Revision history

How to let tshark reassemble the fragments on GRE?

I have captured a pcap with GRE traffic, and could filter out the GRE traffic by:

[root@vmtca-2101 mzhan017]# tshark -r ims_merged_bad.pcap  "ip.proto == 47"
Running as user "root" and group "root". This could be dangerous.
42037 144.861194     10.0.0.7 → 55.0.0.5     IPv4 1512 Fragmented IP protocol (proto=UDP 17, off=0, ID=079a)
42039 144.861213     10.0.0.7 → 55.0.0.5     IPv4 69 Fragmented IP protocol (proto=UDP 17, off=1448, ID=079a)

These two fragments are one SIP INVITE message.

So I tried to filter the SIP with the following command.

tshark -2 -r ims_merged_bad.pcap -R "ip.proto == 47"   "sip.CSeq.method==\"INVITE\""

But I couldn't get the INVITE message out.

Does tshark support this kind of reassembly? Any suggestions for this requirement?

Thanks, Mark

How to let tshark reassemble the fragments on GRE?

I have captured a pcap with GRE traffic, and could filter out the GRE traffic by:

[root@vmtca-2101 mzhan017]# tshark -r ims_merged_bad.pcap  "ip.proto == 47"
Running as user "root" and group "root". This could be dangerous.
42037 144.861194     10.0.0.7 → 55.0.0.5     IPv4 1512 Fragmented IP protocol (proto=UDP 17, off=0, ID=079a)
42039 144.861213     10.0.0.7 → 55.0.0.5     IPv4 69 Fragmented IP protocol (proto=UDP 17, off=1448, ID=079a)

These two fragments are one SIP INVITE message.

So I tried to filter the SIP with the following command.

tshark -2 -r ims_merged_bad.pcap -R -Y "ip.proto == 47"   "sip.CSeq.method==\"INVITE\""

But I couldn't get the INVITE message out.

Does tshark support this kind of reassembly? Any suggestions for this requirement?

Thanks, Mark

How to let tshark reassemble the fragments on GRE?

I have captured a pcap with GRE traffic, and could filter out the GRE traffic by:

[root@vmtca-2101 mzhan017]# tshark -r ims_merged_bad.pcap  "ip.proto == 47"
Running as user "root" and group "root". This could be dangerous.
42037 144.861194     10.0.0.7 → 55.0.0.5     IPv4 1512 Fragmented IP protocol (proto=UDP 17, off=0, ID=079a)
42039 144.861213     10.0.0.7 → 55.0.0.5     IPv4 69 Fragmented IP protocol (proto=UDP 17, off=1448, ID=079a)

These two fragments are one SIP INVITE message.

So I tried to filter the SIP with the following command.

tshark -2 -r ims_merged_bad.pcap -Y "ip.proto == 47"   "sip.CSeq.method==\"INVITE\""

But I couldn't get the INVITE message out.

Does tshark support this kind of reassembly? Any suggestions for this requirement?

Thanks, Mark