How to let tshark reassemble the fragments on GRE?
I have captured a pcap with GRE traffic, and could filter out the GRE traffic by:
[root@vmtca-2101 mzhan017]# tshark -r ims_merged_bad.pcap "ip.proto == 47"
Running as user "root" and group "root". This could be dangerous.
42037 144.861194 10.0.0.7 → 55.0.0.5 IPv4 1512 Fragmented IP protocol (proto=UDP 17, off=0, ID=079a)
42039 144.861213 10.0.0.7 → 55.0.0.5 IPv4 69 Fragmented IP protocol (proto=UDP 17, off=1448, ID=079a)
These two fragments are one SIP INVITE message.
So I tried to filter the SIP with the following command.
tshark -2 -r ims_merged_bad.pcap -R "ip.proto == 47" "sip.CSeq.method==\"INVITE\""
But couldn't get the INVITE message out.
Does tshark support this kind of reassembly? Any suggestions for this?
Thanks, Mark
By the way, the fragments happened on IP over GRE.
What do you get if you try this?
So presumably the first fragment is 1448 bytes long, as the second fragment has a fragment offset of 1448 bytes. If not, then either not all fragments are present or there's something wrong with the fragmentation.
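The offset check described in the reply above, as an added example that is not part of the original thread: it groups fragments by IP ID and reports whether each datagram's fragments are contiguous and end with a fragment that has MF=0. The rows are constructed sample data (only the ID 079a and the offsets 0 and 1448 come from the question), and the tshark field export shown in the comment is an assumed way of producing them.

```python
from collections import defaultdict

# Constructed sample rows (not taken from the original capture), in the shape of:
#   tshark -r FILE -T fields -E occurrence=l \
#     -e ip.id -e ip.frag_offset -e ip.len -e ip.hdr_len -e ip.flags.mf
# occurrence=l picks the innermost IP header when IP is carried over GRE.
# Assumption: ip.frag_offset is exported in bytes, as in the summary lines above.
SAMPLE = """\
0x079a\t0\t1468\t20\t1
0x079a\t1448\t25\t20\t0
0x07a0\t0\t1468\t20\t1
0x07a0\t2896\t120\t20\t0
"""

def parse_rows(text):
    """Map ip.id -> list of (offset, payload_len, more_fragments)."""
    # Simplification: real reassembly also keys on source, destination and protocol.
    datagrams = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ip_id, off, total_len, hdr_len, mf = line.split("\t")
        payload = int(total_len) - int(hdr_len)  # bytes carried by this fragment
        more = mf.strip().lower() in ("1", "true")  # tshark prints either form
        datagrams[ip_id].append((int(off), payload, more))
    return datagrams

def check_fragments(frags):
    """Return (complete, problems) for the fragments of one datagram."""
    problems = []
    expected = 0  # offset at which the next fragment has to start
    frags = sorted(frags)
    for off, length, _more in frags:
        if off > expected:
            problems.append(f"gap: bytes {expected}-{off - 1} missing")
        elif off < expected:
            problems.append(f"overlap at offset {off}")
        expected = max(expected, off + length)
    if not frags or frags[-1][2]:
        problems.append("last fragment (MF=0) missing")
    return (not problems, problems)

if __name__ == "__main__":
    for ip_id, frags in parse_rows(SAMPLE).items():
        ok, problems = check_fragments(frags)
        print(ip_id, "complete" if ok else "; ".join(problems))
```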