Wireshark-bugs: [Wireshark-bugs] [Bug 3981] TCP SIP (not UDP) packets not saving correctly using

Date: Sun, 6 Sep 2009 12:39:54 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3981





--- Comment #1 from Sake <sake@xxxxxxxxxx>  2009-09-06 12:39:53 PDT ---
(In reply to comment #0)
> Is it possible to view the traces correctly as I will have 
> to carry out the test again if not. I have attached an 
> example together with the full trace.

Yes you can, you can use the filter string "udp.port==5060 || tcp.port==5060"
instead of the filter "sip". It results in 272 packets instead of 146 in your
partial file. The other 126 packets are (tcp) fragments of reassebled SIP PDU's
(ie SIP PDU's that spanned more than 1 tcp segments).

The bottom line is that when there are reassembled PDU's matching your display
filter, only the frames containing the last segment are saved by wireshark.
Also, the three way handshake and ACK's are not displayed (and thus not saved)
when using a higher layer filter like "sip". If that was indeed the purpose,
you can use the filter "udp.port==5060 || (tcp.port==5060 and tcp.len>0)".


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.