Ask Your Question
0

tshark unable to cope with fragmented/segmented messages?

asked 2021-10-15 12:57:39 +0000

updated 2021-10-15 13:36:41 +0000

grahamb gravatar image

I need to pre-filter huge (multiple GBytes) SIP traces and want to do that using tshark.

These days several SIP messages are spanning more than a single IP packet or TCP segment.

Thus my expectation is that tshark will reassemble those big SIP messages, apply the filter expression and then write the selected messages - including ALL frames a message consists of - into an output pcap file which I may analyze in detail with Wireshark.

For example (tshark version 3.4.9):

tshark -Y "sip.Method==INVITE" -r input.pcap -w output.pcap

But it doesn't work as required. When input file contains SIP messages occupying multiple IP packets, tshark only writes one of the packets to output file.

I use this file for demonstration: SIP example trace

Loading into Wireshark and apply "sip.Method==INVITE" for filter shows: (Info column has been cut for these displays.)

 No. Source      Destination    Length Info
   1 217.0.21.65 84.146.135.221   1445 Request: INVITE sip:[email protected]
2076 217.0.21.65 84.146.135.221    591 Request: INVITE sip:[email protected]
3916 217.0.21.65 84.146.135.221   1447 Request: INVITE sip:[email protected]

Actually message in frame 2076 consists of two IP packets.

Writing these messages into file using "Export Specified Packets" with Packet Range "All Packets" as "Displayed" works as expected, Wireshark includes the additional IP packet.

No. Source      Destination    Length Info
  1 217.0.21.65 84.146.135.221   1445 Request: INVITE sip:[email protected]
  2 217.0.21.65 84.146.135.221   1518 Fragmented IP protocol...  [Reassembled in #3]
  3 217.0.21.65 84.146.135.221    591 Request: INVITE sip:[email protected]
  4 217.0.21.65 84.146.135.221   1447 Request: INVITE sip:[email protected]

When using tshark with command line shown above, only the last IP packet of the big SIP message is included in output file.

No. Source      Destination    Length Info
  1 217.0.21.65 84.146.135.221   1445 Request: INVITE sip:[email protected]
  2 217.0.21.65 84.146.135.221    591 Fragmented IP protocol (proto=UDP 17, off=1472)
  3 217.0.21.65 84.146.135.221   1447 Request: INVITE sip:[email protected]

This is quite useless...

Similar happens with big SIP messages if TCP is used for transport.

It's said that tshark will respect the Wireshark protocol settings, e.g. message reassembly etc.

As it works with Wireshark itself I'd expect it does with tshark too.

Anyway, I tried several permutations of tshark parameters yet but didn't see any improvement.

tshark -2 -R "sip.Method==INVITE"
tshark -2 -R "sip.Method==INVITE" -o ip.defragment:TRUE
tshark -2 -R "sip.Method==INVITE" -o sip.desegment_headers:TRUE

and so on...

Now, does anybody has a working/verified hint how to bring tshark ... (more)

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2021-10-15 13:51:31 +0000

grahamb gravatar image

updated 2021-10-15 13:57:03 +0000

Using tshark -2 -Y "sip.Method==INVITE" -r input.pcap -w output.pcap works for me. I get four packets in the output file:

> tshark -r C:\temp\out.pcapng -T fields -e frame.number -e ip.src -e ip.dst -e frame.len -e _ws.col.Info
1  217.0.21.65  84.146.135.221  1445    Request: INVITE sip:[email protected]
2  217.0.21.65  84.146.135.221  1518    Fragmented IP protocol (proto=UDP 17, off=0, ID=38fc)
3  217.0.21.65  84.146.135.221  591     Request: INVITE sip:[email protected]
4  217.0.21.65  84.146.135.221  1447    Request: INVITE sip:[email protected]
edit flag offensive delete link more

Comments

Wow, that was quick! "-2 -Y" was a combination I didn't try. Thanks a lot, now I have something to play with...

HorstMeier gravatar imageHorstMeier ( 2021-10-15 14:14:59 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-10-15 12:56:07 +0000

Seen: 496 times

Last updated: Oct 15 '21