Revision history

tshark unable to cope with fragmented/segmented messages?

I need to pre-filter huge (multiple GBytes) SIP traces and want to do that using tshark.
These days several SIP messages are spanning more than a single IP packet or TCP segment.
Thus my expectation is that tshark will reassemble those big SIP messages, apply the filter expression and then write the selected messages - including ALL frames a message consists of - into an output pcap file which I may analyze in detail with Wireshark.
For example (tshark version 3.4.9):
tshark -Y "sip.Method==INVITE" -r input.pcap -w output.pcap

But it doesn't work as required.
When the input file contains SIP messages occupying multiple IP packets, tshark only writes one of the packets to the output file.

I use this file for demonstration: SIP example trace

Loading it into Wireshark and applying "sip.Method==INVITE" as the filter shows:
(Info column has been cut for these displays.)

 No. Source      Destination    Length Info
   1 217.0.21.65 84.146.135.221   1445 Request: INVITE sip:[email protected]
2076 217.0.21.65 84.146.135.221    591 Request: INVITE sip:[email protected]
3916 217.0.21.65 84.146.135.221   1447 Request: INVITE sip:[email protected]

Actually the message in frame 2076 consists of two IP packets.
Writing these messages into file using "Export Specified Packets" with Packet Range "All Packets" as "Displayed" works as expected, Wireshark includes the additional IP packet.

 No. Source      Destination    Length Info
   1 217.0.21.65 84.146.135.221   1445 Request: INVITE sip:[email protected]
   2 217.0.21.65 84.146.135.221   1518 Fragmented IP protocol...  [Reassembled in #3]
   3 217.0.21.65 84.146.135.221    591 Request: INVITE sip:[email protected]
   4 217.0.21.65 84.146.135.221   1447 Request: INVITE sip:[email protected]

When using tshark with the command line shown above, only the last IP packet of the big SIP message is included in the output file.

 No. Source      Destination    Length Info
   1 217.0.21.65 84.146.135.221   1445 Request: INVITE sip:[email protected]
   2 217.0.21.65 84.146.135.221    591 Fragmented IP protocol (proto=UDP 17, off=1472)
   3 217.0.21.65 84.146.135.221   1447 Request: INVITE sip:[email protected]

This is quite useless...
Something similar happens with big SIP messages if TCP is used for transport.

It's said that tshark will respect the Wireshark protocol settings, e.g. message reassembly etc.
As it works with Wireshark itself I'd expect it to work with tshark too.
Anyway, I have tried several permutations of tshark parameters so far but didn't see any improvement.
tshark -2 -R "sip.Method==INVITE"
tshark -2 -R "sip.Method==INVITE" -o ip.defragment:TRUE
tshark -2 -R "sip.Method==INVITE" -o sip.desegment_headers:TRUE
and so on...

Now, does anybody have a working/verified hint on how to bring tshark to write all IP packets of big SIP messages into an output pcap file?
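One workaround, added here and not part of the original question: let two-pass tshark list the frames that match the SIP filter, then also collect every fragment or segment whose ip.reassembled_in / tcp.reassembled_in points at one of those frames, and write the combined set with a frame.number set filter. The tshark calls assume those reassembly fields are populated in -2 mode; the sample map data in the script is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). A display filter on the reassembled SIP
# message only selects the frame where reassembly completes, so the other fragment or
# segment frames are recovered via their ip.reassembled_in / tcp.reassembled_in fields.

# Input 1: matching frame numbers, one per line.
# Input 2: per-frame map "frame<TAB>ip.reassembled_in<TAB>tcp.reassembled_in"
#          (empty fields for frames that are not fragments/segments; assumes one
#          reassembled_in value per frame).
# Output: a display filter selecting the matches plus the frames reassembled into them.
build_frame_filter() {
    matches="$1"
    reasm="$2"
    frames=$(awk -F'\t' '
        FILENAME == ARGV[1] { want[$1] = 1; next }      # first file: matching frames
        {
            if ($1 in want) print $1                    # the reassembled frame itself
            else if (($2 != "" && ($2 in want)) ||
                     ($3 != "" && ($3 in want))) print $1   # a piece of a matching message
        }' "$matches" "$reasm" | sort -n | tr '\n' ' ')
    printf 'frame.number in {%s}\n' "${frames% }"
}

# Constructed sample data: frames 1, 3, 4 match sip.Method==INVITE; frame 2 is an IP
# fragment reassembled in #3; frame 5 belongs to a non-matching message (reassembled in #7).
write_sample_matches() { printf '1\n3\n4\n' > "$1"; }
write_sample_reasm()   { printf '1\t\t\n2\t3\t\n3\t\t\n4\t\t\n5\t7\t\n' > "$1"; }

# Full workflow (needs tshark; not exercised by the demo below). Pass 1 lists the frames
# matching the filter, pass 2 dumps the reassembly map (-T fields separates with tabs
# by default), pass 3 writes the combined frame set to the output pcap.
filter_sip_with_fragments() {
    in="$1"; out="$2"; expr="$3"
    m=$(mktemp); r=$(mktemp)
    tshark -2 -r "$in" -Y "$expr" -T fields -e frame.number > "$m"
    tshark -2 -r "$in" -T fields -e frame.number -e ip.reassembled_in -e tcp.reassembled_in > "$r"
    tshark -r "$in" -Y "$(build_frame_filter "$m" "$r")" -w "$out"
    rm -f "$m" "$r"
}

# Stand-alone demo on the constructed data (no tshark needed). With a real trace:
#   filter_sip_with_fragments input.pcap output.pcap 'sip.Method==INVITE'
m=$(mktemp); r=$(mktemp)
write_sample_matches "$m"; write_sample_reasm "$r"
build_frame_filter "$m" "$r"    # → frame.number in {1 2 3 4}
rm -f "$m" "$r"
```

The set filter grows with the number of matching frames, so on a multi-gigabyte trace with many hits you may need to split the frame list into several -Y runs and merge the outputs with mergecap.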
