Wireshark-users: Re: [Wireshark-users] tshark - Issues with IP Defragmentation - SIP

From: Christopher Maynard <Christopher.Maynard@xxxxxxxxx>
Date: Fri, 8 Feb 2013 17:37:41 +0000 (UTC)
Marv <marv@...> writes:

> I have a problem reading pcap files
> that have fragmented packets with tshark. My expectation is tshark will
> re-assemble the fragmented IP packets before it passes them to the
> higher layer dissectors. But this doesn't appear to happen. If I open the
> same file with the Wireshark GUI application it does this fine.
> Should I be able to do this with tshark on the command line? I have 
> tried various tshark versions and get the same result. 1.4x, 1.6.7 and 
> 1.8.2. I have also tried overriding the default sip.defragment option.

You can try using the "-2" option so that tshark performs a 2-pass analysis. 
But be aware that there appears to be a bug with that option that you might run
into: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8101

NOTE: "-2" is for Wireshark 1.8 or later.  Prior to that, it was the
undocumented "-P" option.