tshark unable to cope with fragmented/segmented messages?

I need to pre-filter huge (multiple GBytes) SIP traces and want to do that using tshark.

These days several SIP messages are spanning more than a single IP packet or TCP segment.

Thus my expectation is that tshark will reassemble those big SIP messages, apply the filter expression and then write the selected messages - including ALL frames a message consists of - into an output pcap file which I may analyze in detail with Wireshark.

For example (tshark version 3.4.9):

tshark -Y "sip.Method==INVITE" -r input.pcap -w output.pcap

But it doesn't work as required. When the input file contains SIP messages occupying multiple IP packets, tshark only writes one of the packets to the output file.

I use this file for demonstration: SIP example trace

Loading it into Wireshark and applying "sip.Method==INVITE" as the filter shows the following (the Info column has been cut for these displays):

 No. Source      Destination    Length Info
   1 217.0.21.65 84.146.135.221   1445 Request: INVITE sip:[email protected]
2076 217.0.21.65 84.146.135.221    591 Request: INVITE sip:[email protected]
3916 217.0.21.65 84.146.135.221   1447 Request: INVITE sip:[email protected]

Actually, the message in frame 2076 consists of two IP packets.

Writing these messages into a file using "Export Specified Packets" with Packet Range "All Packets" as "Displayed" works as expected; Wireshark includes the additional IP packet.

No. Source      Destination    Length Info
  1 217.0.21.65 84.146.135.221   1445 Request: INVITE sip:[email protected]
  2 217.0.21.65 84.146.135.221   1518 Fragmented IP protocol...  [Reassembled in #3]
  3 217.0.21.65 84.146.135.221    591 Request: INVITE sip:[email protected]
  4 217.0.21.65 84.146.135.221   1447 Request: INVITE sip:[email protected]

When using tshark with the command line shown above, only the last IP packet of the big SIP message is included in the output file.

No. Source      Destination    Length Info
  1 217.0.21.65 84.146.135.221   1445 Request: INVITE sip:[email protected]
  2 217.0.21.65 84.146.135.221    591 Fragmented IP protocol (proto=UDP 17, off=1472)
  3 217.0.21.65 84.146.135.221   1447 Request: INVITE sip:[email protected]

This is quite useless...

Something similar happens with big SIP messages if TCP is used for transport.

It's said that tshark respects the Wireshark protocol settings, e.g. message reassembly.

As it works with Wireshark itself, I'd expect it to work with tshark too.

Anyway, I have tried several permutations of tshark parameters so far but didn't see any improvement.

tshark -2 -R "sip.Method==INVITE"
tshark -2 -R "sip.Method==INVITE" -o ip.defragment:TRUE
tshark -2 -R "sip.Method==INVITE" -o sip.desegment_headers:TRUE

and so on...

Now, does anybody have a working/verified hint on how to bring tshark ... (more)

HorstMeier, asked 2021-10-15 12:57:39 +0000; updated by grahamb 2021-10-15 13:36:41 +0000

1 Answer

Using tshark -2 -Y "sip.Method==INVITE" -r input.pcap -w output.pcap works for me. I get four packets in the output file:

> tshark -r C:\temp\out.pcapng -T fields -e frame.number -e ip.src -e ip.dst -e frame.len -e _ws.col.Info
1  217.0.21.65  84.146.135.221  1445    Request: INVITE sip:[email protected]
2  217.0.21.65  84.146.135.221  1518    Fragmented IP protocol (proto=UDP 17, off=0, ID=38fc)
3  217.0.21.65  84.146.135.221  591     Request: INVITE sip:[email protected]
4  217.0.21.65  84.146.135.221  1447    Request: INVITE sip:[email protected]
grahamb, answered 2021-10-15 13:51:31 +0000, updated 2021-10-15 13:57:03 +0000

Comments

Wow, that was quick! "-2 -Y" was a combination I didn't try. Thanks a lot, now I have something to play with...

HorstMeier (2021-10-15 14:14:59 +0000)
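To make the difference between the two command lines concrete, here is a small Python model of how a per-frame display filter interacts with IP reassembly. It is an added example, not code from Wireshark, tshark, the question or the answer. The five-frame trace, the IP IDs and the SIP text are constructed to mirror the question (frames 2 and 3 are the two fragments of one large INVITE); `Defragmenter`, `single_pass` and `two_pass` are illustrative names, and the reassembly is deliberately minimal (in-order fragments, no loss, no overlap).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    """One captured frame, reduced to the fields IP reassembly needs (constructed model)."""
    number: int      # frame number in the capture
    ip_id: int       # IP Identification field, shared by all fragments of one datagram
    offset: int      # fragment offset in bytes; 0 for the first or only fragment
    more: bool       # IP "More Fragments" flag
    payload: bytes   # bytes after the IP header (here: the SIP text)


def build_trace() -> List[Frame]:
    """Constructed trace modelled on the question: frames 2 and 3 carry the two
    fragments of one large INVITE; every other frame is a complete datagram."""
    head = b"INVITE sip:[email protected] SIP/2.0\r\nVia: SIP/2.0/UDP 217.0.21.65\r\nX-Pad: "
    first_fragment = head + b"x" * (1472 - len(head) - 2) + b"\r\n"   # exactly 1472 bytes
    return [
        Frame(1, 0x1001, 0, False, b"INVITE sip:[email protected] SIP/2.0\r\n"),
        Frame(2, 0x38FC, 0, True, first_fragment),                     # off=0, MF set
        Frame(3, 0x38FC, 1472, False, b"Content-Length: 0\r\n\r\n"),   # off=1472, last
        Frame(4, 0x1003, 0, False, b"BYE sip:[email protected] SIP/2.0\r\n"),
        Frame(5, 0x1004, 0, False, b"INVITE sip:[email protected] SIP/2.0\r\n"),
    ]


class Defragmenter:
    """Minimal IPv4 reassembly keyed on the IP ID (assumes no loss or overlap)."""

    def __init__(self) -> None:
        self.pending: Dict[int, List[Frame]] = {}

    def feed(self, frame: Frame) -> Optional[Tuple[bytes, List[int]]]:
        """Return (reassembled payload, contributing frame numbers) once a datagram
        is complete, or None while fragments are still outstanding."""
        if frame.offset == 0 and not frame.more:
            return frame.payload, [frame.number]        # unfragmented datagram
        frags = self.pending.setdefault(frame.ip_id, [])
        frags.append(frame)
        if frame.more:
            return None                                 # tail not seen yet
        frags.sort(key=lambda f: f.offset)
        expected = 0
        for f in frags:
            if f.offset != expected:
                return None                             # hole: keep waiting
            expected += len(f.payload)
        del self.pending[frame.ip_id]
        return b"".join(f.payload for f in frags), [f.number for f in frags]


def sip_method_is_invite(pdu: bytes) -> bool:
    """Stand-in for the display filter sip.Method==INVITE: check the request line."""
    return pdu.split(b" ", 1)[0] == b"INVITE"


def single_pass(trace: List[Frame], match: Callable[[bytes], bool]) -> List[int]:
    """What `tshark -Y ... -w` does without -2: the decision is made per frame, at
    the moment that frame is dissected.  A leading fragment holds no SIP PDU yet,
    so the filter cannot match it and it is never written."""
    defrag = Defragmenter()
    written: List[int] = []
    for frame in trace:
        result = defrag.feed(frame)
        if result is None:
            continue                                    # earlier fragment: dropped for good
        pdu, _contributing = result
        if match(pdu):
            written.append(frame.number)                # only the frame completing the PDU
    return written


def two_pass(trace: List[Frame], match: Callable[[bytes], bool]) -> List[int]:
    """What -2 adds: pass 1 learns which frames each matching PDU was reassembled
    from, pass 2 writes the matching frame together with those dependent frames."""
    defrag = Defragmenter()
    keep = set()
    for frame in trace:                                 # pass 1
        result = defrag.feed(frame)
        if result is None:
            continue
        pdu, contributing = result
        if match(pdu):
            keep.update(contributing)
    return [f.number for f in trace if f.number in keep]   # pass 2


if __name__ == "__main__":
    trace = build_trace()
    print("single pass (tshark -Y):   ", single_pass(trace, sip_method_is_invite))
    print("two pass    (tshark -2 -Y):", two_pass(trace, sip_method_is_invite))
```

This reproduces both outputs from the thread: the single-pass selection yields frames 1, 3 and 5, losing the off=0 fragment exactly as in the question, while the two-pass selection yields 1, 2, 3 and 5, matching the answer's four-packet file. The practical consequence for pre-filtering large traces is that any filter that depends on a reassembled PDU (IP fragments, or TCP segments of a desegmented SIP message) needs the second pass; otherwise the exported file contains fragments that Wireshark can no longer reassemble.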