I have captured a pcap with GRE traffic, and could filter out the GRE traffic by:

    [root@vmtca-2101 mzhan017]# tshark -r ims_merged_bad.pcap "ip.proto == 47"
    Running as user "root" and group "root". This could be dangerous.
    42037 144.861194 10.0.0.7 → 55.0.0.5 IPv4 1512 Fragmented IP protocol (proto=UDP 17, off=0, ID=079a)
    42039 144.861213 10.0.0.7 → 55.0.0.5 IPv4 69 Fragmented IP protocol (proto=UDP 17, off=1448, ID=079a)

These two fragments are one SIP INVITE message.
So I tried to filter the SIP with the following command:

    tshark -2 -r ims_merged_bad.pcap -Y "ip.proto == 47" "sip.CSeq.method==\"INVITE\""

But I couldn't get the INVITE message out.
Does tshark support this kind of reassembly? Any suggestions for this demand?
Thanks, Mark