Wireshark mailing list archives
Re: how to enable ip reassembly in tshark
From: Jaap Keuter <jaap.keuter () xs4all nl>
Date: Sat, 9 Dec 2017 13:52:39 +0100
Hi, Tshark would be using the same preferences as Wireshark does (barring any profile changes), so should be reassembling the IP fragments into complete UDP packets with SIP payload. If not, you can always add -o ip.defragment:TRUE to the Tshark command line to have this option set. Thanks, Jaap
On 8 Dec 2017, at 10:06, Wenling Li -X (wenlli - CIeNET at Cisco) <wenlli () cisco com> wrote: Hi wireshark supporter, I installed wireshark software on my Ubuntu 16.04, and when I using tshark to capture packets, I found that one of the sip packet which is more than 1500bytes is fragmented as two ip packets. But if I using wireshark to capture all the sip packets can be shown completely, the bigger sip packet which is more than 1500 bytes can be displayed in one packet in wireshark. My tshark and wireshark version is 2.2.6. So I’m confused, then I checked the preference of wireshark, and found that ip reassembly is enabled by default,
[SNIP]
Now I need do some automation about capture packet and analyze packets, so it’s difficult to me if the sip message is fragmented as IP packets. Is there any solution for this problem? Expect for your response and thanks for your strong support! Br Lily
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-users Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- how to enable ip reassembly in tshark Wenling Li -X (wenlli - CIeNET at Cisco) (Dec 08)
- Re: how to enable ip reassembly in tshark Jaap Keuter (Dec 09)