
Different protocols recognized by tshark on Windows and Linux

I am investigating a capture file where some SIP messages arrive in the wrong order (out-of-order segments). If I observe the packet layers of the particular segment, I get different results on Windows and Linux machines.

Both on Linux and Windows the tshark command is the following (I am looking for frame no. 650):

tshark -r ooo.pcap -T fields -e frame.protocols frame.number==650

However, the outputs of the command are different on the two OSs:

Windows output:

sll:ethertype:ip:tcp:sip:sdp

Linux output (CentOS 7):

sll:ethertype:ip:tcp

It seems like the Linux version cannot detect the SIP layer. On SIP packets that are not out-of-order, both versions read the SIP layer correctly.

How does this happen? Is there a settings field that has a different default value on Linux and Windows?

Both Wireshark (tshark) versions are the same (3.0.6), and the 'ooo.pcap' file is also identical.

mibognar, asked 2019-11-13 08:54:43 +0000

Comments

Check tcp preferences on both machines.

Anders (2019-11-13 09:14:25 +0000)

Thanks, amazing! tcp.reassemble_out_of_order:TRUE did it. It looks like somehow Wireshark defaults this value differently on the two OSs.

mibognar (2019-11-13 09:50:09 +0000)

1 Answer


As Anders' comment suggested, there is a preference setting tcp.reassemble_out_of_order that defaults to False on installation. The preference file is modified by the Wireshark GUI; this caused my Windows cmd tshark to reassemble the out-of-order segments, as I ticked it when I was reading the file in the GUI. In Linux tshark (without a GUI in my case), however, you need to overwrite this parameter when running the command like this:

tshark -o tcp.reassemble_out_of_order:TRUE -r ooo.pcap -T fields -e frame.protocols frame.number==650
mibognar, answered 2019-11-13 10:24:12 +0000

Comments

Note that the preference defaults are the same for all platforms, although they may have changed between versions, so it's entirely possible to pick up user-modified preferences from an earlier version that appear to cause differences between platforms.

Any preference changes between platforms (when using the same version) are entirely down to user changes.

grahamb (2019-11-13 11:04:39 +0000)
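An added check, not part of the thread, that follows grahamb's point: read the preference out of each machine's Wireshark preferences file to see whether it is a user change or the commented-out installation default. It assumes Wireshark's convention of writing unchanged preferences as "#name: value" and user changes as "name: value"; the two sample files are constructed to mirror the Windows and Linux machines in the question.

```shell
#!/bin/sh
# Report the effective value of one Wireshark preference in a preferences file.
# Wireshark writes unchanged preferences commented out
# ("#tcp.reassemble_out_of_order: FALSE") and user changes uncommented
# ("tcp.reassemble_out_of_order: TRUE"); an uncommented line wins.
# Usage: pref_value <preferences-file> <pref-name>   -> "user:VAL" | "default:VAL" | "unset"
pref_value() {
    file=$1
    name=$2
    # user-set value: key at line start with no leading '#'
    user=$(sed -n "s/^[[:space:]]*${name}:[[:space:]]*\(.*\)$/\1/p" "$file" | tr -d '\r' | tail -n 1)
    if [ -n "$user" ]; then
        printf 'user:%s\n' "$user"
        return 0
    fi
    # otherwise the commented-out default written by the installed version
    default=$(sed -n "s/^#${name}:[[:space:]]*\(.*\)$/\1/p" "$file" | tr -d '\r' | tail -n 1)
    if [ -n "$default" ]; then
        printf 'default:%s\n' "$default"
        return 0
    fi
    printf 'unset\n'
}

# Compare one preference across two files; a "user:" result on one side is
# the kind of difference grahamb describes (a user change, not a platform default).
compare_pref() {
    a=$(pref_value "$1" "$3")
    b=$(pref_value "$2" "$3")
    if [ "${a#*:}" = "${b#*:}" ]; then echo "same"; else echo "differs: $a vs $b"; fi
}

# Constructed sample files standing in for the two machines. Real locations:
# ~/.config/wireshark/preferences on Linux, %APPDATA%\Wireshark\preferences on Windows.
WIN_PREFS=$(mktemp)
LINUX_PREFS=$(mktemp)
trap 'rm -f "$WIN_PREFS" "$LINUX_PREFS"' EXIT
cat > "$WIN_PREFS" <<'EOF'
# Reassemble out-of-order segments
# TRUE or FALSE (case-insensitive)
tcp.reassemble_out_of_order: TRUE
EOF
cat > "$LINUX_PREFS" <<'EOF'
# Reassemble out-of-order segments
# TRUE or FALSE (case-insensitive)
#tcp.reassemble_out_of_order: FALSE
EOF
compare_pref "$WIN_PREFS" "$LINUX_PREFS" tcp.reassemble_out_of_order
```

Run it against the real preferences file of each machine (second argument can be any preference name) to confirm which side carries a user edit before reaching for -o on the tshark command line.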
