Marv <marv@...> writes:
> I have a problem reading pcap files
> that have fragmented packets with tshark. My expectation is tshark will
> re-assemble the fragmented IP packets before it passes them to the
> higher layer dissectors. But this doesn't appear to happen. If I open the
> same file with the Wireshark GUI application it does this fine.
> Should I be able to do this with tshark on the command line? I have
> tried various tshark versions and get the same result. 1.4x, 1.6.7 and
> 1.8.2. I have also tried overriding the default sip.defragment option.

You can try using the "-2" option so that tshark performs a 2-pass analysis.
But be aware that there appears to be a bug with that option that you might run
into: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8101
NOTE: "-2" is for Wireshark 1.8 or later. Prior to that, it was the
undocumented "-P" option.