Decoding SIP packet containing STIR/SHAKEN certificate
In capturing SIP UDP INVITES that have a STIR/SHAKEN (aka STI-PA) certificate within the packet, Wireshark 4.4.7 labels it as "Fragmented IP protocol" though it is not fragmented (though it does have a length of 1514). I tried doing a "decode as", but there is no SIP option there. Any suggestions on getting wireshark to see it as a SIP INVITE?
Are you sure it isn't fragmented? What are the values of the ip.flags field? SIP over UDP very commonly can be fragmented at the IP layer. You can also turn off the "Reassemble IPv4 datagrams" preference in the IPv4 layer to dissect first fragments without reassembly. If it's over IPv6 there are analogous steps.
How are you capturing? Note that capture filters based on UDP port alone (e.g. 5060) will not capture non first fragments, because fragments don't have a UDP layer or port.
Thanks for the quick response. Those are good questions and good info. Flags below. Your suggestion on the "reassemble" setting did the trick on Wireshark seeing it as an INVITE. And FYI, I am capturing the source with a tcpdump and "udp port 5060".
Interesting. And the ip.fragment_offset field, is that zero? Are you perhaps truncating the capture (though I am not sure that it should be marked as fragmented in that case.) If the fragment offset is also zero, I might like to take a look, if you can open an issue and attach the capture file on the Gitlab page: https://gitlab.com/wireshark/wireshar...
ip.fragment_offset is zero. Opened gitlab with same title with attachment. Thanks! As I stated, turning off the reassemble IPv4 datagrams fixed it up for me.
Similar to Disabling "Reassemble Fragmented IPv4 datagrams" preference in IPv4 protocol for tshark? where the IP fragments are not captured.