Wireshark-users: [Wireshark-users] how to enable ip reassembly in tshark
|
Hi wireshark supporter, I installed wireshark software on my Ubuntu 16.04, and when I using
tshark to capture packets, I found that one of the sip packet which is more than 1500bytes is fragmented as
two ip packets. But if I using wireshark to capture all the sip packets can be shown
completely, the bigger sip packet which is more than 1500 bytes can be displayed in
one packet
in wireshark. My tshark and wireshark version is 2.2.6. So I’m confused, then I checked the preference of wireshark, and found that
ip reassembly is enabled by default, you can reference as below screen shots:
Now I need do some automation about capture packet and analyze packets, so it’s difficult to me if the sip message is fragmented as IP packets.
Is there any solution for this problem? Expect for your response and thanks for your strong support! Br Lily |
- Follow-Ups:
- Re: [Wireshark-users] how to enable ip reassembly in tshark
- From: Jaap Keuter
- Re: [Wireshark-users] how to enable ip reassembly in tshark
- Prev by Date: [Wireshark-users] Dissect independently from the port number
- Next by Date: Re: [Wireshark-users] how to enable ip reassembly in tshark
- Previous by thread: [Wireshark-users] Dissect independently from the port number
- Next by thread: Re: [Wireshark-users] how to enable ip reassembly in tshark
- Index(es):