mzhan017's profile - activity

I have captured on pcap with gre traffic. and could filter out the gre traffic by:

[root@vmtca-2101 mzhan017]# tshark -r ims_merged_bad.pcap  "ip.proto == 47"
Running as user "root" and group "root". This could be dangerous.
42037 144.861194     10.0.0.7 → 55.0.0.5     IPv4 1512 Fragmented IP protocol (proto=UDP 17, off=0, ID=079a)
42039 144.861213     10.0.0.7 → 55.0.0.5     IPv4 69 Fragmented IP protocol (proto=UDP 17, off=1448, ID=079a)

These two fragments are one SIP INVITE message.

So I tried to filter the SIP with following command.

tshark -2 -r ims_merged_bad.pcap -R "ip.proto == 47"   "sip.CSeq.method==\"INVITE\""

But couldn't get the INVITE message out.

Does tshark support this kind of re-assemble? Any suggestion for this demand?

Thanks, Mark

Seems expected for tunnel mode, from code of kernel. xfrm_input .... if (x->outer_mode->flags & XFRM_M

Could tshark capture the de-encrypted packet when receiving ESP? We encounter one problem: When using tshark to captu

hello cmaynard, sorry for misleading. I pasted wrong command. It should be -R.

How to let tshark reassemble the fragments on GRE? I have captured on pcap with gre traffic. and could filter out the gr

Hello Grahamb, Thanks for your support. Yes, with -o option, the SIP INVITE could be showed. Does this mean, tshark has

By the way, the fragments happened on IP over GRE.

How to let tshark reassemble the fragments on GRE? I have captured on pcap with gre traffic. and could filter out the gr