How to let tshark reassemble the fragments on GRE?
I have captured a pcap with GRE traffic, and could filter out the GRE traffic by:
[root@vmtca-2101 mzhan017]# tshark -r ims_merged_bad.pcap "ip.proto == 47"
Running as user "root" and group "root". This could be dangerous.
42037 144.861194 10.0.0.7 → 55.0.0.5 IPv4 1512 Fragmented IP protocol (proto=UDP 17, off=0, ID=079a)
42039 144.861213 10.0.0.7 → 55.0.0.5 IPv4 69 Fragmented IP protocol (proto=UDP 17, off=1448, ID=079a)
These two fragments are one SIP INVITE message.
So I tried to filter the SIP with the following command.
tshark -2 -r ims_merged_bad.pcap -R "ip.proto == 47" "sip.CSeq.method==\"INVITE\""
But couldn't get the INVITE message out.
Does tshark support this kind of re-assemble? Any suggestion for this demand?
Thanks, Mark
How to let tshark reassemble the fragments on GRE?
I have captured a pcap with GRE traffic, and could filter out the GRE traffic by:
[root@vmtca-2101 mzhan017]# tshark -r ims_merged_bad.pcap "ip.proto == 47"
Running as user "root" and group "root". This could be dangerous.
42037 144.861194 10.0.0.7 → 55.0.0.5 IPv4 1512 Fragmented IP protocol (proto=UDP 17, off=0, ID=079a)
42039 144.861213 10.0.0.7 → 55.0.0.5 IPv4 69 Fragmented IP protocol (proto=UDP 17, off=1448, ID=079a)
These two fragments are one SIP INVITE message.
So I tried to filter the SIP with the following command.
tshark -2 -r ims_merged_bad.pcap -R -Y "ip.proto == 47" "sip.CSeq.method==\"INVITE\""
But couldn't get the INVITE message out.
Does tshark support this kind of re-assemble? Any suggestion for this demand?
Thanks, Mark
How to let tshark reassemble the fragments on GRE?
I have captured a pcap with GRE traffic, and could filter out the GRE traffic by:
[root@vmtca-2101 mzhan017]# tshark -r ims_merged_bad.pcap "ip.proto == 47"
Running as user "root" and group "root". This could be dangerous.
42037 144.861194 10.0.0.7 → 55.0.0.5 IPv4 1512 Fragmented IP protocol (proto=UDP 17, off=0, ID=079a)
42039 144.861213 10.0.0.7 → 55.0.0.5 IPv4 69 Fragmented IP protocol (proto=UDP 17, off=1448, ID=079a)
These two fragments are one SIP INVITE message.
So I tried to filter the SIP with the following command.
tshark -2 -r ims_merged_bad.pcap -Y "ip.proto == 47" "sip.CSeq.method==\"INVITE\""
But couldn't get the INVITE message out.
Does tshark support this kind of re-assemble? Any suggestion for this demand?
Thanks, Mark