# Revision history [back]

### tshark with SCTP fragmentation

Hello all,

I am facing an issue using tshark for SCTP fragmented frames.

I have SIP traffic coming over SCTP. SIP packet is fragmented into 2 SCTP data chunks. I have it stored into a input.pcapng file. I use the following command to filter this:

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng
Or
tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapng

But the output file contains only the fragment in which the packet is reassembled.

Problems:
1. Output file does not contain the correct frame containing fragment which has matching filter. It shows the fragment which did the reassembly.
2. It does not show both the fragments in output file.

What can be the reason and how can I achieve this?

Note: I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see the both fragments are written to output file. So this seems to be working for IP fragmentation.

Amit

### tshark with SCTP fragmentation

Hello all,

I am facing an issue using tshark for SCTP fragmented frames.

I have SIP traffic coming over SCTP. SIP packet is fragmented into 2 SCTP data chunks. I have it stored into a input.pcapng file. I use the following command to filter this:

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng
Or
tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapng

But the output file contains only the fragment in which the packet is reassembled.

Problems:
1. Output file does not contain the correct frame containing fragment which has matching filter. It shows the fragment which did the reassembly.
2. It does not show both the fragments in output file.

What can be the reason and how can I achieve this?

Note: I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see the both fragments are written to output file. So this seems to be working for IP fragmentation.

Amit

 3 None grahamb 23476 ●4 ●805 ●226 https://www.wireshark.org

### tshark with SCTP fragmentation

Hello all,

I am facing an issue using tshark for SCTP fragmented frames.

I have SIP traffic coming over SCTP. SIP packet is fragmented into 2 SCTP data chunks. I have it stored into a input.pcapng file. I use the following command to filter this:

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng output.pcapng


Or

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapngoutput.pcapng


But the output file contains only the fragment in which the packet is reassembled.

Problems:
1.

1. Output file does not contain the correct frame containing fragment which has matching filter. It shows the fragment which did the reassembly.
2.
2. It does not show both the fragments in output file.

What can be the reason and how can I achieve this?

Note: I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see the both fragments are written to output file. So this seems to be working for IP fragmentation.

### tshark with SCTP fragmentation

Hello all,

I am facing an issue using tshark for SCTP fragmented frames.

I have SIP traffic coming over SCTP. SIP packet is fragmented into 2 SCTP data chunks. I have it stored into a input.pcapng file. I use the following command to filter this:

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng


output.pcapng
Or

 tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapng

output.pcapng

But the output file contains only the fragment in which the packet is reassembled.

Problems:

1. 1.
Output file does not contain the correct frame containing fragment which has matching filter. It shows the fragment which did the reassembly.

2. 2.
It does not show both the fragments in output file.

Questions:
1. What can be the reason and how can I achieve this?resolve above problems?
2. Also, if a SIP packet is segmented into multiple TCP segments and I want to use a SIP header based filter and would like all TCP segments to be output, is it possible? If yes, what command shall I use?

Note: I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see the both fragments are written to output file. So this seems to be working for IP fragmentation.

Amit

### tshark with SCTP fragmentation

Hello all,

I am facing an issue using tshark for SCTP fragmented frames.

I have SIP traffic coming over SCTP. SIP packet is fragmented into 2 SCTP data chunks. I have it stored into a input.pcapng file. I use the following command to filter this:

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng
Or
tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapng

But the output file contains only the fragment in which the packet is reassembled.

Problems:
1. Output file does not contain the correct frame containing fragment which has matching filter. It shows the fragment which did the reassembly.
2. It does not show both the fragments in output file.

Questions:
1. What can be the reason and how can I resolve above problems?
2. Also, if a SIP packet is segmented into multiple TCP segments and I want to use a SIP header based filter and would like all TCP segments to be output, is it possible? If yes, what command shall I use?

Note: I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see the both fragments are written to output file. So this seems to be working for IP fragmentation.

Amit

### tshark with SCTP fragmentationSCTP/TCP fragmentation/segmentation not working?

Hello all,

I am facing an issue using tshark for SCTP fragmented frames.

I have SIP traffic coming over SCTP. SIP packet is fragmented into 2 SCTP data chunks. I have it stored into a input.pcapng file. I use the following command to filter this:

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng
Or
tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapng

But the output file contains only the fragment in which the packet is reassembled.

Problems:
1. Output file does not contain the correct frame containing fragment which has matching filter. It shows the fragment which did the reassembly.
2. It does not show both the fragments in output file.

Questions:
1. What can be the reason and how can I resolve above problems?
2. Also, if a SIP packet is segmented into multiple TCP segments and I want to use a SIP header based filter and would like all TCP segments to be output, is it possible? If yes, what command shall I use?

Note: I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see the both fragments are written to output file. So this seems to be working for IP fragmentation.

Amit

### tshark with SCTP/TCP fragmentation/segmentation not working?

Hello all,

I am facing an issue using tshark for SCTP fragmented frames.

I have SIP traffic coming over SCTP. SIP packet is fragmented into 2 SCTP data chunks. I have it stored into a input.pcapng file. I use the following command to filter this:

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng
Or
tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapng

But the output file contains only the fragment in which the packet is reassembled.

Problems:
1. Output file does not contain the correct frame containing fragment which has matching filter. It shows the fragment which did the reassembly.
2. It does not show both the fragments in output file.

Questions:
1. What can be the reason and how can I resolve above problems?
2. Also, if a SIP packet is segmented into multiple TCP segments and I want to use a SIP header based filter and would like all TCP segments to be output, is it possible? If yes, what command shall I use?

Note: I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see the both fragments are written to output file. So this seems to be working for IP fragmentation.

Amit

 8 None grahamb 23476 ●4 ●805 ●226 https://www.wireshark.org

### tshark filtering with SCTP/TCP fragmentation/segmentation SCTP fragmentation not working?

Hello all,

I am facing an issue using tshark for SCTP fragmented frames.

I have SIP traffic coming over SCTP. SIP packet is fragmented into 2 SCTP data chunks. I have it stored into a input.pcapng file. I use the following command to filter this:

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng output.pcapng


Or

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapngoutput.pcapng


But the output file contains only the fragment in which the packet is reassembled.

Problems:
1.

1. Output file does not contain the correct frame containing fragment which has matching filter. It shows the fragment which did the reassembly.
2.
2. It does not show both the fragments in output file.

Questions:
1.

1. What can be the reason and how can I resolve above problems?
2.
2. Also, if a SIP packet is segmented into multiple TCP segments and I want to use a SIP header based filter and would like all TCP segments to be output, is it possible? If yes, what command shall I use?

Note: I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see the both fragments are written to output file. So this seems to be working for IP fragmentation.

Amit

### tshark filtering with SCTP fragmentation not working?

Hello all,

I am facing an issue using tshark for SCTP fragmented segmented frames.

I have SIP traffic coming over SCTP. SIP packet is fragmented segmented into 2 SCTP data chunks. I have it stored into a input.pcapng file. I use the following command to filter this:

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng


Or

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapng


But the output file contains only the fragment SCTP segment in which the packet is reassembled.

Problems:

1. Output file does not contain the correct frame containing fragment segment which has matching filter. It shows the fragment segment which did the reassembly.
2. It does not show both the fragments segments in output file.

Questions:

1. What can be the reason and how can I resolve above problems?
2. Also, if a SIP packet is segmented into multiple TCP segments and I want to use a SIP header based filter and would like all TCP segments to be output, is it possible? If yes, what command shall I use?

Note:
I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see the both fragments are written to output file. So this seems to be working for IP fragmentation.fragmentation.
I tried SIP with TCP segmentation and tshark filtering outputs all TCP segments corresponding to SIP packet. I also tried Diameter with TCP segmentation and tshark filtering outputs all TCP segments corresponding to that Diameter packet.
Hence the above problem looks to be specific to SCTP segmentation.

Amit

### tshark filtering with SCTP fragmentation not working?

Hello all,

I am facing an issue using tshark for SCTP segmented frames.

I have SIP traffic coming over SCTP. SIP packet is segmented into 2 SCTP data chunks. I have it stored into a input.pcapng file. I use the following command to filter this:

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng


Or

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapng


But the output file contains only the SCTP segment in which the packet is reassembled.

Problems:

1. Output file does not contain the correct frame containing segment which has matching filter. It shows the segment which did the reassembly.
2. It does not show both the segments in output file.

Questions:

1. What can be the reason and how can I resolve above problems?

Note:
I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see the both fragments are written to output file. So this seems to be working for IP fragmentation.
I tried SIP with TCP segmentation and tshark filtering outputs all TCP segments corresponding to SIP packet. I also tried Diameter with TCP segmentation and tshark filtering outputs all TCP segments corresponding to that Diameter packet.
Hence the above problem looks to be specific to SCTP segmentation.