
Decoding SIP packet containing STIR/SHAKEN certificate

asked 2025-07-01 13:17:55 +0000

ghostman65

In capturing SIP UDP INVITEs that have a STIR/SHAKEN (aka STI-PA) certificate within the packet, Wireshark 4.4.7 labels it as "Fragmented IP protocol" though it is not fragmented (though it does have a length of 1514). I tried doing a "Decode As", but there is no SIP option there. Any suggestions on getting Wireshark to see it as a SIP INVITE?


Comments

Are you sure it isn't fragmented? What are the values of the ip.flags field? SIP over UDP very commonly can be fragmented at the IP layer. You can also turn off the "Reassemble IPv4 datagrams" preference in the IPv4 layer to dissect first fragments without reassembly. If it's over IPv6 there are analogous steps.

How are you capturing? Note that capture filters based on UDP port alone (e.g. 5060) will not capture non first fragments, because fragments don't have a UDP layer or port.

johnthacker ( 2025-07-01 13:32:00 +0000 )

Thanks for the quick response. Those are good questions and good info. Flags below. Your suggestion on the "reassemble" setting did the trick on Wireshark seeing it as an INVITE. And FYI, I am capturing the source with tcpdump and "udp port 5060".

010. .... = Flags: 0x2, Don't fragment
    0... .... = Reserved bit: Not set
    .1.. .... = Don't fragment: Set
    ..0. .... = More fragments: Not set
ghostman65 ( 2025-07-01 13:53:25 +0000 )

Interesting. And the ip.fragment_offset field, is that zero? Are you perhaps truncating the capture (though I am not sure that it should be marked as fragmented in that case)? If the fragment offset is also zero, I might like to take a look, if you can open an issue and attach the capture file on the GitLab page: https://gitlab.com/wireshark/wireshar...

johnthacker ( 2025-07-01 14:34:02 +0000 )

ip.fragment_offset is zero. Opened a GitLab issue with the same title and the attachment. Thanks! As I stated, turning off "Reassemble IPv4 datagrams" fixed it up for me.

ghostman65 ( 2025-07-01 14:49:56 +0000 )

Chuckc ( 2025-07-01 16:12:54 +0000 )
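As an added illustration of the fragmentation points raised in the comments above (example code, not from the question, the commenters, or Wireshark): it builds constructed IPv4/UDP packets, reads the DF/MF flags and fragment offset, and shows which packets still carry a UDP header, which is why a "udp port 5060" capture filter keeps only the first fragment of a split INVITE. Addresses, the Identity header value, and packet sizes are constructed placeholders.

```python
import struct

def build_ipv4(payload, df=False, mf=False, frag_offset=0, proto=17):
    """Minimal IPv4 header (no options, checksum left zero) + payload."""
    flags_frag = (df << 14) | (mf << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # constructed addresses
    return hdr + payload

def build_udp(sport, dport, data):
    """UDP header (checksum left zero) + data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt, port=5060):
    """Read the IPv4 fragmentation fields and report what a dissector, or a
    'udp port 5060' capture filter, can see in this single packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, flags_frag, _ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    mf = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8           # fragment offset in bytes
    # Only the first fragment (offset 0) carries the UDP header and ports.
    udp_visible = proto == 17 and offset == 0
    ports = struct.unpack("!HH", pkt[ihl:ihl + 4]) if udp_visible else ()
    return {
        "total_length": total_len,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": mf,
        "fragment_offset": offset,
        "needs_reassembly": mf or offset != 0,   # MF set, or a later piece
        "udp_header_visible": udp_visible,
        "port_filter_matches": port in ports,
    }

def samples():
    """Constructed packets: a whole 1500-byte INVITE like the asker's (DF set,
    not fragmented), and a larger INVITE split by a router into two fragments."""
    sip = b"INVITE sip:bob@example.invalid SIP/2.0\r\nIdentity: <constructed>\r\n"
    udp = build_udp(5060, 5060, sip + b"x" * (1472 - len(sip)))  # 1480-byte datagram
    whole = build_ipv4(udp, df=True)                             # total length 1500
    big = build_udp(5060, 5060, sip + b"x" * 1800)                # too large for one frame
    first = build_ipv4(big[:1480], mf=True)                      # MF=1, offset 0, has UDP hdr
    last = build_ipv4(big[1480:], frag_offset=1480 // 8)         # MF=0, offset 1480, no UDP hdr
    return {"whole": whole, "first_fragment": first, "last_fragment": last}

if __name__ == "__main__":
    for name, pkt in samples().items():
        print(name, classify(pkt))
```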

1 Answer


answered 2025-07-01 16:16:08 +0000

Jaap
