Different protocols recognized by tshark on Windows and Linux

I am investigating a capture file where some SIP messages arrive in the wrong order (out-of-order segments). If I observe the packet layers of the particular segment, I get different results on Windows and Linux machines.

Both on Linux and Windows the tshark command is the following (I am looking for frame no. 650):

tshark -r ooo.pcap -T fields -e frame.protocols frame.number==650

However the outputs of the command are different on different OSs:

Windows output:

sll:ethertype:ip:tcp:sip:sdp

Linux output (CentOS 7):

sll:ethertype:ip:tcp

It seems like the Linux version cannot detect the sip layer. On sip packets that are not out-of-order both versions read the sip layer correctly.

How does this happen? Is there a settings field that has a different default value on Linux and Windows?

Both Wireshark (tshark) versions are the same (3.0.6), and the 'ooo.pcap' file is also identical.
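One way to narrow down a host-dependent difference like this is to stop relying on whatever preferences file each host loads and instead pin the TCP reassembly preferences on the command line, then compare the effective `tcp.*` preferences of the two hosts. The script below is an added example, not part of the original question or of Wireshark itself. It assumes the `ooo.pcap` file and frame 650 from the question; `tcp.desegment_tcp_streams` and `tcp.reassemble_out_of_order` are real Wireshark 3.x preference names, but whether they are the cause of the difference is an assumption, not something the question establishes.

```shell
#!/bin/sh
# Added example (not from the original post): make the frame.protocols check
# independent of each host's preferences file, and compare effective tcp.*
# preferences between two hosts.

# Build the diagnostic command with the reassembly preferences pinned explicitly
# via -o, so both hosts dissect with the same settings regardless of their
# preferences files. Usage: build_cmd <pcap> <frame-number>
build_cmd() {
    printf '%s' "tshark -r '$1' \
-o tcp.desegment_tcp_streams:TRUE \
-o tcp.reassemble_out_of_order:TRUE \
-T fields -e frame.protocols -Y 'frame.number==$2'"
}

# Dump this host's effective tcp.* preferences (tshark -G currentprefs prints
# the current preferences in preferences-file format; defaults are commented
# with a leading '#'). Usage: dump_tcp_prefs <output-file>
dump_tcp_prefs() {
    tshark -G currentprefs | grep -E '^#?tcp\.' > "$1"
}

# Show preferences that differ between two dump files (one from each host).
# comm -3 suppresses lines present in both, leaving only the differences.
# Usage: diff_prefs <dump-from-host-A> <dump-from-host-B>
diff_prefs() {
    a=$(mktemp); b=$(mktemp)
    sort "$1" > "$a"
    sort "$2" > "$b"
    comm -3 "$a" "$b"
    rm -f "$a" "$b"
}

# Example usage on each host:
#   dump_tcp_prefs prefs-$(hostname).txt
#   eval "$(build_cmd ooo.pcap 650)"
# Then, with both dump files copied to one machine:
#   diff_prefs prefs-windows.txt prefs-centos7.txt
```

If the pinned command prints the same layer list on both hosts while the unpinned one does not, the difference comes from preferences rather than from the dissector build; the `diff_prefs` output then shows which `tcp.*` preference is set differently.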