I can analyze in detail with Wireshark.
For example (tshark version 3.4.9):
tshark -Y "sip.Method==INVITE" -r input.pcap -w output.pcap
But it doesn't work as required. When the input file contains SIP messages occupying multiple IP packets, tshark only writes one of the packets to the output file.
I use this file for demonstration: SIP example trace
Loading it into Wireshark and applying "sip.Method==INVITE" as filter shows: (Info column has been cut for these displays.)
No. Source Destination Length Info
1 217.0.21.65 84.146.135.221 1445 Request: INVITE sip:[email protected]
2076 217.0.21.65 84.146.135.221 591 Request: INVITE sip:[email protected]
3916 217.0.21.65 84.146.135.221 1447 Request: INVITE sip:[email protected]
Actually the message in frame 2076 consists of two IP packets.
Writing these messages into file using "Export Specified Packets" with Packet Range "All Packets" as "Displayed" works as expected, Wireshark includes the additional IP packet.
No. Source Destination Length Info
1 217.0.21.65 84.146.135.221 1445 Request: INVITE sip:[email protected]
2 217.0.21.65 84.146.135.221 1518 Fragmented IP protocol... [Reassembled in #3]
3 217.0.21.65 84.146.135.221 591 Request: INVITE sip:[email protected]
4 217.0.21.65 84.146.135.221 1447 Request: INVITE sip:[email protected]
When using tshark with the command line shown above, only the last IP packet of the big SIP message is included in the output file.
No. Source Destination Length Info
1 217.0.21.65 84.146.135.221 1445 Request: INVITE sip:[email protected]
2 217.0.21.65 84.146.135.221 591 Fragmented IP protocol (proto=UDP 17, off=1472)
3 217.0.21.65 84.146.135.221 1447 Request: INVITE sip:[email protected]
This is quite useless...
The same happens with big SIP messages if TCP is used for transport.
It's said that tshark respects the Wireshark protocol settings, e.g. message reassembly etc.
As it works with Wireshark itself, I'd expect it to work with tshark too.
Anyway, I have tried several permutations of tshark parameters so far but didn't see any improvement.
tshark -2 -R "sip.Method==INVITE"
tshark -2 -R "sip.Method==INVITE" -o ip.defragment:TRUE
tshark -2 -R "sip.Method==INVITE" -o sip.desegment_headers:TRUE
and so on...
Now, does anybody have a working/verified hint how to bring tshark ...
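One practical way to get the matching SIP messages plus every frame they were reassembled from is a two-step run: first list, for each matching packet, the frame numbers that tshark's reassembly tables point at, then write exactly that set of frames with a frame.number filter. The script below is an added example, not code from the original post or from the Wireshark project; it assumes the FT_FRAMENUM field names ip.fragment and tcp.segment (check them against your build with tshark -G fields) and the filter and file names used in the post. The parsing and filter-building parts run offline on a constructed listing that mirrors the frames shown above; only extract() actually invokes tshark.

```python
import subprocess
from typing import Iterable, List, Set

# Display filter taken from the post.
SIP_FILTER = "sip.Method==INVITE"

# FT_FRAMENUM fields that list the frames a reassembled PDU was built from.
# Assumed names: verify with `tshark -G fields | grep -E 'ip.fragment|tcp.segment'`.
FRAGMENT_FIELDS: List[str] = ["ip.fragment", "tcp.segment"]

# Constructed sample of `tshark -T fields` output for the trace in the post:
# frame.number, then one tab-separated column per FRAGMENT_FIELDS, multiple
# values joined by ','. Frame 3 was reassembled from IP fragments 2 and 3.
SAMPLE_LISTING: List[str] = [
    "1\t\t",
    "3\t2,3\t",
    "4\t\t",
]


def parse_fields_output(lines: Iterable[str]) -> Set[int]:
    """Collect the matching frame numbers plus every fragment/segment frame
    referenced in the extra columns."""
    keep: Set[int] = set()
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        cols = line.split("\t")
        keep.add(int(cols[0]))                      # the reassembled frame itself
        for col in cols[1:]:                        # ip.fragment / tcp.segment lists
            for value in col.split(","):
                value = value.strip()
                if value:
                    keep.add(int(value))
    return keep


def frame_filter(frames: Set[int]) -> str:
    """Build a display filter selecting exactly these frames (set syntax)."""
    return "frame.number in {" + " ".join(str(n) for n in sorted(frames)) + "}"


def build_list_cmd(pcap: str, filt: str = SIP_FILTER) -> List[str]:
    """Two-pass run (-2 -R) so reassembly has completed before the filter is
    evaluated; print frame numbers and the fragment/segment references."""
    cmd = ["tshark", "-2", "-r", pcap, "-R", filt, "-T", "fields", "-e", "frame.number"]
    for field in FRAGMENT_FIELDS:
        cmd += ["-e", field]
    cmd += ["-E", "separator=/t", "-E", "occurrence=a", "-E", "aggregator=,"]
    return cmd


def build_write_cmd(pcap: str, out: str, frames: Set[int]) -> List[str]:
    """Second pass: write the computed frame set, fragments included."""
    return ["tshark", "-r", pcap, "-Y", frame_filter(frames), "-w", out]


def extract(pcap: str = "input.pcap", out: str = "output.pcap") -> Set[int]:
    """Run both passes against a real capture; returns the frames written."""
    listing = subprocess.run(build_list_cmd(pcap), check=True,
                             capture_output=True, text=True).stdout
    frames = parse_fields_output(listing.splitlines())
    subprocess.run(build_write_cmd(pcap, out, frames), check=True)
    return frames


if __name__ == "__main__":
    frames = parse_fields_output(SAMPLE_LISTING)
    print(sorted(frames))          # [1, 2, 3, 4] for the constructed sample
    print(build_write_cmd("input.pcap", "output.pcap", frames))
```

The first pass has to be two-pass (-2 with -R) because the ip.fragment and tcp.segment references only exist once reassembly has seen all fragments; the second pass is a plain single-pass write, which is what keeps the earlier fragments in the output even though, on their own, they never match the SIP filter. For very large traces the frame.number set can get long, so splitting it across several -Y runs, or writing the numbers to a file and building the filter from it, avoids hitting the shell's argument length limit.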