
Disabling "Reassemble Fragmented IPv4 datagrams" preference in IPv4 protocol for tshark?

Hi, I am using tshark on Linux and I wrote a script that finds the number of SIP packets over SIP ports and IPs. My script captures with tshark for 10 seconds, then counts the number of SIP packets according to some filters. I checked the pcap file that was created by my script in Wireshark. According to the filter in the script, I saw there are 0 packets in Wireshark. The filter I use in the script is below:

sip && !sip.CSeq.method == OPTIONS && ip.src == "[SOURCE_IP]" && udp.srcport == 5060

But when we analyzed the same pcap from another Wireshark, we saw that there are 10 packets according to the above filter. After some research we realized that the difference is in the preferences of the IPv4 protocol. When we disabled the "Reassemble Fragmented IPv4 datagrams" preference in the IPv4 protocol in my Wireshark, we saw that there are 10 packets. So I need to disable this feature in tshark on Linux. However, I cannot find a way to do it. Do you know if there is a way to disable the "Reassemble Fragmented IPv4 datagrams" option for tshark?
