Revision history

tshark with SCTP fragmentation

Hello all,

I am facing an issue using tshark for SCTP fragmented frames.

I have SIP traffic coming over SCTP. The SIP packet is fragmented into 2 SCTP data chunks. I have it stored in an input.pcapng file. I use the following command to filter this:

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng
Or
tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapng

But the output file contains only the fragment in which the packet is reassembled.

Problems:
1. Output file does not contain the correct frame containing fragment which has matching filter. It shows the fragment which did the reassembly.
2. It does not show both the fragments in output file.

What can be the reason and how can I achieve this?

Note: I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see that both fragments are written to the output file. So this seems to be working for IP fragmentation.

Thanks in advance,
Amit

tshark with SCTP fragmentation

Hello all,

I am facing an issue using tshark for SCTP fragmented frames.

I have SIP traffic coming over SCTP. The SIP packet is fragmented into 2 SCTP data chunks. I have it stored in an input.pcapng file. I use the following command to filter this:

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng
Or
tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapng

But the output file contains only the fragment in which the packet is reassembled.

Problems:
1. Output file does not contain the correct frame containing fragment which has matching filter. It shows the fragment which did the reassembly.
2. It does not show both the fragments in output file.

Questions:
1. What can be the reason and how can I resolve above problems?
2. Also, if a SIP packet is segmented into multiple TCP segments and I want to use a SIP header based filter and would like all TCP segments to be output, is it possible? If yes, what command shall I use?

Note: I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see that both fragments are written to the output file. So this seems to be working for IP fragmentation.

Thanks in advance,
Amit

tshark with SCTP/TCP fragmentation/segmentation not working?

Hello all,

I am facing an issue using tshark for SCTP fragmented frames.

I have SIP traffic coming over SCTP. The SIP packet is fragmented into 2 SCTP data chunks. I have it stored in an input.pcapng file. I use the following command to filter this:

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng
Or
tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapng

But the output file contains only the fragment in which the packet is reassembled.

Problems:
1. Output file does not contain the correct frame containing fragment which has matching filter. It shows the fragment which did the reassembly.
2. It does not show both the fragments in output file.

Questions:
1. What can be the reason and how can I resolve above problems?
2. Also, if a SIP packet is segmented into multiple TCP segments and I want to use a SIP header based filter and would like all TCP segments to be output, is it possible? If yes, what command shall I use?

Note: I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see that both fragments are written to the output file. So this seems to be working for IP fragmentation.

Thanks in advance,
Amit

tshark filtering with SCTP fragmentation not working?

Hello all,

I am facing an issue using tshark for SCTP fragmented frames.

I have SIP traffic coming over SCTP. The SIP packet is fragmented into 2 SCTP data chunks. I have it stored in an input.pcapng file. I use the following command to filter this:

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng

Or

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapng

But the output file contains only the fragment in which the packet is reassembled.

Problems:

  1. Output file does not contain the correct frame containing fragment which has matching filter. It shows the fragment which did the reassembly.
  2. It does not show both the fragments in output file.

Questions:

  1. What can be the reason and how can I resolve above problems?
  2. Also, if a SIP packet is segmented into multiple TCP segments and I want to use a SIP header based filter and would like all TCP segments to be output, is it possible? If yes, what command shall I use?

Note: I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see that both fragments are written to the output file. So this seems to be working for IP fragmentation.

Thanks in advance,
Amit

tshark filtering with SCTP fragmentation not working?

Hello all,

I am facing an issue using tshark for SCTP segmented frames.

I have SIP traffic coming over SCTP. The SIP packet is segmented into 2 SCTP data chunks. I have it stored in an input.pcapng file. I use the following command to filter this:

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng

Or

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapng

But the output file contains only the SCTP segment in which the packet is reassembled.

Problems:

  1. Output file does not contain the correct frame containing segment which has matching filter. It shows the segment which did the reassembly.
  2. It does not show both the segments in output file.

Questions:

  1. What can be the reason and how can I resolve above problems?
  2. Also, if a SIP packet is segmented into multiple TCP segments and I want to use a SIP header based filter and would like all TCP segments to be output, is it possible? If yes, what command shall I use?

Note:
I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see that both fragments are written to the output file. So this seems to be working for IP fragmentation.
I tried SIP with TCP segmentation and tshark filtering outputs all TCP segments corresponding to SIP packet. I also tried Diameter with TCP segmentation and tshark filtering outputs all TCP segments corresponding to that Diameter packet.
Hence the above problem looks to be specific to SCTP segmentation.

Thanks in advance,
Amit

tshark filtering with SCTP fragmentation not working?

Hello all,

I am facing an issue using tshark for SCTP segmented frames.

I have SIP traffic coming over SCTP. The SIP packet is segmented into 2 SCTP data chunks. I have it stored in an input.pcapng file. I use the following command to filter this:

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng

Or

tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapng

But the output file contains only the SCTP segment in which the packet is reassembled.

Problems:

  1. Output file does not contain the correct frame containing segment which has matching filter. It shows the segment which did the reassembly.
  2. It does not show both the segments in output file.

Questions:

  1. What can be the reason and how can I resolve above problems?

Note:
I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see that both fragments are written to the output file. So this seems to be working for IP fragmentation.
I tried SIP with TCP segmentation and tshark filtering outputs all TCP segments corresponding to SIP packet. I also tried Diameter with TCP segmentation and tshark filtering outputs all TCP segments corresponding to that Diameter packet.
Hence the above problem looks to be specific to SCTP segmentation.

Thanks in advance,
Amit