tshark filtering with SCTP segmentation not working?
Hello all,
I am facing an issue using tshark for SCTP segmented frames.
I have SIP traffic coming over SCTP. SIP packet is segmented into 2 SCTP data chunks. I have it stored into a input.pcapng file. I use the following command to filter this:
tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -o sctp.reassembly:TRUE -r input.pcapng -w output.pcapng
Or
tshark -2 -Y 'sip.r-uri.host == "xxx.yyy.com"' -r input.pcapng -w output.pcapng
But the output file contains only the SCTP segment in which the packet is reassembled.
Problems:
- Output file does not contain the correct frame containing segment which has matching filter. It shows the segment which did the reassembly.
- It does not show both the segments in output file.
Questions:
- What can be the reason and how can I resolve above problems?
Note:
I tried the same with IP fragmentation (I have a SIP packet fragmented into 2 IP fragments) and after SIP header based filtering, I see the both fragments are written to output file. So this seems to be working for IP fragmentation.
I tried SIP with TCP segmentation and tshark filtering outputs all TCP segments corresponding to SIP packet. I also tried Diameter with TCP segmentation and tshark filtering outputs all TCP segments corresponding to that Diameter packet.
Hence the above problem looks to be specific to SCTP segmentation.
Thanks in advance,
Amit
Comments
@amit_wireshark, Note I "fixed" the question to use our normal markdown formatting for code and ordered lists and reapplied the same after your last edit.
What version of Wireshark? Please raise a bug report including an example pcap.
Thank you for response. I have submitted a bug.
https://bugs.wireshark.org/bugzilla/s...