Wireshark · Wireshark-users: Re: [Wireshark-users] how to enable ip reassembly in tshark

Wireshark-users: Re: [Wireshark-users] how to enable ip reassembly in tshark

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>

Date: Sat, 9 Dec 2017 13:52:39 +0100

Hi,

Tshark would be using the same preferences as Wireshark does (barring any profile changes), so should be reassembling the IP fragments into complete UDP packets with SIP payload.

If not, you can always add -o ip.defragment:TRUE to the Tshark command line to have this option set.

Thanks,

Jaap

On 8 Dec 2017, at 10:06, Wenling Li -X (wenlli - CIeNET at Cisco) <wenlli@xxxxxxxxx> wrote:

Hi wireshark supporter,

I installed wireshark software on my Ubuntu 16.04, and when I using tshark to capture packets, I found that one of the sip packet which is more than 1500bytes is fragmented as two ip packets.

But if I using wireshark to capture all the sip packets can be shown completely, the bigger sip packet which is more than 1500 bytes can be displayed in one packet in wireshark.

My tshark and wireshark version is 2.2.6.

So I’m confused, then I checked the preference of wireshark, and found that ip reassembly is enabled by default,

[SNIP]

Now I need do some automation about capture packet and analyze packets, so it’s difficult to me if the sip message is fragmented as IP packets.
Is there any solution for this problem? Expect for your response and thanks for your strong support!

Br
Lily

References:
- [Wireshark-users] how to enable ip reassembly in tshark
  - From: Wenling Li -X (wenlli - CIeNET at Cisco)

Prev by Date: [Wireshark-users] how to enable ip reassembly in tshark
Next by Date: [Wireshark-users] Display filter on smb2.fid
Previous by thread: [Wireshark-users] how to enable ip reassembly in tshark
Next by thread: [Wireshark-users] Display filter on smb2.fid
Index(es):
- Date
- Thread